This week features a report of a new and more sophisticated backdoor supply chain malware attack emanating from an unsuspecting global computer manufacturer. This malware is described as very sophisticated in targeting of certain computers.

Incorporated within our 2019 Predictions for Industry and Global Supply Chains is a belief that Cyber-risk and information security safeguarding are now mandatory since the threat of such attacks emanating within either B2B supply and customer support networks seems inevitable. This week, there are confirmed reports of yet another different form of such risk, namely, backdoor malware populated within established supply chain and customer service processes.  Information Technology

Multiple web sites including Motherboard and ZD-NET are reporting that researchers from cybersecurity provider Kaspersky Labs have indicated that one of the world’s largest computer manufacturers was unwittingly used as a software distribution conduit for a described malicious backdoor after attackers compromised one of the servers for the company’s live software update tool.

Taiwan based ASUS is a manufacturer of desktop and laptop computers, mobile smartphones and other consumer electronics. The malware, which is now coined Operation ShadowHammer, leverages the computer maker’s Live Update Utility which comes pre-installed on the majority of this company’s computers. The malware file is signed with the computer maker’s legitimate digital certificate to appear as authentic software, according to Kaspersky.  It is being characterized as a; “very sophisticated attack’ which surpasses past backdoor attacks of this kind.

ASUS itself is denying that its servers were compromised, and that the malware came from its software support update network.

The attack was first recognized in January, but it is believed that the campaign took place in 2018 and has potentially compromised a large number of computers. The cyber security firm noted that the attack remained undetected for so long because the software was signed with a legitimate certificates and ASUS computer update domains. Kaspersky identified the attack after adding a new supply-chain detection technology to its scanning software to identify malicious code fragments hidden in legitimate code. Since the finding, security firm Symantec has confirmed the findings of such malware emanating from ASUS updates.

According to these reports, researches are estimating that upwards of one million Windows machines may have received the malicious code although the attackers appear to have been targeting a far lower number of specific systems via their MAC addresses.

The Motherboard report notes that two different, but similar attacks were discovered in 2017 that had the same tendencies for compromising trusted software updates. One of those was the well noted notPetya attack that began in the Ukraine and subsequently infected other computers subject to an update to an accounting software package. That attack cascaded across Europe and nearly crippled the operations of ocean container shipping leader Maersk Lines, and other business entities such as TNT Express.

This latest identified incident seems different in targeted stealth methods and the methodology appear to be far more sophisticated.

Thus, supply chain management and their associated IT support teams need to be cognizant that computer viruses and malware can emanate from other supply chains in the form of embedded software updates which can penetrate existing networks or target specific companies for certain sensitive information.  This latest incident is yet further evidence of the increased sophistication of bad actors.


© Copyright 2019, The Ferrari Consulting and Research Group and the Supply Chain Matters® blog. All rights reserved.