Overclock.net - An Overclocking Community

Software News: [TC] Hackers dropped a secret backdoor in Asus’ update software (https://www.overclock.net/forum/226-software-news/1723220-tc-hackers-dropped-secret-backdoor-asusa-update-software.html)

JedixJarf 03-25-2019 11:04 AM

[TC] Hackers dropped a secret backdoor in Asus’ update software
Quote:

Hackers targeted and compromised “hundreds of thousands” of Asus computer owners by pushing a backdoored update software tool from the company’s own servers.

The bombshell claims, first reported by Motherboard, said the hackers digitally signed the Asus Live Update tool with one of the company’s own code-signing certificates before pushing it to Asus’ download servers, which hosted the backdoored tool for months last year. The malicious updates were pushed to Asus computers, which have the software installed by default.

Time to fire up that old AV scanner

https://techcrunch.com/2019/03/25/asus-update-backdoor/

Laysson 03-25-2019 11:44 AM

So first they mine with your hardware, then they infect it? Seriously...

Aenra 03-25-2019 12:48 PM

This is rather amusing :)
We've been saying this for literally decades... if it's not broken, you don't try fixing it.
Not only do people fail to live by this, they actually allow for "live" updates; c'est la vie ^^

Forgive me for failing to sympathise.
The easiest thing to exploit is your own tendency to be just like the other monkey right next door, block, or city.

I'd be more interested in how this all went down, though I'm sure it would be over my head.

xJumper 03-25-2019 12:56 PM

Does this have anything to do with Asus motherboard BIOS updates? Whenever I update those I download the .cap file on a USB key and install it manually instead of using the ethernet BIOS ability to download it straight from ASUS servers.

tpi2007 03-25-2019 01:52 PM

One more source, it seems that Asus doesn't come out of this looking very well:

https://www.zdnet.com/article/supply-chain-attack-installs-backdoors-through-hijacked-asus-live-update-software/

Quote:

Kaspersky informed ASUS of the supply chain attack at the end of January. However, Motherboard reports that the PC giant has "been largely unresponsive" since meeting with Kaspersky representatives on this issue.

ASUS denied its servers were compromised when informed of the findings and continued to use one of the compromised certificates involved in the attack for at least a month after notification. The Taiwanese firm has since stopped, but the certificates are yet to be revoked.

The attack has been confirmed by Symantec. ZDNet has not received a response from queries sent to ASUS at the time of writing.

Kree 03-25-2019 04:43 PM

Does anyone have the ASUS press release about this? Or have they yet to release one?

TFL Replica 03-25-2019 05:16 PM

It's not like the live update tool is anything special or complicated. They should just open-source it.

Kree 03-25-2019 05:55 PM

Quote:

Originally Posted by TFL Replica (Post 27908086)
It's not like the live update tool is anything special or complicated. They should just open-source it.

Is the ASUS Live Update Tool incorporated into MS Windows 10 Updater or is it a standalone executable that comes preinstalled on ASUS manufactured systems and/or a part of the ASUS motherboard installer discs?

8051 03-25-2019 08:00 PM

I wonder how they overwrote the existing Asus Live Update Tool w/their backdoor code? Anyone running a webserver or a firewall should not only be able to prevent files being uploaded from external IP addresses but prevent overwriting of existing files right? Unless it was manipulated from someone inside Asus's corporate network? But even then wouldn't you also need the necessary file/account privileges on the server?

epic1337 03-25-2019 08:30 PM

Quote:

Originally Posted by 8051 (Post 27908274)
I wonder how they overwrote the existing Asus Live Update Tool w/their backdoor code? Anyone running a webserver or a firewall should not only be able to prevent files being uploaded from external IP addresses but prevent overwriting of existing files right? Unless it was manipulated from someone inside Asus's corporate network? But even then wouldn't you also need the necessary file/account privileges on the server?

A compromised administration account would allow all that.

