The malware was distributed through Asus’ own tool, and was signed with a valid certificate…
An article review.
When it comes to avoiding malware and other internet attacks, most users know you should avoid downloading files from unknown sources—but a recent attack targeting Asus customers is a reminder that sometimes even that may not be enough to protect you. The attack, described in an article submitted by our own Chris Dietrich, utilized Asus’ own LiveUpdate tool to distribute an infected software update…and the update was even signed with a valid Asus digital signature.
The good news is that the attack on Asus customers wasn’t as broad—or as devastating—as it could have been, with experts believing that only about 600 people were targeted specifically by the perpetrators. While the targeted nature of the attack may have some breathing easier, there’s nothing stopping future attacks from being more widespread, and when it comes to mitigation there may not be an easy solution.
Some level of trust is necessary for software patches and updates to be distributed in the first place, and if a manufacturer’s supply chain has been compromised (including their digital signatures) there may be no way for an end user to determine that an update is malicious. One strategy could be to hold any new updates for a period of time, but even that can be problematic when various software packages now update themselves without user input—and some don’t even allow for these updates to be stopped.
As frightening as the threat may be, the risk of a supply chain attack happening–thankfully–remains relatively low. It may be difficult to prevent a properly signed update containing malware from being sent, but the risk can be mitigated somewhat by policies that call for the review of patches and other updates before installation…and which prevent end users from updating software on their own!
Original article by Lily Hay Newman writing for Wired.