classic | mobile
Follow us on:
Follow us on Facebook  Share via Twitter  Share via LinkedIn
 

Search...
Hi-Tech Security Solutions Business Directory
Residential Estate Security Handbook 2018


New supply chain attack
April 2019, Cyber Security

Kaspersky Lab has uncovered a new advanced persistent threat (APT) campaign that has affected a large number of users through what is known as a supply chain attack. Researchers found that threat actors behind Operation ShadowHammer have targeted users of the ASUS Live Update Utility, by injecting a backdoor into it at least between June and November 2018. Kaspersky Lab experts estimate that the attack may have affected more than a million users worldwide.

A supply chain attack is one of the most dangerous and effective infection vectors, increasingly exploited in advanced operations over the last few years – as we have seen with ShadowPad or CCleaner. It targets specific weaknesses in the interconnected systems of human, organisational, material, and intellectual resources involved in the product life cycle: from initial development stage through to the end user. While a vendor’s infrastructure can be secure, there could be vulnerabilities in its providers’ facilities that would sabotage the supply chain, leading to a data breach.

The actors behind ShadowHammer targeted the ASUS Live Update Utility as the initial source of infection. This is a pre-installed utility in most new ASUS computers for automatic BIOS, UEFI, drivers and applications updates. Using stolen digital certificates used by ASUS to sign legitimate binaries, the attackers have tampered older versions of ASUS software, injecting their own malicious code. Trojanised versions of the utility were signed with legitimate certificates and were hosted on and distributed from official ASUS update servers – which made them mostly invisible to the vast majority of protection solutions.

While this means that potentially every user of the affected software could have become a victim. The actors behind ShadowHammer were focused on gaining access to several hundreds of users, which they had prior knowledge about. As Kaspersky Lab’s researchers discovered, each backdoor code contained a table of hardcoded MAC addresses – the unique identifier of network adapters used to connect a computer to a network. Once running on a victim’s device, the backdoor verified its MAC address against this table.

If the MAC address matched one of the entries, the malware downloaded the next stage of malicious code. Otherwise, the infiltrated updater did not show any network activity, which is why it remained undiscovered for such a long time. In total, security experts were able to identify more than 600 MAC addresses. These were targeted by over 230 unique backdoored samples with different shellcodes.

The modular approach and extra precautions taken when executing code, to prevent accidental code or data leakage indicates that it was very important for the actors behind this sophisticated attack to remain undetected, while hitting some very specific targets with surgical precision. Deep technical analysis shows that the arsenal of the attackers is very advanced and reflects a very high level of development within the group.

The search for similar malware has revealed software from three other vendors in Asia, all backdoored with very similar methods and techniques. Kaspersky Lab has reported the issue to Asus and other vendors.

“The selected vendors are extremely attractive targets for APT groups that might want to take advantage of their vast customer base. It is not yet very clear what the ultimate goal of the attackers was and we are still researching who was behind the attack. However, techniques used to achieve unauthorised code execution, as well as other discovered artefacts suggest that ShadowHammer is probably related to the BARIUM APT, which was previously linked to the ShadowPad and CCleaner incidents, among others. This new campaign is yet another example of how sophisticated and dangerous a smart supply chain attack can be nowadays,” said Vitaly Kamluk, director of global research and analysis team, APAC, at Kaspersky Lab.

All Kaspersky Lab products successfully detect and block the malware used in Operation ShadowHammer.

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky Lab researchers recommend implementing the following measures:

In addition to adopting must-have endpoint protection, implement a corporate grade security solution which detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform;

• For endpoint level detection, investigation and timely remediation of incidents, we recommend implementing EDR solutions such as Kaspersky Endpoint Detection and Response or contacting a professional incident response team;

• Integrate threat intelligence feeds into your SIEM and other security controls in order to get access to the most relevant and up-to-date threat data and prepare for future attacks.

Kaspersky Lab will present full findings on Operation ShadowHammer at Security Analyst Summit 2019, in Singapore, 9-11 April. A full report on the ShadowHammer campaign is already available to customers of Kaspersky Intelligence Reporting Service.

