Asus pushes patch after hackers used updates to send malware

Kaspersky Lab estimates that the attack could have affected more than a million users.

Alfred Ng Senior Reporter / CNET News

Thousands of Asus computers were infected with malware from the company's own update tool, researchers from Kaspersky Lab said Monday.

The researchers discovered the attack in January, after hackers took over the Asus Live Update Utility to quietly install malware on devices. The hack was first reported by Motherboard.

On Tuesday, Asus said it's fixed the vulnerability in the latest version of its Live Update tool, meaning you'll have to trust the software to resolve the issue.

"Asus customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed," the company said in a statement.

The hack, which Kaspersky Lab is calling Operation ShadowHammer, went on between June and November 2018. Kaspersky Lab found that it affected more than 57,000 people using its products. The Russia-based cybersecurity company was only able to find those numbers for its own users, and estimates that the malware could affect more than a million Asus owners worldwide. 

Symantec, another cybersecurity company, found the same malware from Asus updates, and cited at least 13,000 computers affected by the attack. The company said that 80 percent of victims were consumers, while 20 percent were organizations.

The update tool is preinstalled on the majority of new Asus devices.

The attackers were able to infect devices without raising red flags because they used Asus' legitimate security certificate, which was hosted on the computer manufacturer's servers.


Asus is a Taiwan-based computer company, and one of the top consumer notebook vendors in the world, with millions of laptops worldwide.

"The selected vendors are extremely attractive targets for APT [advanced persistent threat] groups that might want to take advantage of their vast customer base," Vitaly Kamluk, director of Kaspersky Lab's Global Research and Analysis Team, said in a statement.

Malware can arrive on your devices in a lot of ways -- downloading a file from an email, opening a PDF you shouldn't have or via browser-based attacks.

The hack on Asus' automatic update tool points to another kind of concern, in which people have to be worried about patches from the source itself as hackers seek to exploit a trusted relationship. Supply chain attacks are not new: In 2017, the popular software tool CCleaner was hijacked to install malware on millions of computers.

Distrust in automatic updates leads to another kind of threat, as many companies often rely on people to patch their devices to defend against new malware. The majority of computers infected with the WannaCry ransomware, for instance, were hit because they didn't install a security update issued in 2017.  

While it's capable of attacking millions, the malware had a specific set of targets, researchers found. Once it was installed, the backdoor checked the device's MAC address. If it matched one of the hackers' targets, it then installed another set of malware, researchers said.

Kaspersky Lab researchers said they identified more than 600 MAC addresses, and released a tool for people to check whether they were targeted by the attack. The cybersecurity company said it's notified Asus, and the investigation is ongoing.
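For defenders who want to run the same kind of check across a fleet, the sketch below pulls MAC addresses out of adapter listings and compares them with a published target list. It is an added example, not Kaspersky Lab's tool or code from the original article; it assumes the list is distributed as MD5 digests of the six raw address bytes, and every address and digest in it is constructed.

```python
import hashlib
import re

# Six hex octets joined by ':' or '-', not embedded in a longer ID (e.g. a DHCPv6 DUID).
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:-])[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}(?![0-9A-Fa-f:-])")

def extract_macs(text):
    """Return MAC addresses found in text, normalized to 12 lowercase hex digits."""
    return {re.sub(r"[:-]", "", m).lower() for m in MAC_RE.findall(text)}

def mac_digest(mac_hex):
    """MD5 over the 6 raw address bytes (assumed indicator format, not from the article)."""
    return hashlib.md5(bytes.fromhex(mac_hex)).hexdigest()

def load_indicators(lines):
    """Parse an indicator file: one hex digest per line; comments and junk are skipped."""
    indicators = set()
    for line in lines:
        line = line.split("#", 1)[0].strip().lower()
        if re.fullmatch(r"[0-9a-f]{32}", line):
            indicators.add(line)
    return indicators

def targeted_macs(adapter_text, indicators):
    """Return the sorted local MACs whose digest appears in the indicator set."""
    return sorted(m for m in extract_macs(adapter_text) if mac_digest(m) in indicators)

# Constructed adapter listing in mixed formats (not real device data).
SAMPLE_ADAPTERS = """\
Ethernet adapter:   Physical Address. . . : 02-00-5E-10-00-01
link/ether 02:00:5e:10:00:02 brd ff:ff:ff:ff:ff:ff
DHCPv6 Client DUID: 00-01-00-01-2A-3B-4C-5D-02-00-5E-10-00-09
"""
# Constructed indicator list: one digest matches a sample adapter, one does not.
SAMPLE_INDICATORS = load_indicators([
    "# constructed test indicators",
    mac_digest("02005e100002").upper(),
    mac_digest("02005e10ffff"),
    "not-a-digest",
])

if __name__ == "__main__":
    hits = targeted_macs(SAMPLE_ADAPTERS, SAMPLE_INDICATORS)
    print("targeted:" if hits else "not targeted", hits)
```

Feed it the saved output of `getmac`, `ipconfig /all` or `ip link` from each machine; a machine with no hit was not on the target list but may still have received the backdoored update.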


Originally published March 25 at 7:16 a.m. PT.
Updated March 26 at 6:26 a.m. PT: Includes response from Asus.