Asus finally issued a statement today (March 26) regarding the hacking of its own firmware-update servers, more than 24 hours after Vice Motherboard and Kaspersky Lab publicly disclosed the issue and nearly two months after Kaspersky Lab notified Asus that its servers had been hacked.
Credit: Roman Arbuzov/Shutterstock
"A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group," a company statement said. "Asus customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed."
At least 70,000 Asus devices have been infected with the corrupted Asus firmware, as documented by Kaspersky Lab and Symantec, which got the numbers from PCs running those companies' own antivirus software. Kaspersky Lab researchers estimate a million Asus computers worldwide may have been infected, which is arguably not a small number.
Asus said in its press release that it has taken steps to beef up its update-process security, but it made no mention of how the attackers -- thought to be a Chinese-speaking hacker crew with ties to the Chinese government -- managed to break into Asus' servers and steal Asus digital signing certificates that validated the malware as legitimate.
"Asus has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism," the press statement said. "At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future."
Between June and November 2018, the malware was delivered to Asus computers worldwide directly from Asus' own firmware-update services. The malware creates a "backdoor" that lets more malware be downloaded and installed without user authorization.
However, the malware lies dormant on almost all systems, activating only on specifically targeted individual PCs whose MAC addresses -- unique identifiers for each network port -- match those on hardcoded lists built right into the malware.
Kaspersky researchers identified about 600 MAC addresses on the hit lists, which is indeed a "small user group." But the specifics are still unclear, as we don't know who exactly the malware targets, or how the attackers got into Asus's update servers.
Asus also released a "security diagnostic tool to check for affected systems" that can be downloaded at https://dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/ASUSDiagnosticTool/ASDT_v220.127.116.11.zip (opens in new tab).
That complements a Kaspersky Lab tool that checks for the presence of the malware, and a Kaspersky Lab webpage (opens in new tab) where you can check to see whether any of your Asus PC's network MAC addresses are on the malware's hit list.
Kaspersky researchers said they notified Asus of the issue on Jan. 31, but told Motherboard's Kim Zetter that Asus initially denied that its servers had been hacked.