“They were not trying to target as many users as possible,” said Kamluk. “They wanted to get into very specific targets and they already knew in advance their network card MAC address, which is quite interesting.”

BlackZero:

Espionage, I hear. 😱 😛:D

BetA:

Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers source: https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers

HeavyHemi:

How would that help you when the issue came from ASUS or the maker? The analog would be if your NIC driver or motherboard drivers were infected when you naturally update those from doing a base OS install. Or do you just run with the basic generic drivers?

ASUS response to the recent media reports regarding ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups 2019/03/26 ASUS response to the recent media reports regarding ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups Advanced Persistent Threat (APT) attacks are national-level attacks usually initiated by a couple of specific countries, targeting certain international organizations or entities instead of consumers. ASUS Live Update is a proprietary tool supplied with ASUS notebook computers to ensure that the system always benefits from the latest drivers and firmware from ASUS. A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed. ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future. Additionally, we have created an online security diagnostic tool to check for affected systems, and we encourage users who are still concerned to run it as a precaution. The tool can be found here: https://dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/ASUSDiagnosticTool/ASDT_v1.0.1.0.zip Users who have any additional concerns are welcome to contact ASUS Customer Service. More information about APT groups: https://www.fireeye.com/current-threats/apt-groups.html How do I know whether or not my device has been targeted by the malware attack? Only a very small number of specific user group were found to have been targeted by this attack and as such it is extremely unlikely that your device has been targeted. However, if you are still concerned about this matter, feel free to use ASUS’ security diagnostic tool or contact ASUS Customer Service for assistance. What should I do if my device is affected? Immediately run a backup of your files and restore your operating system to factory settings. This will completely remove the malware from your computer. In order to ensure the security of your information, ASUS recommends that you regularly update your passwords. How do I make sure that I have the latest version of ASUS Live Update? You can find out whether or not you have the latest version of ASUS Live Update by following the instructions shown in the link below: https://www.asus.com/support/FAQ/1018727/ Have other ASUS devices been affected by the malware attack? No, only the version of Live Update used for notebooks has been affected. All other devices remain unaffected.

gdmaclew:

The only problem with the DIAGNOSIS TOOL is that even if you have an ASUS motherboard it gives you an error message - "only for ASUS machine!" The exclamation point it theirs not mine.

Asus was warned of hacking risks months ago, thanks to leaky passwords A security researcher warned Asus two months ago that employees were improperly publishing passwords in their GitHub repositories that could be used to access the company’s corporate network. One password, found in an employee repo on the code sharing, allowed the researcher to access an email account used by internal developers and engineers to share nightly builds of apps, drivers and tools to computer owners. The repo in question was owned by an Asus engineer who left the email account’s passwords publicly exposed for at least a year. The repo has since been wiped clean, though the GitHub account still exists. “It was a daily release mailbox where automated builds were sent,” said the researcher, who goes by the online handle SchizoDuckie, in a message to TechCrunch. Emails in the mailbox contained the exact internal network path where drivers and files were stored. The researcher shared several screenshots to validate his findings. The researcher didn’t test how far the account access could have given him, but warned it could have been easy to pivot onto the network. “All you’d need is send one of those emails with an attachment to any of the recipients for a real nice spearphishing attack,” he said. The researcher’s findings would not have stopped the hackers who targeted Asus’ software update tool with a backdoor, revealed this week, but reveals a glaring security lapse that could have put the company at risk from similar or other attacks. Security firm Kaspersky warned Asus on January 31 — just a day before the researcher’s own disclosure on February 1 — that hackers had installed a backdoor in the company’s Asus Live Update app. The app was signed with an Asus-issued certificate and hosted on the company’s download servers. More than a million users were pushed the backdoored code, researchers have estimated. Asus confirmed the attack in a statement and released a patched version. Through the company’s dedicated security email, the researcher warned Asus of the exposed credentials. Six days later, he could no longer log in to the mailbox and assumed the matter was resolved. But he found at least two other cases of Asus engineers exposing company passwords on their GitHub pages. One Asus software architect based in Taiwan — where the company has its headquarters — left a username and password in code on his GitHub page. Another Taiwan-based data engineer also had credentials in his code. “Companies have no clue what their programmers do with their code on GitHub,” said the researcher. A day after we alerted Asus to the researcher’s email, the repos containing the credentials were pulled offline and wiped clean. Yet when reached, Asus spokesperson Randall Grilli told TechCrunch that the computer maker was “unable to verify the validity” of the claims in the researcher’s emails. “Asus is actively investigating all systems to remove all known risks from our servers and supporting software, as well as to ensure there are no data leaks,” he added. Granted, this isn’t an issue limited to Asus. Other companies have been put at risk by exposed and leaked credentials or hardcoded secret keys. Last week, academics found more than 100,000 public repos storing cryptographic keys and other secrets. Among the most famous examples of exposed credentials was Uber, in which an engineer mistakenly left cloud keys in a GitHub repository, which when discovered and exploited by hackers was used to pilfer data on 57 million users. Uber was later ordered to pay $148 million in a data breach settlement. But given Asus knew of the issues months ago amid a backdoor threat that affected more than a million users, you would have hoped for a better, more active response.