Motherboard and Kaspersky unveiled that hackers compromised a server of computer manufacturer ASUS’s live software update tool to install a malicious backdoor on thousands of computers. The malicious file was able to masquerade as an authentic software update as it was signed with legitimate ASUS digital certificates. The manufacturer unwittingly pushed out the backdoor to customers for at least five months before its discovery last year.

At Forrester, we have been tracking this dangerous trend in which cybercriminals use compromised update servers to distribute malware, a trend that has already affected Arch Linux, IBM, and Google. This issue can be hard to detect and thwart, as it allows attackers to deploy signed malware directly to your servers using trusted channels. The very channels you’re using to obtain security updates, cybercriminals are using against you.

Adversaries Have Started Using The Supply Chain To Microtarget Victims

What makes this attack more interesting is the malware was searching and targeting specific systems by their unique MAC addresses. Although around 500,000 machines received the malicious backdoor, attackers appeared to have been only targeting 600 of those systems. If the malware found one of the targeted addresses, it would reach out to a command-and-control server and install additional malware on those machines. This isn’t something new, as exploit kits have long used traffic shaping or TDS (traffic distribution systems) to avoid detection, but this is something that is being leveraged with precision now. Another recent example of this trend occurred last year when Check Point determined that a mobile malware dropper that was coming preinstalled on phones had the ability to load variants of itself for campaign-level control.

The Key Takeaway Should Not Be To Not Use These Update Services

One of the challenges I faced in a past life when trying to develop a whitelisting solution was the extension of trust. Update services are a critical part of staying up to date and not getting owned, but if you decide to extend trust to files created by these update services, you expose yourself to just this scenario. It is critical that organizations implement Zero Trust to ensure that files are not automatically trusted because they come from a “trusted” source or are signed by a “trusted” organization. Do due diligence on everything.

How To Implement Zero Trust To Avoid Poisoning Your Guests

The best practice to ensure that you aren’t poisoning your downstream clients is to perform automated malware analysis as part of your build and signing pipeline . . . and make sure to employ file integrity monitoring on your update servers to detect unauthorized changes.

 

(written with Madeline Cyr, research associate)