Earlier this week cybersecurity company Kaspersky wrote a blog post about its discovery of a new supply-chain attack, on laptop maker Asus. The attack, Kaspersky said, modified an Asus update, added a backdoor into it, and then distributed the (potentially harmful) update to users through legitimate Asus channels.
It’s a particularly brutal attack for a number of reasons. It affects a lot of people – the update was distributed to around a million people, according to Kaspersky’s calculations. It came in the form of an update, which, of course, is especially tricksy given that a lot of cybersecurity advice often boils down to, “do your updates”.
And it came through ostensibly legitimate channels. “The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time,” the blog post says. “The criminals even made sure the file size of the malicious utility stayed the same as that of the original one.”
That combination has spooked cybersecurity commentators. Matt Blaze wrote on Twitter: “Oh man the ASUS thing. This is the worst kind of supply chain attack. It threatens to poison faith in the integrity of update mechanisms that have become essential for security today.”
But despite that, he said, users are still better off – far better off – keeping things updated. His explanation for that is that “everything ships with vulnerabilities. They get discovered (and exploited) over time. If you patch, there’s a small chance you’ll fall prey to a malicious update injected through the vendor. But if you don’t patch, there’s a close to 100% chance you’ll be attacked over time”.
Clearly, that’s good advice. But it is easy to see why people now have concerns about updates. One piece of solace they can take is that the attackers were not interested in all 1 million affected users; “they targeted only 600 specific MAC addresses, for which the hashes were hardcoded into different versions of the utility”, the Kaspersky report said.
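The hashed target list is what a defender can actually act on: you cannot recover the 600 MAC addresses from the digests, but you can hash your own adapters and see whether any of them is on the list. The following exposure check is an added example, not code from the article or from Kaspersky; it assumes, since the article does not name the scheme, that the utility stored MD5 digests of the lowercase, colon-separated MAC string, and the target digests it uses are constructed rather than the real indicators.

```python
import hashlib
import re

# Assumption (the article does not name the algorithm): targets are stored as
# hex digests of the lowercase, colon-separated MAC string. Swap this out if
# analysis of a real sample shows a different scheme.
HASH = hashlib.md5


def normalize_mac(raw: str) -> str:
    """Canonicalise the formats MACs turn up in (AA-BB-CC-DD-EE-FF,
    aabb.ccdd.eeff, AABBCCDDEEFF) to 'aa:bb:cc:dd:ee:ff' so the hash does
    not depend on how the OS happened to print the address."""
    hex_digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hex_digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(hex_digits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str) -> str:
    return HASH(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed stand-in for the hardcoded target list. Against a real sample an
# analyst extracts the digests from the trojanized binary; the plaintext MACs
# stay hidden, which is exactly why the list was shipped as hashes.
TARGET_HASHES = frozenset(mac_hash(m) for m in ["aa:bb:cc:dd:ee:01",
                                                 "aa:bb:cc:dd:ee:02"])


def find_targeted(local_macs, target_hashes=TARGET_HASHES):
    """Return the local adapters (normalised) whose hash is on the target list.
    A laptop usually has several adapters (Ethernet, Wi-Fi, virtual), and any
    one of them matching is enough, so every adapter is checked."""
    hits = []
    for raw in local_macs:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            continue  # skip unparsable entries such as disabled virtual adapters
        if mac_hash(mac) in target_hashes:
            hits.append(mac)
    return hits


if __name__ == "__main__":
    # Constructed adapter list, in the mixed formats `ip link` or `getmac` print.
    sample = ["00:11:22:33:44:55", "AA-BB-CC-DD-EE-01", "00-00-00-00-00-00"]
    print(find_targeted(sample))  # ['aa:bb:cc:dd:ee:01']
```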
And though Kaspersky said that it has found more vendors – three others – affected by similar attacks, it also said that its software now detects and blocks the updates and that it has spoken to Asus and the other vendors.
We’ve written here before about supply chain attacks and the menace that they represent. Cybersecurity is, in large part, about warring factions trying to stay one step ahead of each other. The job of the defenders is, of course, more difficult, because they have to be successful every time to have done their job, whereas the attackers only have to succeed once.
And there are cases – which obviously is where the fear of a zero day attack comes from – where the defenders are caught completely on the bounce. Sometimes, the attackers are truly so far ahead that manufacturers and companies have to enter crisis mode. There were undoubtedly some difficult conversations at Asus headquarters this week, even though an attack this sneaky would have been very difficult to prevent.
Other, similar attacks have caused trouble too. Kaspersky says the recent Asus attack was bigger, but it also drew attention to the NetSarang attack, in which server management software owned by that company was trojanised by criminals and distributed in much the same way as the Asus incident.
But arguably the biggest ever – and something which we have discussed here before, too – was Bloomberg’s investigation into Supermicro, in which the publication said that Supermicro’s server motherboards contained a tiny chip that was not supposed to be there – effectively a hardware hack, embedded deep in the supply chain.
That report was highly controversial and very strongly refuted by the companies involved and implicated, but it demonstrated an important point – the global technology supply chain is vulnerable and, given its importance, incredibly dangerous if compromised. Once again, we see that tech companies of all kinds have become totally integral to our modern world.