Asus has responded to claims that a compromised version of its Live Update tool has infected thousands of devices, stressing that the attack was targeted and that only a ‘small number’ of customers using Asus laptops were affected.
Despite this, the company is urging all customers to update to the latest version of Live Update Utility and says it’s already been talking with some affected customers.
Asus also says its taken steps to ensure that the attack vector, which saw a fake version of Live Update Utility installed on its servers before being sent out to customers won’t happen again.
Shadow Hammer – how to find out if you’ve been affected
If you think you’ve been affected, then you should download the diagnostic tool Asus released here. This is a zip file – ASDT_v220.127.116.11 – containing a single 215 KB application. Running this will tell you if your device has been affected or not.
Kaspersky, who reported the attack to Asus in January, has released a diagnostic tool of its own, which you can download here, if you’d like a second opinion. It’s another small file (74KB) and can be found towards the foot of the article. Simply copy ‘Download an archive with the tool (.exe)’, hit Ctrl+F and paste that into the text box.
Whether you’ve been affected or not, if you use Live Update, you should upgrade to V3.6.8 (or higher), which you can download from Asus here.
Shadow Hammer – who is behind the attack?
Asus hasn’t commented publicly on who it might think is responsible, but has hinted that there may be political motivations behind the attack. The company has released the following statement:
“Advanced Persistent Threat (APT) attacks are national-level attacks usually initiated by a couple of specific countries, targeting certain international organizations or entities instead of consumers.
“ASUS Live Update is a proprietary tool supplied with ASUS notebook computers to ensure that the system always benefits from the latest drivers and firmware from ASUS. A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed.
“ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.”
Kaspersky says it has reason to believe that this attack is linked to the people behind the ShadowPad attack – aka the 2017 CCleaner hack – who have been collectively referred to in a Microsoft court document as ‘Barium’. The security company also says that most of the affected customers it’s been able to identify are based in Russia – though this may have as much to do with the popularity of Kaspersky’s wares there than anything else.
Symantec, which sells Norton anti-virus software that’s popular in the United States, said yesterday that 13,000 of its customers had fallen afoul of the same trojanised update, so the scope is likely wider than what Kaspersky’s figures indicate.
Kaspersky says that at least 57,000 users installed the compromised software, but estimates that the full reach of the malware is greater, closer to a million.
Have you been affected by ShadowHammer or ShadowPad? Let us know on Twitter @TrustedReviews.