Users of ASUS computers have become the latest victims in a unique and highly-targeted supply chain attack dubbed “Operation ShadowHammer”. The attack was propagated to perhaps as many as 1 million ASUS users, but it seems the threat actors behind the malware were only interested in several hundred specific targets. In this post, we explain what ShadowHammer is and what it means for the enterprise.
ShadowHammer – A Timeline
According to Kaspersky researchers, ASUS update servers were compromised by hackers at least as early as June 2018, and possibly even earlier. One theory is that the initial compromise of the company’s servers may have occurred through the earlier CCleaner supply chain attack in which ASUS was a known target.
Regardless of how the hackers gained access to the servers, once in they were able to use a valid ASUS signing certificate to deliver a poisoned update to the ASUS Live Update utility itself, a tool that comes pre-installed on the majority of ASUS computers. Since the update appeared to be both correctly signed and a normal part of the machine’s operation, it escaped detection by both users and most AV solutions, which typically whitelist components from trusted vendors that are correctly signed. Although the campaign appears to have been terminated by the attackers in November 2018, possibly indicating they had achieved their aims, it remained undiscovered until January 2019.
ShadowHammer Targets Users by MAC Address
One of the things that makes ShadowHammer so unusual is that it uses a mass-infection vector to compromise a select number of targets. By one estimate, up to 1 million ASUS users may have downloaded the malware. Yet, incredibly, analysis suggests that the real targets may have numbered only a few dozen at a time, and perhaps no more than 600 throughout the life of the entire campaign.
In order to achieve this selectivity, the malware computes an MD5 hash of the infected machine’s MAC address. It then compares that against a table of hashes hardcoded into the malware. If there’s a match, the code begins the second stage of the attack by downloading further malware from the attacker’s C2 server. If there isn’t a match – the overwhelming majority of the cases – the malware remains dormant.
While this is certainly good news for the unintended victims of the hack, it remains the case that all infected machines have effectively been “backdoored”; therefore, all ASUS users are recommended to check for the malware and remove it.
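The matching step described above can be turned around for fleet triage. The following is an added example, not code from the original post or from any vendor tool: it hashes each adapter address in an asset inventory and compares it against a target-hash list. The host names, MAC addresses and hash list are constructed, and hashing the six raw address bytes (rather than the printable string) is an assumption to confirm against the list you use.

```python
import hashlib
import re

def normalize_mac(text: str) -> bytes:
    """Parse 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e or 001a.2b3c.4d5e into 6 raw bytes."""
    digits = re.sub(r"[:\-.\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def mac_md5(text: str) -> str:
    # Assumption: the hash is taken over the 6 raw address bytes, not the
    # printable string. Confirm against the format of the list you use.
    return hashlib.md5(normalize_mac(text)).hexdigest()

def triage(inventory, target_hashes):
    """Return ({host: [matching MACs]}, [(host, unparsable_value), ...])."""
    targets = {h.strip().lower() for h in target_hashes}
    hits, unparsed = {}, []
    for host, macs in inventory.items():
        for mac in macs:
            try:
                digest = mac_md5(mac)
            except ValueError:
                # Never treat an unreadable inventory entry as "no match".
                unparsed.append((host, mac))
                continue
            if digest in targets:
                hits.setdefault(host, []).append(mac)
    return hits, unparsed

# Constructed sample data: locally administered MACs, hypothetical host names.
INVENTORY = {
    "ws-001": ["02:00:00:AA:BB:01", "02-00-00-aa-bb-02"],
    "ws-002": ["0200.00aa.bb03"],
    "ws-003": ["02:00:00:AA:BB:04", "n/a"],
}
# Stand-in for a published target-hash list (derived from the constructed MACs).
TARGET_HASHES = {mac_md5("02:00:00:aa:bb:03").upper(), mac_md5("020000AABB02")}

if __name__ == "__main__":
    hits, unparsed = triage(INVENTORY, TARGET_HASHES)
    for host, macs in sorted(hits.items()):
        print(f"{host}: adapter(s) on target list: {', '.join(macs)}")
    for host, value in unparsed:
        print(f"{host}: could not parse {value!r}, check manually")
```

A match only indicates that a machine was among the selected targets for the second stage. A machine with no match that received the poisoned update still carries the backdoor and still needs to be checked and cleaned.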
How To Check If You Are Infected By ShadowHammer
The first thing to remember is that ShadowHammer is limited to ASUS machines and is not a general piece of malware that affects other devices, so if you’re not using an ASUS computer, you are not infected.
SentinelOne customers are automatically protected from ShadowHammer malware. As the demo below shows, SentinelOne recognizes and prevents ShadowHammer. This is not a new capability, nor does it require an update. Our behavioral AI engine was able to detect and block ShadowHammer even before it became publicly known.
For those who are not SentinelOne customers, a number of tools have already been made available, including one from ASUS themselves.
Conclusion
ShadowHammer is audacious in that the hackers behind it were unconcerned about potentially infecting every ASUS user in order to achieve a very limited objective. At the same time, they appear to have succeeded in pulling off a mass infection without being detected during the life of their campaign. It’s no surprise that threat actors have no qualms about “collateral damage” – infecting any computer that happens to be in their way – but ShadowHammer is an alarming escalation compared to anything seen before. Given the success of campaigns like this and the CCleaner attack before it, there is no doubt that supply chain attacks will continue to be leveraged by both criminal gangs and nation-state actors as many vendors do not take adequate security precautions.
For enterprise, ShadowHammer is a timely reminder that security solutions which rely on reputation and whitelisting will always have a “blindspot” to supply chain attacks. Given the mammoth task of auditing and securing all 3rd-party software and dependencies, the only effective enterprise solution is to use security software like SentinelOne Next Gen AV that autonomously detects any process that is behaving maliciously in real time, rather than simply looking at where a process comes from or who it is signed by.