Security researchers at Kaspersky Lab have uncovered what appears to be one of the biggest supply-chain incidents ever.
A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels.
The trojanized utility was signed with a legitimate certificate and hosted on the official ASUS server dedicated to updates, which allowed it to stay undetected for a long time. The criminals even made sure the file size of the malicious utility stayed the same as that of the original, Kaspersky says.
According to the company's statistics, more than 57,000 users of Kaspersky Lab's products have installed the backdoored utility, but the company estimates it was distributed to about 1 million people in total. The cybercriminals behind it were not interested in all of them, however: they targeted only 600 specific MAC addresses, whose hashes were hardcoded into different versions of the utility.
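Because the backdoor only activated on machines whose MAC address hashed to a hardcoded value, the question a defender asks is "was this host on the list?". The following is an added example (not code from Kaspersky, ASUS, or the article) of that check; it assumes the target list is a set of SHA-256 hex digests over the lowercase, colon-separated MAC string, and the digests it uses are constructed for the demo rather than taken from the real binary.

```python
"""Check a host's MAC addresses against a list of target MAC hashes.

Added example, not Kaspersky's or ASUS's code. Assumptions (not stated in the
article): targets are SHA-256 hex digests of the canonical MAC string
"aa:bb:cc:dd:ee:ff"; the digests in TARGET_HASHES are constructed for this demo.
"""
import glob
import hashlib
import re


def hash_mac(mac: str) -> str:
    """Canonicalise a MAC written in any common notation, then hash it.

    Accepts "AA-BB-CC-DD-EE-FF", "aabb.ccdd.eeff", "AA:BB:CC:DD:EE:FF", etc.
    Normalising first matters: a list keyed on one notation would silently
    miss a host that reports its address in another.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    canonical = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()
    return hashlib.sha256(canonical.encode("ascii")).hexdigest()


# Constructed sample target list: hashes of two made-up MACs. In a real
# investigation these would be recovered from the trojanized updater itself.
TARGET_HASHES = frozenset({
    hash_mac("00:11:22:33:44:55"),
    hash_mac("AA-BB-CC-DD-EE-FF"),
})


def targeted_macs(host_macs, target_hashes=TARGET_HASHES):
    """Return the MACs from host_macs whose hash appears in target_hashes."""
    return [mac for mac in host_macs if hash_mac(mac) in target_hashes]


def local_macs():
    """Best-effort enumeration of this host's interface MACs (Linux sysfs)."""
    macs = []
    for path in glob.glob("/sys/class/net/*/address"):
        with open(path) as fh:
            addr = fh.read().strip()
        if re.fullmatch(r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}", addr):
            macs.append(addr)
    return macs


if __name__ == "__main__":
    hits = targeted_macs(local_macs())
    print("targeted interfaces:", hits or "none")
```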
Kaspersky says that the same techniques were used against software from three other vendors. The company has notified ASUS and the other companies about the attack. Kaspersky suggests that you update the ASUS Live Update Utility if you use it.
Nick Wu, a spokesman for ASUS, said the attacks impacted only several hundred devices. The company has since helped customers fix the problem, patched the vulnerability and updated its servers, ASUS said in a separate statement.