Malware

Hackers install backdoor on Asus computers using company update

Threat actors have compromised the update mechanism of technology manufacturer Asus to install malware that opens a backdoor on affected computers. According to web application security testing experts, this was achieved through a Man-in-the-Middle (MitM) attack campaign against routers, exploiting unsecured HTTP connections between Asus computer users and company servers.

This malware, known as Plead, was developed by a group of hackers specializing in cyber-espionage that the cybersecurity community has identified as the BlackTech Group; this group mainly attacks private companies and government agencies in Asia.

According to experts, on previous occasions this group has attacked companies like D-Link through phishing emails and compromised routers, using the routers as command and control servers to deploy their malware.

This time, web application security testing experts discovered that BlackTech developed a new method for deploying Plead on target systems. Attackers abused a file called ASUS webstorage Upate.exe, delivered as part of a company update. After an investigation, the experts determined that the infections were created and executed from this location, taking advantage of legitimate Windows processes and Asus digital signatures.

Experts found that the Asus WebStorage software is vulnerable to MitM attacks (where hackers take control of data transmitted over a connection) because it uses unencrypted HTTP connections rather than HTTPS connections, which protect against this attack variant by default. In addition, the updater does not verify the authenticity of the software before running it, so attackers who intercept the connection can substitute the malware for the company's files and have it executed by a legitimate system process.
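The two weaknesses described above (plain HTTP transport and no authenticity check before execution) can be shown side by side in a small simulation. This is an added example written for this page, not code from Asus or from the researchers; the "network" is an in-memory stand-in, the payload bytes are constructed, and the signature scheme is a deliberately tiny textbook RSA (hypothetical key, far too small for real use) chosen only so the block runs offline with the standard library.

```python
"""Update-client weakness vs. hardened update client (constructed example).

`vulnerable_update` mirrors the described behaviour: fetch over whatever
scheme it is given and run the bytes that arrive.  `hardened_update`
refuses non-HTTPS URLs and verifies a publisher signature over the payload
before running anything.  All payloads and keys here are constructed.
"""
import hashlib
from typing import Tuple
from urllib.parse import urlparse

# --- toy publisher key (constructed; not a real vendor key) ---
P, Q = 1000003, 999983            # small primes, demo only
N = P * Q                          # public modulus
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def _digest_int(data: bytes) -> int:
    """Reduce the SHA-256 digest of the payload into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:
    """Publisher side: sign the update payload with the private key."""
    return pow(_digest_int(data), D, N)


def verify(data: bytes, sig: int) -> bool:
    """Client side: check the signature with the public key (N, E)."""
    return pow(sig, E, N) == _digest_int(data)


# Constructed stand-ins for the real update binary and for a swapped payload.
GENUINE = b"MZ genuine vendor update (constructed)"
GENUINE_SIG = sign(GENUINE)
SWAPPED = b"MZ payload substituted by an on-path attacker (constructed)"


def fetch(url: str, on_path_attacker: bool) -> Tuple[bytes, int]:
    """Simulated download.  Over plain HTTP an on-path attacker can replace
    the body (and can only replay the signature that accompanied the real
    file); over HTTPS the substitution is not possible in this model."""
    if urlparse(url).scheme == "http" and on_path_attacker:
        return SWAPPED, GENUINE_SIG
    return GENUINE, GENUINE_SIG


def run(payload: bytes) -> str:
    """Stand-in for executing the downloaded file; reports what would run."""
    return "genuine" if payload == GENUINE else "swapped"


def vulnerable_update(url: str, on_path_attacker: bool = False) -> str:
    """The weak pattern: no transport requirement, no authenticity check."""
    payload, _sig = fetch(url, on_path_attacker)
    return run(payload)


def hardened_update(url: str, on_path_attacker: bool = False) -> str:
    """Require HTTPS and a valid publisher signature before executing."""
    if urlparse(url).scheme != "https":
        raise ValueError("update must be downloaded over HTTPS")
    payload, sig = fetch(url, on_path_attacker)
    if not verify(payload, sig):
        raise ValueError("signature check failed; refusing to run update")
    return run(payload)


if __name__ == "__main__":
    # Hypothetical URLs; the host is a placeholder.
    print(vulnerable_update("http://update.example/Update.exe", True))   # swapped
    print(hardened_update("https://update.example/Update.exe"))          # genuine
    print(verify(SWAPPED, GENUINE_SIG))                                   # False
```

The signature check matters independently of the transport: even if an attacker managed to downgrade or intercept the connection, a payload that was not signed by the publisher fails `verify` and is never executed. On a real Windows deployment the equivalent checks are an HTTPS-only update URL with certificate validation and Authenticode verification of the downloaded file against the expected publisher before it is launched.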

In response to the incident, Asus Cloud redesigned the architecture of its update server and implemented additional protections to secure the system's sensitive data. However, web application security testing specialists from the International Institute of Cyber Security (IICS) recommend that users of the compromised machines run an antivirus scan to confirm that the hackers have not accessed their confidential information.
