Overclock.net - An Overclocking Community
Thread: [TC] Hackers dropped a secret backdoor in Asus’ update software
  Topic Review (Newest First)
03-30-2019 03:11 AM
epic1337
Quote: Originally Posted by 8051
An interesting read, but some of those techniques would require access to locked data closets although I guess you could possibly splice into a backbone. Sniffers wouldn't get you passwords and usernames anymore because they haven't been sent as plain text in years. Telnet, FTP and rlogin are similarly dead issues, none of the *ix boxes I have at work allow the use of rlogin, FTP or telnet sessions anymore.

Top end Cisco switches are quite sophisticated and will pick up packet flooding quickly as well as port scanning and alert network admins via automated email.

To use these techniques to hack our corporate network remotely would require compromising a PC that has VPN access through a secureID synced to our system and a login ID or a system already inside the corporate network. IP addresses that are exposed to the public are all on a private network separated from the corporate network -- ditto for public WiFi.

The rlogin/rsh/rcp attack is an interesting avenue of attack, but it would have to be launched from a compromised system from within the corporate network or connecting remotely via VPN, it would also require not only some knowledge of the IP addresses of the systems on the network but a user id that's valid for the targeted system.
If we read between the lines of the news report, we can see that they had most likely done it through a partner developer.

"It’s believed the hackers had access to Asus’ own certificates to sign the malware through Asus’ sprawling supply chain, a factor line of developers and vendors from around the world trusted to develop software and provide components for Asus’ computers. These so-called supply chain attacks are particularly difficult to detect because it often involves targeting a company insider or infiltrating the company directly."

this is effectively them hitting externally and letting the unsuspecting developer upload the compromised file to the server.
03-30-2019 02:30 AM
8051
Quote: Originally Posted by epic1337
by means of snooping, the fact that they managed to get what they want in this case means they have the ability to do it.

you can read their modus from this:
https://slideplayer.com/slide/8426417/
https://www.trendmicro.com/vinfo/us/...rgeted-attacks
An interesting read, but some of those techniques would require access to locked data closets although I guess you could possibly splice into a backbone. Sniffers wouldn't get you passwords and usernames anymore because they haven't been sent as plain text in years. Telnet, FTP and rlogin are similarly dead issues, none of the *ix boxes I have at work allow the use of rlogin, FTP or telnet sessions anymore.

Top end Cisco switches are quite sophisticated and will pick up packet flooding quickly as well as port scanning and alert network admins via automated email.

To use these techniques to hack our corporate network remotely would require compromising a PC that has VPN access through a secureID synced to our system and a login ID or a system already inside the corporate network. IP addresses that are exposed to the public are all on a private network separated from the corporate network -- ditto for public WiFi.

The rlogin/rsh/rcp attack is an interesting avenue of attack, but it would have to be launched from a compromised system from within the corporate network or connecting remotely via VPN, it would also require not only some knowledge of the IP addresses of the systems on the network but a user id that's valid for the targeted system.
03-29-2019 10:38 PM
epic1337
Quote: Originally Posted by 8051
Even if you're on the inside of the private network how are you going to know what the internal hostname or IP address is for the file serving host? The network topology for my corporate network isn't public knowledge and I don't even know all the hosts on the corporate network much less the private networks. Attempts to hack root accounts on *ix servers result in auto-generated emails w/source IP address to system admins. Sudo login failures are also logged and auto-generate emails to sys admins.
by means of snooping, the fact that they managed to get what they want in this case means they have the ability to do it.

you can read their modus from this:
https://slideplayer.com/slide/8426417/
https://www.trendmicro.com/vinfo/us/...rgeted-attacks
03-29-2019 10:25 PM
8051
Quote: Originally Posted by epic1337
yes i'm aware, but you were asking how they'd know the addresses from the inside.
while the external IP doesn't allow SSH it can still leak info through it if you can get a compromised PC inside.
Even if you're on the inside of the private network how are you going to know what the internal hostname or IP address is for the file serving host? The network topology for my corporate network isn't public knowledge and I don't even know all the hosts on the corporate network much less the private networks. Attempts to hack root accounts on *ix servers result in auto-generated emails w/source IP address to system admins. Sudo login failures are also logged and auto-generate emails to sys admins.
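As an added, defender-side illustration of the logging 8051 describes (failed root logins and sudo failures turned into an admin alert that carries the source IP), the following example code is not from the thread or from any of the posters; the log lines are constructed samples in Linux auth.log format, and the hostname "fileserv" and the 10.20.30.0/24 addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in Linux auth.log / syslog format (not taken from the thread).
# Hostname "fileserv" and the 10.20.30.0/24 addresses are placeholders.
SAMPLE_LOG = """\
Mar 29 22:10:01 fileserv sshd[2210]: Failed password for root from 10.20.30.40 port 51234 ssh2
Mar 29 22:10:03 fileserv sshd[2210]: Failed password for root from 10.20.30.40 port 51236 ssh2
Mar 29 22:10:05 fileserv sshd[2214]: Failed password for invalid user admin from 10.20.30.40 port 51240 ssh2
Mar 29 22:11:15 fileserv sudo:     bob : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 29 22:11:40 fileserv sshd[2220]: Accepted publickey for alice from 10.20.30.41 port 50001 ssh2
Mar 29 22:12:02 fileserv sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status sshd
"""

# sshd records a failed password attempt with the attempted user and the source address.
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# sudo records a failed authentication with the attempt count, target user and command.
SUDO_FAIL = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?P<count>\d+) incorrect password attempts.*?USER=(?P<target>\S+)"
    r".*?COMMAND=(?P<cmd>.*)$"
)


def scan_auth_log(text, root_threshold=2):
    """Return root-SSH failure sources at/above the threshold plus every sudo failure."""
    root_failures = defaultdict(int)
    sudo_alerts = []
    for line in text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            # Only failed attempts against root are counted; other users are ignored here.
            if m.group("user") == "root":
                root_failures[m.group("ip")] += 1
            continue
        m = SUDO_FAIL.search(line)
        if m:
            sudo_alerts.append({
                "user": m.group("user"),
                "attempts": int(m.group("count")),
                "target": m.group("target"),
                "command": m.group("cmd").strip(),
            })
    root_alerts = [
        {"ip": ip, "failures": n}
        for ip, n in sorted(root_failures.items())
        if n >= root_threshold
    ]
    return {"root_ssh": root_alerts, "sudo": sudo_alerts}


def format_alert(report, host):
    """Render the report as the body of the notification sent to the sysadmins."""
    lines = [f"[auth-alert] {host}"]
    for a in report["root_ssh"]:
        lines.append(f"root SSH login failures from {a['ip']}: {a['failures']}")
    for s in report["sudo"]:
        lines.append(
            f"sudo failure: {s['user']} -> {s['target']} "
            f"({s['attempts']} attempts) cmd={s['command']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_alert(scan_auth_log(SAMPLE_LOG), "fileserv"))
```

Run against the constructed sample, the scan reports two failed root logins from 10.20.30.40 and one sudo failure by bob targeting root; the successful public-key login and alice's ordinary sudo use produce nothing, which is the point of keying the alert on failures rather than on all privileged activity.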
03-29-2019 04:06 PM
bmgjet
I doubt many desktops would be affected since you'd have to go through the effort of installing the update software tool from the CD.
Laptops are where the issue will be since it comes pre-installed. I recently got a new Asus laptop. First thing I did was re-install Win10 from USB without all the OEM bloat.
03-28-2019 11:11 PM
epic1337
Quote: Originally Posted by 8051
The public IP address (which undoubtedly disallows SSH) that is pingable from the internet is not necessarily the same IP address found on the private, corporate network (that does allow SSH) and I'll bet they're on completely different physical networks. You can have a computer w/two network connections that is called a dual-homed host that can have two hostnames (one for each MAC address).
yes i'm aware, but you were asking how they'd know the addresses from the inside.
while the external IP doesn't allow SSH it can still leak info through it if you can get a compromised PC inside.
03-28-2019 11:00 PM
8051
Quote: Originally Posted by epic1337
that would've been the case if this wasn't a public patch/update server, it's connected to the main network otherwise those public clients wouldn't be able to get their patches.
The public IP address (which undoubtedly disallows SSH) that is pingable from the internet is not necessarily the same IP address found on the private, corporate network (that does allow SSH) and I'll bet they're on completely different physical networks. You can have a computer w/two network connections that is called a dual-homed host that can have two hostnames (one for each MAC address).
03-28-2019 12:05 PM
Raghar
Quote: Originally Posted by looniam
we have a statement!

Attachment 261796

yes! they posted that on facebook!

I wonder if they replace it by another hacking tool. Security that's only dependent on a certificate, or on user remote access privileges, is a bad idea.
03-28-2019 11:34 AM
epic1337
Quote: Originally Posted by 8051
Not necessarily. You can have a dual-homed host where the external IP address is not the same as the internal IP address and the internal IP address can be on a (virtual or not) private network that blocks external SSH access. What if the host name for the internal IP address is NOT the same as the host name for the external IP address? Have you ever seen a large corporate network topology?
that would've been the case if this wasn't a public patch/update server, it's connected to the main network otherwise those public clients wouldn't be able to get their patches.
03-28-2019 10:51 AM
8051
Quote: Originally Posted by epic1337
in this case it's a patch/update server so it's obviously connected to the main network, which means to say anyone with administration rights can connect to it.

plus finding out the addresses is just a matter of snooping it.
Not necessarily. You can have a dual-homed host where the external IP address is not the same as the internal IP address and the internal IP address can be on a (virtual or not) private network that blocks external SSH access. What if the host name for the internal IP address is NOT the same as the host name for the external IP address? Have you ever seen a large corporate network topology?