Operation ShadowHammer (Mar 25, 2019)
Kaspersky Lab GReAT researchers have published a report detailing a new supply chain attack dubbed "Operation ShadowHammer." The attack targeted the "ASUS" computer hardware company's "ASUS Live Update" software to distribute malware to thousands of machines. Kaspersky found approximately 57,000 instances of its customers had unwittingly downloaded a backdoor onto their machines via a compromised version of ASUS Live Update. The number of infected machines is likely far higher because Kaspersky only has visibility on users who are using their software. Threat actors were able to compromise an ASUS server responsible for distributing updates some time between June and November 2018. The objective of this attack "was to surgically target an unknown pool of users, which were identified by their network adapters' MAC address. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation." The campaign was not discovered until January 2019 and the largest number of users infected with the malicious update appear to be located in Russia, followed by Germany, France, Italy, and the United States. Researchers believe that this operation may have been conducted by the APT group "BARIUM" due to a previous supply chain attack that distributed a backdoor.
Recommendation: Sophisticated threat actors are willing to go to great lengths to abuse trust relationships in supply chain attacks. Defending against APT threats requires an equally advanced and persistent strategy. Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security, as well as having prevention and detection capabilities in place.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.