[TC] Hackers dropped a secret backdoor in Asus’ update software - Page 4 - Overclock.net - An Overclocking Community

post #31 of 37 (03-28-2019, 11:00 PM), posted by 8051 (New to Overclock.net; joined Apr 2014; 2,662 posts)
Quote: Originally Posted by epic1337
That would've been the case if this wasn't a public patch/update server; it's connected to the main network, otherwise those public clients wouldn't be able to get their patches.
The public IP address (which undoubtedly disallows SSH) that is pingable from the internet is not necessarily the same IP address found on the private, corporate network (that does allow SSH) and I'll bet they're on completely different physical networks. You can have a computer w/two network connections that is called a dual-homed host that can have two hostnames (one for each MAC address).
post #32 of 37 (03-28-2019, 11:11 PM), posted by epic1337 (Otherworlder; joined Feb 2011; 7,188 posts)
Quote: Originally Posted by 8051
The public IP address (which undoubtedly disallows SSH) that is pingable from the internet is not necessarily the same IP address found on the private, corporate network (that does allow SSH) and I'll bet they're on completely different physical networks. You can have a computer w/two network connections that is called a dual-homed host that can have two hostnames (one for each MAC address).
Yes, I'm aware, but you were asking how they'd know the addresses from the inside.
While the external IP doesn't allow SSH, it can still leak info through it if you can get a compromised PC inside.

trolling an adult is very dangerous, don't try it at home nor at work. you don't want to play tag with a rabid man.
post #33 of 37 (03-29-2019, 04:06 PM), posted by bmgjet (High Clocker; joined Nov 2011; 3,114 posts)
I doubt many desktops would be affected, since you'd have to go through the effort of installing the update software tool from the CD.
Laptops are where the issue will be, since it comes pre-installed. I recently got a new Asus laptop. First thing I did was re-install Win10 from USB without all the OEM bloat.
post #34 of 37 (03-29-2019, 10:25 PM), posted by 8051 (New to Overclock.net; joined Apr 2014; 2,662 posts)
Quote: Originally Posted by epic1337
Yes, I'm aware, but you were asking how they'd know the addresses from the inside.
While the external IP doesn't allow SSH, it can still leak info through it if you can get a compromised PC inside.
Even if you're on the inside of the private network, how are you going to know what the internal hostname or IP address is for the file-serving host? The network topology for my corporate network isn't public knowledge, and I don't even know all the hosts on the corporate network, much less the private networks. Attempts to hack root accounts on *ix servers result in auto-generated emails with the source IP address to system admins. Sudo login failures are also logged and auto-generate emails to sysadmins.
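The post above relies on failed root logins and sudo failures being logged and turned into admin alerts with the source IP attached. The script below is an added illustration of that detection step, not code from the thread or from any product mentioned in it: it parses a handful of constructed syslog-style auth lines (the `sshd` "Failed password" and `sudo` "incorrect password attempt" formats), counts failures per source IP and per user, and builds the alert text an admin would receive. The hostname, IPs, users and the threshold of two failed root attempts are all made-up sample values.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample auth log (hostname, IPs and users are made up).
SAMPLE_LOG = """\
Mar 29 22:10:01 fileserv sshd[1201]: Failed password for root from 10.20.30.40 port 51234 ssh2
Mar 29 22:10:03 fileserv sshd[1201]: Failed password for root from 10.20.30.40 port 51236 ssh2
Mar 29 22:11:15 fileserv sudo:     jdoe : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/ls
Mar 29 22:12:00 fileserv sshd[1300]: Accepted publickey for jdoe from 10.20.30.7 port 40000 ssh2
Mar 29 22:12:30 fileserv sudo:    alice : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 29 22:13:00 fileserv sshd[1400]: Failed password for invalid user admin from 192.0.2.9 port 2222 ssh2
"""

# sshd failure line; "invalid user" appears when the account does not exist.
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
# sudo failure line; PWD sits between TTY and USER, hence the lazy ".*?".
SUDO_FAIL = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?P<n>\d+) incorrect password attempts? ; "
    r"TTY=(?P<tty>\S+) ; .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


@dataclass
class Event:
    kind: str     # "ssh_fail" or "sudo_fail"
    user: str     # account that was attempted (ssh) or the sudo caller
    source: str   # source IP (ssh) or TTY (sudo)
    detail: str   # target account and command for sudo, empty for ssh


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a failed root/sudo attempt, or None for anything else."""
    m = SSH_FAIL.search(line)
    if m:
        return Event("ssh_fail", m.group("user"), m.group("ip"), "")
    m = SUDO_FAIL.search(line)
    if m:
        detail = f"as {m.group('target')}: {m.group('cmd')}"
        return Event("sudo_fail", m.group("user"), m.group("tty"), detail)
    return None  # successful logins and unrelated lines are not alert material


def summarize(log_text: str) -> dict:
    """Aggregate failures: ssh by source IP (all users and root only), sudo by caller."""
    ssh_by_ip, ssh_root_by_ip, sudo_by_user = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.kind == "ssh_fail":
            ssh_by_ip[ev.source] += 1
            if ev.user == "root":
                ssh_root_by_ip[ev.source] += 1
        else:
            sudo_by_user[ev.user] += 1
    return {"ssh_by_ip": ssh_by_ip, "ssh_root_by_ip": ssh_root_by_ip,
            "sudo_by_user": sudo_by_user}


def build_alerts(log_text: str, root_threshold: int = 2) -> List[str]:
    """Produce one alert line per noteworthy finding, with the source IP where known."""
    alerts = []
    summary = summarize(log_text)
    # Repeated failed root logins from one address: include the IP, as the post describes.
    for ip, n in sorted(summary["ssh_root_by_ip"].items()):
        if n >= root_threshold:
            alerts.append(f"ALERT ssh: {n} failed root logins from {ip}")
    # Every sudo failure is reported individually, with the command that was attempted.
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev.kind == "sudo_fail":
            alerts.append(f"ALERT sudo: {ev.user} on {ev.source} failed {ev.detail}")
    return alerts


if __name__ == "__main__":
    # In a real deployment these lines would be handed to the mail/ticketing hook.
    for a in build_alerts(SAMPLE_LOG):
        print(a)
```

Tailing `/var/log/auth.log` (or the journald equivalent) and feeding new lines to `build_alerts` is the obvious deployment; the threshold exists so that a single mistyped root password does not page anyone, while the sudo path reports every failure because the caller and command are already known.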
post #35 of 37 (03-29-2019, 10:38 PM), posted by epic1337 (Otherworlder; joined Feb 2011; 7,188 posts)
Quote: Originally Posted by 8051
Even if you're on the inside of the private network how are you going to know what the internal hostname or IP address is for the file serving host? The network topology for my corporate network isn't public knowledge and I don't even know all the hosts on the corporate network much less the private networks. Attempts to hack root accounts on *ix servers result in auto-generated emails w/source IP address to system admins. Sudo login failures are also logged and auto-generate emails to sys admins.
By means of snooping; the fact that they managed to get what they want in this case means they have the ability to do it.

You can read their modus from this:
https://slideplayer.com/slide/8426417/
https://www.trendmicro.com/vinfo/us/...rgeted-attacks

Last edited by epic1337; 03-29-2019 at 10:47 PM.
post #36 of 37 (03-30-2019, 02:30 AM), posted by 8051 (New to Overclock.net; joined Apr 2014; 2,662 posts)
Quote: Originally Posted by epic1337
By means of snooping; the fact that they managed to get what they want in this case means they have the ability to do it.

You can read their modus from this:
https://slideplayer.com/slide/8426417/
https://www.trendmicro.com/vinfo/us/...rgeted-attacks
An interesting read, but some of those techniques would require access to locked data closets, although I guess you could possibly splice into a backbone. Sniffers wouldn't get you passwords and usernames anymore, because they haven't been sent as plain text in years. Telnet, FTP and rlogin are similarly dead issues; none of the *ix boxes I have at work allow the use of rlogin, FTP or telnet sessions anymore.

Top-end Cisco switches are quite sophisticated and will pick up packet flooding quickly, as well as port scanning, and alert network admins via automated email.

To use these techniques to hack our corporate network remotely would require compromising a PC that has VPN access through a SecurID synced to our system and a login ID, or a system already inside the corporate network. IP addresses that are exposed to the public are all on a private network separated from the corporate network -- ditto for public WiFi.

The rlogin/rsh/rcp attack is an interesting avenue of attack, but it would have to be launched from a compromised system within the corporate network or one connecting remotely via VPN; it would also require not only some knowledge of the IP addresses of the systems on the network but a user ID that's valid for the targeted system.
post #37 of 37 (03-30-2019, 03:11 AM), posted by epic1337 (Otherworlder; joined Feb 2011; 7,188 posts)
Quote: Originally Posted by 8051
An interesting read, but some of those techniques would require access to locked data closets, although I guess you could possibly splice into a backbone. Sniffers wouldn't get you passwords and usernames anymore, because they haven't been sent as plain text in years. Telnet, FTP and rlogin are similarly dead issues; none of the *ix boxes I have at work allow the use of rlogin, FTP or telnet sessions anymore.

Top-end Cisco switches are quite sophisticated and will pick up packet flooding quickly, as well as port scanning, and alert network admins via automated email.

To use these techniques to hack our corporate network remotely would require compromising a PC that has VPN access through a SecurID synced to our system and a login ID, or a system already inside the corporate network. IP addresses that are exposed to the public are all on a private network separated from the corporate network -- ditto for public WiFi.

The rlogin/rsh/rcp attack is an interesting avenue of attack, but it would have to be launched from a compromised system within the corporate network or one connecting remotely via VPN; it would also require not only some knowledge of the IP addresses of the systems on the network but a user ID that's valid for the targeted system.
If we read between the lines of the news report, we can see that they had most likely done it through a partner developer.

"It’s believed the hackers had access to Asus’ own certificates to sign the malware through Asus’ sprawling supply chain, a factor line of developers and vendors from around the world trusted to develop software and provide components for Asus’ computers. These so-called supply chain attacks are particularly difficult to detect because it often involves targeting a company insider or infiltrating the company directly."

This is effectively them hitting externally and letting the unsuspecting developer upload the compromised file to the server.