Juha Saarinen: When computer updates turn into Russian roulette

Taiwanese company ASUS was hit by malware through a computer update. Photo / Getty Images

COMMENT:

Once again, users around the world have learned the hard way that you really can't trust anyone, after Taiwanese computer giant ASUS literally updated their computers with malware.

Given the cool-sounding but nonsensical name ShadowHammer, the attack seems to have started around May last year.

It was discovered in January by security vendor Kaspersky, who told Motherboard about the threat affecting ASUS and three unnamed other companies.

More than a million computers were infected with the malware that came from a compromised ASUS update server.

Somehow, the attackers had got hold of two ASUS digital certificates that vouched for the authenticity of the update that allowed the malware to be installed.

The attack was very specific and targeted only 600 machines using a list of interface addresses that are hardcoded into network adapters in computers.

Everyone with the malware on their ASUS computers potentially has a backdoor installed that attackers can use to access their data.

More details on the ShadowHammer attack will be published later but Kaspersky thinks the modus operandi is similar to that employed in the CCleaner information stealer campaign two years ago.

In that attack, two million users' computers were infected by malware that was distributed via a compromised software update. The malware targeted specific companies to steal information from their computers.

Ironically, CCleaner was purchased by security and anti-virus vendor Avast prior to the attack.

Computer users have long known that one or more dodgy updates can cause a malfunction or even brick their gear. That's bad enough, but supply chain attacks that distribute malware really are a nightmare scenario because we've had it hammered into us to apply updates when they're available.

And vendors have pushed users to allow this to happen automatically.

That's how shipping giant Maersk got hit with the NotPetya ransomware and lost hundreds of millions of dollars because of the attack.

The Stuxnet malware that sabotaged Iran's uranium enrichment plant was likewise distributed through official update channels.

ASUS's appears to have handled the issue remarkably badly, first denying to Kaspersky that the attack had happened, and then asking the security vendor to sign a non-disclosure agreement.

This is a really serious problem and ASUS should have pulled out all the stops immediately to deal with it.

Supply chain attacks put even tech-savvy people in a difficult position — do you allow the update and maybe get malware? Or do you hold off and run a system that might not be secure and allow attackers to exploit vulnerabilities on it?

That's difficult to weigh up. Security experts say you should still apply updates but ASUS users will especially feel like unwitting participants in a game of Russian roulette from now on.