ASUS' update mechanism has once again been abused to install malware that backdoors PCs, researchers from Eset reported earlier this week. The researchers, who continue to investigate the incident, said they believe the attacks are the result of router-level man-in-the-middle attacks that exploit insecure HTTP connections between end users and ASUS servers, combined with the updater's failure to check the code signature of received files before executing them.

Plead, as the malware is known, is the work of espionage hackers Trend Micro calls the BlackTech Group, which targets government agencies and private organizations in Asia. Last year, the group used legitimate code-signing certificates stolen from router-maker D-Link to cryptographically authenticate itself as trustworthy. Before that, the BlackTech Group used spear-phishing emails and vulnerable routers to serve as command-and-control servers for its malware.

Late last month, Eset researchers noticed the BlackTech Group was using a new and unusual method to sneak Plead onto targets' computers. The backdoor arrived in a file named ASUS Webstorage Upate.exe included in an update from ASUS. An analysis showed infections were being created and executed by AsusWSPanel.exe, which is a legitimate Windows process belonging to, and digitally signed by, ASUS WebStorage. As the name suggests, ASUS WebStorage is a cloud service the computer-maker offers for storing files.

The abuse of the legitimate AsusWSPanel.exe raised the possibility the computer-maker had fallen to yet another supply-chain attack that was hijacking its update process to install backdoors on end-user computers. Eventually, Eset researchers discounted that theory for three reasons:

- The same suspected update mechanism was also delivering legitimate ASUS WebStorage binaries
- There was no evidence ASUS WebStorage servers were being used as control servers or served malicious binaries, and
- The attackers used standalone malware files instead of incorporating their malicious wares inside ASUS's legitimate software

As the researchers considered alternative scenarios, they noted that ASUS WebStorage software is susceptible to man-in-the-middle attacks, in which attackers controlling a connection tamper with the data passing through it. The researchers made this determination because updates are requested and transferred over unencrypted HTTP, rather than HTTPS, which would let the client authenticate the server and detect tampering in transit. The researchers further noticed that the ASUS software didn't validate the authenticity of the downloaded file before executing it. That left open the possibility the BlackTech Group was intercepting ASUS' update process and using it to push Plead instead of the legitimate ASUS file.

The researchers also observed that most of the organizations that received the Plead file from ASUS WebStorage were using routers made by the same manufacturer. The routers, which Eset declined to identify while it's still investigating the case, have administrator panels that are Internet accessible. That left open the possibility the MitM attack was being carried out through malicious DNS settings pushed to the routers, or something more complex, such as tampering with iptables.

Eset's working theory then shifted from the BlackTech Group breaching ASUS' network and performing a supply-chain attack to the attackers performing a MitM attack on ASUS' insecure update mechanism.
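The two weaknesses Eset identified, cleartext transport and no signature check on the downloaded file, are exactly what an on-path attacker (a hijacked router, a poisoned resolver) needs. The following added example, which is not code from Eset, ASUS, or the article, models a vulnerable update client beside a hardened one in Go. It does not reproduce ASUS WebStorage's real update protocol or file format; the `Update` struct, the `signUpdate`/`tamper` helpers, the hostname `update.example.invalid`, and the use of an ed25519 release key pinned in the client are all assumptions chosen for the illustration. The payload strings are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// Update is a fetched update package: the binary plus the detached signature a
// signature-aware update server would publish alongside it. This is a constructed
// model for the example, not ASUS WebStorage's real format.
type Update struct {
	Body []byte
	Sig  []byte
}

// vulnerableInstall models the behaviour Eset described: whatever the HTTP
// response body contains is handed straight to execution. Neither the transport
// nor the contents are authenticated, so anyone on the path (a hijacked router,
// a poisoned resolver) can substitute the payload.
func vulnerableInstall(updateURL string, u Update) ([]byte, error) {
	_ = updateURL // the scheme is never inspected; http:// is accepted as-is
	return u.Body, nil
}

// hardenedInstall refuses cleartext transport and accepts the binary only if an
// ed25519 signature over SHA-256(body) verifies against a key pinned in the
// client at build time. TLS alone is not enough: a compromised mirror or CDN
// still presents a valid HTTPS session, so the signature check is what ties the
// payload to the vendor's release key rather than to the delivery channel.
func hardenedInstall(updateURL string, u Update, pinned ed25519.PublicKey) ([]byte, error) {
	parsed, err := url.Parse(updateURL)
	if err != nil {
		return nil, err
	}
	if parsed.Scheme != "https" {
		return nil, errors.New("refusing cleartext update channel: " + parsed.Scheme)
	}
	if len(u.Sig) != ed25519.SignatureSize {
		return nil, errors.New("update is missing a detached signature")
	}
	digest := sha256.Sum256(u.Body)
	if !ed25519.Verify(pinned, digest[:], u.Sig) {
		return nil, errors.New("update signature does not verify against pinned release key")
	}
	return u.Body, nil
}

// signUpdate is the vendor-side step: sign SHA-256(body) with the release key.
func signUpdate(priv ed25519.PrivateKey, body []byte) Update {
	digest := sha256.Sum256(body)
	return Update{Body: body, Sig: ed25519.Sign(priv, digest[:])}
}

// tamper models an on-path attacker swapping the body while leaving the
// vendor's signature, which it cannot forge, untouched.
func tamper(u Update, newBody []byte) Update {
	return Update{Body: newBody, Sig: append([]byte(nil), u.Sig...)}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	legit := []byte("constructed: legitimate WebStorage panel update")
	backdoor := []byte("constructed: standalone Plead backdoor")

	genuine := signUpdate(priv, legit)
	swapped := tamper(genuine, backdoor)

	body, _ := vulnerableInstall("http://update.example.invalid/panel", swapped)
	fmt.Printf("vulnerable client runs: %q\n", body)

	_, err = hardenedInstall("https://update.example.invalid/panel", swapped, pub)
	fmt.Println("hardened client, swapped body:", err)

	_, err = hardenedInstall("http://update.example.invalid/panel", genuine, pub)
	fmt.Println("hardened client, cleartext URL:", err)

	body, err = hardenedInstall("https://update.example.invalid/panel", genuine, pub)
	fmt.Printf("hardened client, genuine update: %q err=%v\n", body, err)
}
```

The hardened path deliberately checks two independent things. The scheme check defeats the router-level interception the article describes, since a plain-HTTP fetch gives the attacker the body for free; the pinned-key signature check defeats the case where the attacker controls the server end of an otherwise valid TLS session, and it also rejects a payload signed with a key that is merely valid (as the stolen D-Link certificates were) but is not the pinned release key.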