After ShadowHammer, Asus has another security breach to contend with: an update service let attackers distribute malware without restriction.
Another security problem at Asus
Hardware manufacturer Asus is once again struggling with a security problem of unprecedented proportions. The security company ESET has discovered a vulnerability in the cloud storage service WebStorage that allowed attackers to distribute malware and trojans unhindered to customer computers. Asus has already reacted and taken the affected WebStorage servers offline to close the vulnerability. The attackers are said to be the BlackTech hacker group. This time, however, the hackers did not directly take control of servers and updates.
Man-in-the-middle attack manipulated updates
In the previous attack, ShadowHammer, which infected over a million computers, the manipulated updates came directly from Asus servers. This time the hackers proceeded differently: Asus had not sufficiently secured its update mechanism against man-in-the-middle attacks, as there was neither signature verification nor an encrypted connection. The hackers intercepted the updates that an update service in an infected company network requested from the Asus servers and replaced them with a file of their own. The signed update service AsusWSPanel.exe then executed this file. The manipulated file contained a backdoor through which the attackers downloaded a trojan from a hijacked server of a Taiwanese government website and had the update service install it.
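The two missing controls named above, signature verification and a check that the fetched file is the one the vendor released, as an added example (not Asus code): a client that accepts an update only if its manifest is signed by a pinned vendor key and the file hash matches that manifest. Key seeds, file contents and the manifest format are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a minimal signed update descriptor (constructed for this example):
// the vendor signs "Version|SHA256" with its release key, the client ships the public key.
type Manifest struct {
	Version   string
	SHA256Hex string
	Signature []byte
}

func manifestBytes(m Manifest) []byte { return []byte(m.Version + "|" + m.SHA256Hex) }

// SignManifest is the vendor-side step; it runs on the release server, never on the client.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, SHA256Hex: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, manifestBytes(m))
	return m
}

// VerifyUpdate is the client-side check: the manifest must be signed by the pinned vendor
// key, and the downloaded file must match the hash that signed manifest commits to. A file
// swapped in transit fails the hash check, and a re-signed manifest fails the key check.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pinned, manifestBytes(m), m.Signature) {
		return errors.New("manifest signature invalid: not signed by the pinned vendor key")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return errors.New("payload hash mismatch: file differs from what the vendor signed")
	}
	return nil // only now is it safe to hand the file to the update service for execution
}

func main() {
	// Fixed seeds keep the demo reproducible; real keys live in a protected signing system.
	vendor := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, ed25519.SeedSize))
	attacker := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{9}, ed25519.SeedSize))
	pinned := vendor.Public().(ed25519.PublicKey)
	genuine, swapped := []byte("genuine update"), []byte("file substituted in transit")
	m := SignManifest(vendor, "1.0.0", genuine)
	fmt.Println("genuine:", VerifyUpdate(pinned, m, genuine))
	fmt.Println("swapped file:", VerifyUpdate(pinned, m, swapped))
	fmt.Println("attacker-signed:", VerifyUpdate(pinned, SignManifest(attacker, "1.0.0", swapped), swapped))
}
```

Transport encryption (TLS) still belongs in front of this check, but the signature is what makes a substituted file detectable even when the channel is compromised.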
Problem fixed according to Asus, but further attacks could follow
According to Asus, the problem has already been solved. According to ESET, the attack infected about 20 computers within the company network mentioned. Whether other systems are affected is unknown. The vulnerability shows, however, that Asus apparently did not properly secure some of its software components, so further attacks of this kind could follow. In this case the hackers were probably after company data, but such backdoors can also be used to build large-scale botnets and thus, for example, launch DDoS attacks.