Kaspersky Lab has uncovered a new advanced persistent threat (APT) campaign that has affected a large number of users worldwide through what is known as a supply chain attack. A supply chain attack is one of the most dangerous and effective infection vectors and can result in major data breaches. Recent cases of supply chain attacks include the ShadowPad and CCleaner malware. Such attacks target specific weaknesses in a product's life cycle, from the initial development stage through to the end user.

According to a press release by Kaspersky Lab, the actors responsible for ShadowHammer targeted the ASUS Live Update Utility as the initial source of infection. This is a utility pre-installed on most new ASUS computers for automatic BIOS, driver and application updates.

Using digital certificates stolen from ASUS, the same certificates ASUS uses to sign its legitimate binaries, the attackers modified older versions of ASUS software and injected their own malicious code. The Trojanised versions of the utility were signed with these legitimate certificates and were hosted on and distributed from official ASUS update servers. This made the malicious software look like official software, and so it bypassed most security solutions.

Kaspersky Lab has reported that while every user of the affected software could potentially become a victim of attack, it seems that the actors behind ShadowHammer are focusing on very specific targets.

A search for similar malware revealed software from three other vendors, not only in Southeast Asia but across Asia as a whole, all backdoored with very similar methods and techniques. Kaspersky Lab has reported the issue to ASUS and the other vendors.

In order to avoid falling victim to a targeted attack by known or unknown threats, Kaspersky Lab researchers recommend implementing the following measures:

  • In addition to adopting must-have endpoint protection, implement a corporate-grade security solution that detects advanced threats at the network level at an early stage.
  • For endpoint-level detection, Kaspersky Lab recommends implementing EDR solutions, which offer continuous monitoring of and response to advanced security threats.
  • Integrate threat intelligence feeds into your SIEM and other security controls in order to get access to the most relevant and up-to-date threat data and prepare for future attacks.
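The attack described above works because a valid vendor signature on an update binary is, by itself, no evidence that the binary is the vendor's own build. The following is an added example (not code from Kaspersky Lab or from any vendor named in the article) of the kind of SIEM-side correlation the last recommendation points at: process-start telemetry from an EDR agent is checked against a threat-intelligence hash feed and against the vendor's published release manifest, so that a binary that is correctly signed but whose hash matches no known release is raised for review. Every hash, host name, signer name and telemetry field in the block is constructed sample data, not a real ShadowHammer indicator, and the `sig_valid` field is assumed to come from the agent's own signature check.

```python
"""Correlate update-utility executions with a TI feed and a vendor manifest.

Added example, not part of the original article. All data below is constructed:
the hashes are placeholders, not real indicators of compromise.
"""
import json

# Constructed threat-intelligence feed: SHA-256 hashes reported as malicious.
TI_FEED_SHA256 = {
    "1" * 64,  # placeholder hash standing in for a feed entry
}

# Constructed vendor manifest: the hashes a vendor publishes for each official
# build of its update utility, keyed by the certificate subject it signs with.
# A binary signed with that certificate but absent from this set is either a
# release we have not recorded yet or a build the vendor never produced.
VENDOR_MANIFEST = {
    "ExampleVendor Corp": {"a" * 64, "b" * 64},  # placeholder release hashes
}

# Constructed endpoint telemetry, one JSON record per process start, in the
# shape an EDR agent might forward to a SIEM. Field names are assumptions.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"host": "ws-01", "image": r"C:\Program Files\ExampleVendor\Update\setup.exe",
                "sha256": "a" * 64, "signer": "ExampleVendor Corp", "sig_valid": True}),
    json.dumps({"host": "ws-02", "image": r"C:\Program Files\ExampleVendor\Update\setup.exe",
                "sha256": "1" * 64, "signer": "ExampleVendor Corp", "sig_valid": True}),
    json.dumps({"host": "ws-03", "image": r"C:\Program Files\ExampleVendor\Update\setup.exe",
                "sha256": "c" * 64, "signer": "ExampleVendor Corp", "sig_valid": True}),
    json.dumps({"host": "ws-04", "image": r"C:\Users\bob\Downloads\setup.exe",
                "sha256": "d" * 64, "signer": None, "sig_valid": False}),
])


def classify(event):
    """Return a verdict string for one process-start event.

    Order matters: a feed hit wins even when the signature is valid, because a
    trojanised build signed with a stolen certificate is exactly that case.
    """
    sha = event["sha256"].lower()
    if sha in TI_FEED_SHA256:
        return "known_malicious"
    if not event.get("sig_valid"):
        return "unsigned_or_invalid"
    known_builds = VENDOR_MANIFEST.get(event.get("signer"))
    if known_builds is not None and sha not in known_builds:
        # Valid vendor signature, but not a hash the vendor ever published.
        return "signed_unknown_build"
    return "benign"


def scan(ndjson_text):
    """Run classify() over newline-delimited JSON events; return non-benign alerts."""
    alerts = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = classify(event)
        if verdict != "benign":
            alerts.append({"host": event["host"], "image": event["image"],
                           "sha256": event["sha256"], "verdict": verdict})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f'{alert["host"]}: {alert["verdict"]} {alert["image"]}')
```

The `signed_unknown_build` verdict is the one that matters for a ShadowHammer-style case: it fires on ws-03, where the signature checks out but the hash is not in the manifest, and it would also fire on ws-02 if the feed entry were removed. In production the manifest would be refreshed from the vendor's release data and the feed from the SIEM's threat-intelligence integration; the classification logic stays the same.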

A blog summarizing the attack can be found on Securelist.