Software Updates: Gateway for Supply Chain Attacks

The confirmation by Taiwan-based tech giant ASUS that its software update mechanism was hijacked by cybercriminals to install malicious software (malware) on its customers’ notebook computers highlights the threat of supply chain attacks delivered via software updates.

A supply chain attack attempts to exploit a security vulnerability in a third-party service or software product in order to compromise a final target. A hijacked software update is one of the most common forms of supply chain attack.

Last March 26, ASUS, ranked by Gartner as the world’s 5th-largest PC vendor in the 3rd quarter of 2018, asked its notebook computer customers to install the latest software update (version 3.6.8). The request followed ASUS’ acknowledgement that ASUS Live Update, software pre-installed on ASUS notebook computers to keep the system current with the latest ASUS drivers and firmware, had been implanted with malicious code through a sophisticated attack on its Live Update servers.

ASUS said that Live Update version 3.6.8 introduced multiple security verification mechanisms to block malicious manipulation disguised as software updates and to prevent similar attacks in the future. The company said the attack targeted only “a very small and specific user group”.

Kaspersky Lab, the company that reported to ASUS in January 2019 that malware was being distributed via ASUS’ legitimate updates, said that the attack may have “affected a large number of users.” According to Kaspersky Lab, on January 31, 2019 it informed ASUS that between June 2018 and November 2018, over 57,000 Kaspersky users, mostly from Russia, Germany and France, had downloaded and installed the malicious version of ASUS Live Update.

Kaspersky Lab said that while it couldn’t calculate the total count of affected users based only on its data, the estimated real scale of the problem could be “much bigger and is possibly affecting over a million users worldwide.”

Symantec, for its part, said that at least 13,000 computers of Symantec customers, mostly from the U.S., Australia and Italy, received the malicious version of ASUS Live Update. The distribution of the malicious ASUS updates, Symantec said, started in June 2018 and continued through to at least late October 2018. Symantec added that this supply chain attack may have “affected up to half a million systems.”

According to Kaspersky Lab and Symantec, ASUS notebook computer users were tricked into downloading the malicious updates because the updates were signed with legitimate ASUS digital certificates. ASUS’ statement that the attack targeted only a “very small and specific user group” rests on the fact that the attackers hardcoded into the malicious ASUS updates a limited list of MAC addresses, a hardware identification number that uniquely identifies each device. Devices with these specific MAC addresses are believed to have been the intended targets of the ASUS supply chain attack.
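The two facts above, a valid vendor signature on a malicious file and a hardcoded target list inside it, are the reason a defender should not treat a code signature as the only gate on an update. The following is an added example, not ASUS code and not the Live Update client’s actual verification logic; it sketches an update verifier that requires an independent, out-of-band manifest hash and a monotonic version in addition to the signature result. All product names, versions, payloads and manifest values are constructed for the illustration.

```python
"""Added example (not ASUS code): an update verifier that does not rely on a
code signature alone. Alongside the signature result it requires (1) that the
update's SHA-256 match a manifest obtained over a separate channel and (2)
that the version never moves backwards. All data below is constructed."""
import hashlib
import hmac

# Constructed sample payloads: the legitimate update and a tampered copy that
# a compromised build or update server might ship under a valid signature.
GOOD_PAYLOAD = b"example-live-update payload, version 3.6.8"
TAMPERED_PAYLOAD = GOOD_PAYLOAD + b" + implanted code"

# Constructed manifest, assumed to be published out-of-band (e.g. pinned in
# the client or fetched from an independently operated endpoint). In a real
# deployment this would be produced by the vendor's release process.
TRUSTED_MANIFEST = {
    "product": "example-live-update",
    "version": "3.6.8",
    "sha256": hashlib.sha256(GOOD_PAYLOAD).hexdigest(),
}


def parse_version(version: str) -> tuple:
    """Turn '3.6.8' into (3, 6, 8) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def verify_update(payload: bytes, claimed_version: str, signature_valid: bool,
                  manifest: dict, installed_version: str) -> tuple:
    """Return (accepted, reason).

    signature_valid stands in for the outcome of the vendor certificate
    check. If the signing infrastructure is compromised that check passes
    for a malicious file too, which is why the remaining checks exist and
    why each depends on data the update server itself does not control.
    """
    # Check 1: the vendor signature (necessary, but not sufficient).
    if not signature_valid:
        return False, "signature check failed"
    # Check 2: rollback/replay protection; an old signed build must not be
    # re-served as if it were new.
    if parse_version(claimed_version) <= parse_version(installed_version):
        return False, "rollback or replay: version not newer than installed"
    # Check 3: the version and the file hash must agree with the manifest
    # obtained over the second channel. compare_digest avoids timing leaks.
    if claimed_version != manifest["version"]:
        return False, "version does not match out-of-band manifest"
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "hash mismatch against out-of-band manifest"
    return True, "ok"


if __name__ == "__main__":
    for name, payload in (("good", GOOD_PAYLOAD), ("tampered", TAMPERED_PAYLOAD)):
        ok, reason = verify_update(payload, "3.6.8", True, TRUSTED_MANIFEST, "3.6.7")
        print(f"{name:8s} accepted={ok} reason={reason}")
```

The tampered payload is rejected even though its signature result is True, because the hash published through the second channel no longer matches. The design choice worth noting is that every extra check consumes data the update server cannot alter on its own: a version already on the client, and a manifest fetched or pinned independently.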

What about ASUS notebook computers that were not on the list and yet downloaded and installed the malicious updates between June 2018 and November 2018? In that case, the malware delivered via the malicious updates stays dormant and does nothing. Having dormant malware on your computer is still a risk, as malicious actors could activate it at any time.

Other Incidents of Supply Chain Attacks via Software Updates

The cyber incident at CCleaner is another example of a supply chain attack that takes advantage of a hijacked software update. Avast, which acquired Piriform, the maker of CCleaner, confirmed that 2.27 million CCleaner users downloaded and installed the malicious CCleaner update, which was released on August 15, 2017 and went undetected by any security company for four weeks, highlighting the sophistication of the attack.

The NotPetya attack is another example of a supply chain attack that exploited a legitimate software update. Microsoft reported that on June 27, 2017 it first observed the NotPetya attack in Ukraine, where more than 12,500 computers were infected by the malware, malicious software that denies computer users access to their files.

On the same day, Microsoft observed that the NotPetya infection had spread to another 64 countries, including Belgium, Brazil, Germany, Russia and the U.S. Microsoft traced the origin of the NotPetya attack to the software update mechanism of M.E.Doc, a popular tax accounting software in Ukraine.

Cybersecurity Best Practices

Here are some cybersecurity best practices to mitigate the effects of supply chain attacks via software updates:

1. Back-up Critical Files

Keep back-ups of your organization’s critical files in case a cyber incident occurs.

2. Restore Operating System to Factory Setting

To completely remove the malware implanted via the malicious ASUS updates, ASUS advises users to restore their operating systems to factory settings. Restoring the operating system to factory settings reinstates only the pre-installed software, discarding the malware that the computer has accumulated over time. This complete factory reset, however, also removes the files accumulated over time, which is why it is important to run regular backups of computer files.

3. Regularly Update Passwords & Use Multi-Factor Authentication

As a precautionary measure, regularly update passwords and use multi-factor authentication.

When you need help addressing IT issues, our experts will always help you and will respond within 30 minutes, guaranteed. Contact us today and run your business worry-free.