A blog summarising the attack as well as a special tool designed to validate whether users’ devices were a target can also be found on Securelist. The validation is also available on a separate website.


Credit(s)
  Share via Twitter   Share via LinkedIn      

Further reading:

  • When cybercrime affects health and safety
    April 2019, This Week's Editor's Pick, Cyber Security
    The threat of a category-one cyber-attack is that everything could seem right – the readings on the meter could be fine, checklists would be followed, and equipment would work – yet danger could still unfold.
  • New service to fight cybersecurity threats to African banks
    April 2019, Cyber Security
    Foregenix is launching a service to combat the new and growing breed of cyber-attacks on African banks.
  • Cyber/physical perils in hospitality
    April 2019, Wolfpack Information Risk, This Week's Editor's Pick, Cyber Security, Entertainment and Hospitality (Industry)
    How can we prepare for our holidays and avoid becoming the victim of a scam or data breach?
  • Cloud and mobile deployments are the weakest links
    April 2019, Check Point South Africa, Cyber Security
    Report highlights the cloud and mobile attack vectors used to target enterprises: nearly one in five organisations experienced a cloud security incident in the past year.
  • Rethink security priorities
    April 2019, News, Cyber Security
    Cryptocurrency mining is up 237%, phishing attacks increase by 269%, business email compromise attacks have gone up by 28%.
  • Overcoming the 2019 cyberthreat
    April 2019, IT infrastructure, Cyber Security
    The flexibility of remote working is good, however, the wider a network perimeter has to stretch, the more scope exists for security breaches.
  • Halt, who goes there?
    March 2019, Technews Publishing, Wolfpack Information Risk, This Week's Editor's Pick, Cyber Security
    As long as organisations treat their physical and cyber domains as separate, there is little hope of securing either one.
  • IoT is convergence in action
    March 2019, Gijima Electronic and Security Systems (GESS), NEC XON, Technews Publishing, Axiz, G4S South Africa, This Week's Editor's Pick, Cyber Security, Integrated Solutions, IT infrastructure
    The Internet of Things gains more than enough attention these days, but the IoT demonstrates the reality of the convergence between the physical and cyber worlds, and physical security is part of it.
  • Stop hacking of access control ­systems
    March 2019, This Week's Editor's Pick, Access Control & Identity Management, Cyber Security
    Think someone hacking your access control system not a big deal? Scott Lindley suggests that you think again.
  • New cybersecurity pavilion for Securex 2019
    March 2019, Securex South Africa , This Week's Editor's Pick, Cyber Security, News, Conferences & Events, Training & Education
    Securex South Africa 2019 has announced that 4Sight Technologies, a subsidiary of an international holdings company focusing on investing in Industry 4.0 companies, has signed on as the official sponsor ...
  • Security by design
    March 2019, Johnson Controls, Cyber Security, Integrated Solutions
    The security of the platforms on which physical security products are built will increasingly impact purchase decisions and market positions.
  • A logical solution for cyber solutions
    March 2019, Suprema, Cyber Security, Access Control & Identity Management, Products
    BioMini Slim 2 is a thin, FBI PIV and FBI Mobile ID certified FAP20 optical scanner with a large platen for easy capturing of fingerprints.

 
 
         
Contact:
Technews Publishing (Pty) Ltd
1st Floor, Stabilitas House
265 Kent Ave, Randburg, 2194
South Africa
Publications by Technews
Dataweek Electronics & Communications Technology
Electronic Buyers Guide (EBG)

Hi-Tech Security Solutions
Hi-Tech Security Business Directory (HSBD)

Motion Control in Southern Africa
Motion Control Buyers’ Guide (MCBG)

South African Instrumentation & Control
South African Instrumentation & Control Buyers’ Guide (IBG)
Other
Terms & conditions of use, including privacy policy
PAIA Manual
         
    Mobile | Classic

Copyright © Technews Publishing (Pty) Ltd. All rights reserved.