Yesterday, Kaspersky Labs broke the news that Asus had unwittingly pushed malware-infected software out to its own customers. Asus has responded to the news and acknowledged that it was affected, but it also disputes the number of customers that actually installed the infected software.
To recap: Kaspersky Labs reported that this new attack, which it named ShadowHammer, was launched in a highly targeted effort to penetrate 600 specific PCs. More than 57,000 users of Kaspersky products installed the backdoored utility, which was distributed directly by Asus after attackers penetrated its software and modified it without changing the file size or triggering the company's other security measures. Kaspersky estimates that one million Asus customers were impacted (the attack took place between July and November 2018). Kaspersky released an estimate of the number of affected users in each country, though it notes that this distribution could be skewed by the number of Kaspersky users in each location.
Asus has released a new version of its LiveUpdate utility, 3.6.8, which closes the loophole. The company also claims to have implemented “an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.”
Given the speed with which Asus deployed these fixes, it’s likely been working on them for some time. The question of whether OEMs should be in the business of providing so-called “value-added” software at all is a difficult one. This is far from the first time we’ve seen evidence of major security problems these companies bake into their own laptops as a result of badly secured software. Lenovo, Dell, Samsung, and other firms have all been burned by such issues in recent years. The software world has never found a good answer to this problem. No OEM or developer is immune to the problem of broken updates, including Microsoft, which builds the underlying OS. At the same time, the ability to deliver critical security updates on an ongoing basis is recognized as one of the best ways to keep customer machines secure.
As for who the original attacker was trying to target, or where those ~600 machines are, we don’t know. This wasn’t a random attack. Someone had very specific ideas about whom they wanted to hit, and they knew the MAC addresses to target. That’s arguably the most concerning part of the entire affair. We still have no idea if this attack actually accomplished what it set out to do, whatever that was.
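Because the backdoor keyed on MAC addresses, the practical triage question for a defender is "was my machine on the list?". The following is an added example (not code from the article or from Asus/Kaspersky) of that check: it assumes the target list is circulated as MD5 digests of MAC addresses normalized to 12 lowercase hex digits, and the hashes it compares against are constructed from two sample MACs, not the real ShadowHammer indicators.

```python
import hashlib
import re
import uuid

# Normalized form assumed by this example: 12 lowercase hex digits, no separators.
_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or bare hex."""
    cleaned = re.sub(r"[:\-.\s]", "", mac.strip().lower())
    if not _MAC_RE.match(cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return cleaned


def mac_hash(mac: str) -> str:
    """MD5 of the normalized MAC (the hashing scheme is an assumption here)."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed sample target set, derived from two made-up MACs so the example
# runs offline. A real triage would load the published indicator list instead.
SAMPLE_TARGET_MAC_HASHES = {
    mac_hash("00:11:22:33:44:55"),
    mac_hash("AA-BB-CC-DD-EE-FF"),
}


def find_targeted_macs(macs, target_hashes=SAMPLE_TARGET_MAC_HASHES):
    """Return the normalized MACs whose hash appears in the target set."""
    return [normalize_mac(m) for m in macs if mac_hash(m) in target_hashes]


def local_mac_candidates():
    """Best-effort primary MAC via the standard library.

    Real triage should enumerate every adapter (e.g. `ip link` or `getmac`),
    since the targeted address may belong to a secondary NIC.
    """
    node = uuid.getnode()
    if (node >> 40) & 1:  # multicast bit set: stdlib fell back to a random value
        return []
    return [f"{node:012x}"]


if __name__ == "__main__":
    hits = find_targeted_macs(local_mac_candidates())
    print("targeted MAC(s) found:" if hits else "no targeted MAC found", hits)
```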
If you have an Asus laptop, make sure LiveUpdate 3.6.8 is installed. Alternatively, uninstall the entire suite of whatever utilities your laptop vendor shoved onto the laptop in the first place. You’ll probably be better off.