[ad_1]
The ASUS update mechanism was once again used to install malware on personal computers, reported Eset researchers earlier this week. The investigators, who continue to investigate the incident, said they believed the attacks were the result of "man-in-the-middle" attacks at the router that exploit unsecured HTTP connections between end-users and ASUS servers, as well as an incomplete code signature to validate. the authenticity of the files received before their execution.
The malware talks about malware. This is the work of hackers espionage that Trend Micro calls the BlackTech group, which targets government agencies and private organizations in Asia. Last year, the group used legitimate code signing certificates stolen from D-Link, the router's manufacturer, to authenticate itself cryptographically as trustworthy. Previously, the BlackTech group used phishing emails and vulnerable routers to serve as command and control servers for malware.
At the end of last month, Eset researchers noticed that the BlackTech group was using a new and unusual method to stealthily install Plead on target computers. The backdoor has arrived in a file named ASUS Webstorage Upate.exe included in an update of ASUS. An analysis showed that infections were created and performed by AsusWSPanel.exe, legitimate Windows process owned and digitally signed by ASUS WebStorage. As the name suggests, ASUS WebStorage is a cloud service offered by the computer manufacturer for file storage.
The abuse of legitimate AsusWSPanel.exe discussed the possibility that the computer manufacturer may have fallen into another supply chain attack that was diverting its update process to install backdoors on end users' computers. Finally, Eset researchers dismissed this theory for three reasons:
-
- The same suspected update mechanism also delivered legitimate ASUS WebStorage binaries.
- There was no evidence that ASUS WebStorage servers were used as control servers or served malicious binary files.
- Attackers used standalone malware files instead of embedding their malicious products into ASUS 'legitimate software.
When looking at different scenarios, the researchers found that the ASUS WebStorage software was exposed to "man-in-the-middle" attacks, during which hackers controlling a connection altered the data that passed through it. The researchers made this decision because the updates are requested and transferred using unencrypted HTTP connections, rather than HTTPS connections immune to such exploits. The researchers also noted that the ASUS software had not validated its authenticity before its execution. This allowed the BlackTech group to intercept the ASUS update process and use it to send the Plead folder instead of the legitimate ASUS file.
The researchers also found that most organizations that received the ASUS WebStorage Plead file used routers of the same manufacturer. The routers, which Eset refused to identify while still investigating the case, have administrator panels accessible over the Internet. This left open the possibility that a MitM attack could be caused by malicious DNS settings on routers or by something more complex, such as forgery of iptables.
Eset's theory of work then shifted from the BlackTech group that was breaking the ASUS network and committing a supply chain attack to attackers running a MitM attack on ASUS 'unsecured update mechanism. Indeed, as shown below in a screen capture of a communication captured during a malicious software update from ASUS WebStorage, attackers have replaced the current one. legitimate ASUS URL through a URL from a Taiwanese government compromised website.
Anton Cherepanov, head of malware research at Eset, said in an email that the captured communication was not proof of a MitM.
"It is possible that attackers accessed ASUS WebStorage servers and pushed XML with a malicious link only to a small number of computers," he wrote. That's why we say it's always possible. We can not ignore this theory. "
But for the reasons listed above, he believes the MitM scenario is more likely.
In total, Eset has counted about 20 computers receiving the malicious ASUS update, but this number includes only the company's customers. "The actual number is probably higher if we consider targets that are not our users," said Anton Cherepanov, senior malware researcher at Eset in Ars.
Once the file is run, it downloads an image of a different server containing an encrypted executable file hidden inside. Once decrypted, the malicious executable is dropped into the Windows Start menu folder, where it is loaded whenever the user logs on.
It is surprising that even after the serious supply chain attack that would have infected up to 1 million users, the company was still using unencrypted HTTP connections to provide updates. Ars sent ASUS media representatives two messages requesting comments for this article. Until now, they have not responded yet. In a blog post sent via an unencrypted HTTP connection, ASUS reported a "WebStorage security incident" that reads as follows:
ASUS Cloud became aware of an incident at the end of April 2019, when one of our customers contacted us for security reasons. After learning of the incident, ASUS Cloud immediately took steps to limit the attack by stopping the ASUS WebStorage update server and stopping the issuance of all ASUS update notifications. WebStorage, thus ending the attack.
In response to this attack, ASUS Cloud has reviewed the host architecture of the update server and has put in place security measures to strengthen data protection. This will prevent similar attacks in the future. However, ASUS Cloud strongly recommends that users of ASUS WebStorage services perform an immediate full virus scan to ensure the integrity of your personal data.
The post office does not say what these security measures are. In addition, Eset did not mention that the service had been used to install malware. Until independent security experts say that the site can be used safely, people would do well to avoid it.
[ad_2]
Source link