
Shadowhammer

Reference: Advisory #2019-007
Version: 1.0
Affected software: ASUS Live Update Utility (versions older than v3.6.8)
Type: Rootkit (supply-chain compromise)

Risks

ASUS systems with the ASUS Live Update Utility (versions older than v3.6.8) installed are exposed to full compromise by the attackers behind this operation (suspected to be state-sponsored).

Risks: Total loss of data confidentiality, data availability, and data integrity.

Description

In January 2019, Kaspersky Labs discovered a supply chain attack that affects ASUS computers. Malicious actors were able to penetrate ASUS' internal systems and insert malicious code into the ASUS Live Update Utility, which ships with every ASUS system. Normally the ASUS Live Update Utility is used to automatically update software components such as system drivers and supporting applications, as well as to update the system's BIOS/UEFI. This supply chain attack gives attackers the ability to exploit affected ASUS systems for whatever purposes they like, and since it potentially allows them to install a malicious BIOS/UEFI, it should be considered essentially a rootkit. Estimates of how many systems were impacted vary between 500.000 and 1.000.000. While there is compelling evidence that at this time only approximately 600 systems were actively compromised by the attackers (making this appear to be a targeted attack), all of the other systems which have the poisoned ASUS Live Update Utility installed nevertheless remain extremely vulnerable.

Recommended Actions

  • Run the ASUS diagnostic utility to determine whether your system has been affected.
    • If you discover that you have been targeted by this operation, please email CERT.be: [email protected]
    • If your system is affected, do a complete backup of your files, restore your system to factory settings, and restore your files from backup.
  • Update to the latest version of the ASUS Live Update Utility.
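As an added example (not part of the CERT.be advisory and not an ASUS tool), the following PowerShell script lets an administrator check whether the installed ASUS Live Update Utility on a Windows host is older than the fixed version named above (v3.6.8). It assumes the utility registers a standard entry under the Windows Uninstall registry keys whose DisplayName contains "ASUS Live Update" and whose DisplayVersion is a dotted version number; those names are assumptions, and the script only reports, it changes nothing. It complements, rather than replaces, the ASUS diagnostic utility, which checks whether a system was actually targeted.

```powershell
# Added example, not from the advisory: flag ASUS Live Update Utility installs
# older than the fixed version named in CERT.be advisory #2019-007.
# Assumption: the utility has a normal Uninstall entry with DisplayName
# containing "ASUS Live Update" and a dotted DisplayVersion such as "3.6.7".

$FixedVersion = [version]'3.6.8'   # from the advisory: versions older than v3.6.8 are affected

# Both the native and the 32-bit-on-64-bit (WOW6432Node) Uninstall hives.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AsusLiveUpdateStatus {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*ASUS Live Update*' } |
        ForEach-Object {
            $installed = $null
            # TryParse avoids a terminating error if DisplayVersion is not a dotted number.
            $parsed = [version]::TryParse([string]$_.DisplayVersion, [ref]$installed)
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                DisplayName  = $_.DisplayName
                Version      = $_.DisplayVersion
                Status       = $(
                    if (-not $parsed)                      { 'UNKNOWN (unparsable version, check manually)' }
                    elseif ($installed -lt $FixedVersion)  { 'VULNERABLE - older than v3.6.8, update required' }
                    else                                   { 'OK - v3.6.8 or newer' }
                )
            }
        }
}

$results = Get-AsusLiveUpdateStatus
if (-not $results) {
    Write-Output "$($env:COMPUTERNAME): no ASUS Live Update Utility entry found in the Uninstall keys."
} else {
    $results | Format-Table -AutoSize
}
```

The comparison uses the [version] type rather than string comparison, so "3.6.10" is correctly treated as newer than "3.6.8". Across a fleet the function can be wrapped in Invoke-Command to collect the objects from many hosts and filter on Status.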
