Political Parties, Risk and Degrees of Attacks
This week saw reports that devices running ASUS’ “Live Update” tool may have had malware delivered to them instead of updates. In this briefing, we will take a look at the lax security practices often found at even large organizations, at why supply chain attacks are virtually impossible for end-users to prevent, and at why blaming breaches on Advanced Persistent Threats (APTs) is at best, a shaky defense.
Through so far unknown means, attackers were able to place malicious files onto ASUS’ update servers at some point before June 2018. The malicious files were then downloaded and executed by the ASUS Live Update software, which handles routine updates of ASUS related software. Normally such attacks should be prevented by techniques known as code-signing. Unfortunately the attackers appear to have taken control of an ASUS private key and abused it to apply a valid signature to their malware. Security vendors Kaspersky and Symantec state that hundreds of thousands of users were affected while ASUS states that only a small number of users were targeted. Both are technically correct.
Why the discrepancy in numbers?
Kaspersky and Symantec appear to be counting the number of users onto who’s computers the ASUS Live Update software downloaded and installed the malicious file. Since this process was automated, it affected a large number of victims. However, the malware then largely remained inactive. It appears to have been programmed to download further malicious code only if it identified (through MAC addresses) the device to be one of roughly 600 target devices. It appears that no samples of the actual payload have yet been captured.
As such, both sides are technically correct. The malware was downloaded onto likely hundreds of thousands of devices but the actual malicious payload only affected - at most - a few hundred machines.
If it only affects 600 machines, how is this important?
This breach is critical for several reasons.
Firstly, in theory nothing would have stopped the attackers from replacing the relatively benign malware with something much more malicious. If someone broke into a bank vault without the bank owners noticing for half a year, no-one would argue that there is no problem if only $600 were stolen. It is the breach - and not the effect - that matters from both a legal and practical perspective. The theft of a code-signing key and placement of malware on update servers can justifiably be compared to the theft of a vault key and subsequent break-in.
Secondly, this attack represents what is commonly known as a supply chain attack. Attackers hijacked a critical piece of infrastructure used by a vendor to deliver its product to the customer. From a customer’s perspective, there is no way to defend against such attacks short of fully distrusting all vendors and building their own software and hardware. This is - of course - not practically possible. Supply chain attacks are still somewhat rare, but we foresee their frequency to increase over the coming decade.
Was this an advanced persistent threat (APT)?
Looking at the data available at the time of publishing, it is very likely that the attackers could be classified as APTs. However this is less of a defense than ASUS appears to believe.
The reason we classify the attackers as APTs is due to their very limited attack scope. They used a vulnerability that could have potentially infected millions of devices in order to potentially infect 600. These were not run-off-the-mill criminals but rather attackers with a specific goal and - supposedly - ample funding.
However vendors like to classify attackers as APTs since it implies that highly advanced - and subsequently hard to defend against - techniques were employed in the attack. The public and media are naturally more willing to forgive a breach caused by a highly advanced state actor drawing on a multi-million dollar research budget than a breach caused by a 16-year-old with rudimentary security skills. The latter implies much more negligence on the breached party’s side.
However, reports published in the days following the attack imply that security at ASUS was all but high. According to TechCrunch, the company leaked employee passwords on code-hosting platform GitHub that allowed access to internal testing and deployment systems. While such leaks are notoriously hard to prevent, most large organizations have taken steps to catch them quickly and automatically. ASUS however was informed by an independent security researcher.
While the threat actor may have been an APT, it appears that ASUS’ security was lax enough to make the point moot. APTs are defined by their funding and targeting, not necessarily by their sophistication.
Supply chain attacks are notoriously hard for end-users to defend against since trust in vendors is required to some degree for practical use of IT hardware.
Attacks must be evaluated by the scope of the breach and access gained and not by the scope of the victims chosen by the attackers.