News Insights: ShadowHammer: Malicious updates for ASUS laptops

News Insights:

Colin Little, Senior Threat Analyst, Centripetal Networks

“The ASUS backdoor exposes a trusted-vendor’s channel compromise distribution vector, which has historically caused damage world-wide. For example, the NotPetya cyber weapon, which was unleashed on the Ukraine in 2017, used the same distribution vector from a popular accounting software provider (ref https://www.bleepingcomputer.com/news/security/surprise-notpetya-is-a-cyber-weapon-its-not-ransomware/). 

“When we consider this history, we plainly see the need for validation of trusted-vendor channels in addition to digital signatures (which, in this case, appears to have further concealed the malicious activity by providing a false sense of integrity) – not just for software and platform updates, but any “trusted” vendor network which has access into our environment requires validation above and beyond what the current offerings are. The world is lucky there was not a cyber weapon involved in the ASUS backdoor, such as with the NotPetya example. 

“While many organizations debate whether to block or not due to interruption of the business process, it should be best practice to block. Removing the block is not difficult and can be accomplished quickly, better to be safe than have the network and data compromised which would be more of a consequence than blocking.”

Mike Jordan, CISSP, CRISC, CTPRP, Senior Director, The Shared Assessments Program:  

“Supply chain cybersecurity threats from software update mechanisms can be particularly devastating. This is a very similar method that the NotPetya malware used to cause over a billion dollars in costs and counting by hacking a third party’s software. It’s becoming increasingly important that companies add reviews of their third party software vendors’ software update mechanisms as part of their due diligence procedures.

“Our members are discussing how to best address these threats in our working groups, especially as they pertain to Operational Technology (OT) risks to the plant floors of manufacturing, utility, and energy companies. We’ve found that the best way to address these kinds of third party risks is by working together with all parties, including the purchasers, the vendors, and the service providers that service and secure them. By working together on a common language and expected practices, organizations can efficiently and effectively manage these multi-faceted risks.”