Hackers Abuse ASUS Cloud Service To Install Backdoor On Users' PCs (arstechnica.com) 20
An anonymous reader quotes a report from Ars Technica: ASUS' update mechanism has once again been abused to install malware that backdoors PCs, researchers from Eset reported earlier this week. The researchers, who continue to investigate the incident, said they believe the attacks are the result of router-level man-in-the-middle attacks that exploit insecure HTTP connections between end users and ASUS servers, along with incomplete code-signing to validate the authenticity of received files before they're executed. Plead, as the malware is known, is the work of espionage hackers Trend Micro calls the BlackTech Group, which targets government agencies and private organizations in Asia. Last year, the group used legitimate code-signing certificates stolen from router-maker D-Link to cryptographically authenticate itself as trustworthy. Before that, the BlackTech Group used spear-phishing emails and vulnerable routers to serve as command-and-control servers for its malware.
Late last month, Eset researchers noticed the BlackTech Group was using a new and unusual method to sneak Plead onto targets' computers. The backdoor arrived in a file named ASUS Webstorage Upate.exe included in an update from ASUS. An analysis showed infections were being created and executed by AsusWSPanel.exe, which is a legitimate Windows process belonging to, and digitally signed by, ASUS WebStorage. As the name suggests, ASUS WebStorage is a cloud service the computer-maker offers for storing files. Eset published its findings on Tuesday. [...] In all, Eset has counted about 20 computers receiving the malicious ASUS update, but that number includes only company customers. "The real number is probably higher if we consider targets that are not our users," Anton Cherepanov, a senior malware researcher at Eset, told Ars. Once the file is executed, it downloads an image from a different server that contains an encrypted executable file hidden inside. Once decrypted, the malicious executable gets dropped into the Windows Start Menu folder, where it's loaded each time the user logs in. In a blog post, ASUS reported a "WebStorage security incident" that reads: "ASUS Cloud first learned of an incident in late April 2019, when we were contacted by a customer with a security concern. Upon learning of the incident, ASUS Cloud took immediate action to mitigate the attack by shutting down the ASUS WebStorage update server and halting the issuance of all ASUS WebStorage update notifications, thereby effectively stopping the attack.
In response to this attack, ASUS Cloud has revamped the host architecture of the update server and has implemented security measures aimed at strengthening data protection. This will prevent similar attacks in the future. Nevertheless, ASUS Cloud strongly recommends that users of ASUS WebStorage services immediately run a complete virus scan to ensure the integrity of your personal data."
Late last month, Eset researchers noticed the BlackTech Group was using a new and unusual method to sneak Plead onto targets' computers. The backdoor arrived in a file named ASUS Webstorage Upate.exe included in an update from ASUS. An analysis showed infections were being created and executed by AsusWSPanel.exe, which is a legitimate Windows process belonging to, and digitally signed by, ASUS WebStorage. As the name suggests, ASUS WebStorage is a cloud service the computer-maker offers for storing files. Eset published its findings on Tuesday. [...] In all, Eset has counted about 20 computers receiving the malicious ASUS update, but that number includes only company customers. "The real number is probably higher if we consider targets that are not our users," Anton Cherepanov, a senior malware researcher at Eset, told Ars. Once the file is executed, it downloads an image from a different server that contains an encrypted executable file hidden inside. Once decrypted, the malicious executable gets dropped into the Windows Start Menu folder, where it's loaded each time the user logs in. In a blog post, ASUS reported a "WebStorage security incident" that reads: "ASUS Cloud first learned of an incident in late April 2019, when we were contacted by a customer with a security concern. Upon learning of the incident, ASUS Cloud took immediate action to mitigate the attack by shutting down the ASUS WebStorage update server and halting the issuance of all ASUS WebStorage update notifications, thereby effectively stopping the attack.
In response to this attack, ASUS Cloud has revamped the host architecture of the update server and has implemented security measures aimed at strengthening data protection. This will prevent similar attacks in the future. Nevertheless, ASUS Cloud strongly recommends that users of ASUS WebStorage services immediately run a complete virus scan to ensure the integrity of your personal data."
As An ASUS User (Score:3, Interesting)
As an ASUS laptop user, I couldn;t care less. I don;t and won;t use ASUS cloud anything and all ASUS crapware like automatic updaters and remote support tools were removed when the machine was new.
Unbox, wipe install from scratch.
Having said that, I have always liked ASUS equipment and love my laptop.
Re:As An ASUS User (Score:4, Insightful)
I'm sure Asus are bad, but Lenovo, HP, Dell and everyone else load a whole pile of totally useless nonsense on consumer laptops and it is without exception* rubbish.
* I'm sure people will know of the odd one or two that are useful, but nuking from orbit is really the only way to be safe.
BIOS update via HTTP?? (Score:1)
Am I reading this correctly??
That is one serious WTF!
I hope whoever decided this was a good ideas, loses his job.
Windows Update (Score:2, Informative)
Windows updates are delivered via HTTP. Block port 80 outbound and no updates EVAR.
Dell server BIOS are delivered via HTTP and FTP. Supplise mother fuckah!
You see, there's no need to use an encrypted channel to deliver updates. There's nothing special about updates that they need to be shielded from view. But, the updates should be cryptographically signed and the signature should be checked prior to installation.
Re: (Score:1)
Re: (Score:2)
Do you mean this BITS [microsoft.com]? Are you sure about BITS not related to HTTP???