Kaspersky Lab estimates that the attack could have affected more than a million users.
The researchers discovered the attack in January, after hackers took over the Asus Live Update Utility to quietly install malware on devices. The hack was first reported by Motherboard.
The hack, which Kaspersky Lab is calling Operation ShadowHammer, went on between June and November 2018. Kaspersky Lab found that it affected more than 57,000 people using its products.
The Russia-based cybersecurity company was only able to find those numbers for its own users, and estimates that the malware could affect more than a million Asus owners worldwide. The update tool is preinstalled on the majority of new Asus devices.
The attackers were able to infect devices without raising red flags because they used Asus’ legitimate security certificate, which was hosted on the computer manufacturer’s servers.
Asus is a Taiwan-based computer company, and one of the top consumer notebook vendors in the world, with millions of laptops worldwide. The company did not respond to a request for comment.
“The selected vendors are extremely attractive targets for APT [advanced persistent threat] groups that might want to take advantage of their vast customer base,” Vitaly Kamluk, director of Kaspersky Lab’s Global Research and Analysis Team, said in a statement.
Malware can arrive on your devices in a lot of ways: by downloading a file from an email, by opening a PDF you shouldn’t have, or through browser-based attacks.
The hack on Asus’ automatic update tool points to another kind of concern, in which people have to be worried about patches from the source itself as hackers seek to exploit a trusted relationship. Supply chain attacks are not new: In 2017, the popular software tool CCleaner was hijacked to install malware on millions of computers.
Distrust in automatic updates leads to another kind of threat, as many companies often rely on people to patch their devices to defend against new malware. The majority of computers infected with the WannaCry ransomware, for instance, were hit because they didn’t install a security update issued in 2017.
While it was capable of attacking millions, the malware had a specific set of targets, researchers found. Once it was installed, the backdoor checked the device’s MAC address. If it matched one of the hackers’ targets, it then installed another set of malware, researchers said.
Kaspersky Lab researchers said they identified more than 600 MAC addresses, and released a tool for people to check whether they were targeted by the attack. The cybersecurity company said it’s notified Asus, and the investigation is ongoing.