Asus Malware Highlights The Risk of Supply Chain Attacks
The malware was distributed through Asus’ own tool, and was signed with a valid certificate…
An article review.
When it comes to avoiding malware and other internet attacks, most users know you should avoid downloading files from unknown sources—but a recent attack targeting Asus customers is a reminder that sometimes even that may not be enough to protect you. The attack, described in an article submitted by our own Chris Dietrich, utilized Asus’ own LiveUpdate tool to distribute an infected software update…and the update was even signed with a valid Asus digital signature.
The good news is that the attack on Asus customers wasn’t as broad—or as devastating—as it could have been, with experts believing that only about 600 people were targeted specifically by the perpetrators. While the targeted nature of the attack may have some breathing easier, there’s nothing stopping future attacks from being more widespread, and when it comes to mitigation there may not be an easy solution.
Some level of trust is necessary for software patches and updates to be distributed in the first place, and if a manufacturer’s supply chain has been compromised (including their digital signatures) there may be no way for an end user to determine that an update is malicious. One strategy could be to hold any new updates for a period of time, but even that can be problematic when various software packages now update themselves without user input—and some don’t even allow for these updates to be stopped.
As frightening as the threat may be, the risk of a supply chain attack happening–thankfully–remains relatively low. It may be difficult to prevent a properly signed update containing malware from being sent, but the risk can be mitigated somewhat by policies that call for the review of patches and other updates before installation…and which prevent end users from updating software on their own!
Original article by Lily Hay Newman writing for Wired.
Leave a comment
For the first time, a data breach has triggered a financial downgrade… An article rev Read more
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governan Read more
A new generation of interns may open organizations up to new risks… An article review Read more
Another awareness poster for YOUR customers (and users). Now that we have our own em Read more
Years after patches were released, many systems remain vulnerable… An article review. Read more