Hackers Attack Asus Computers Using Routine Software Update

Allen St. John

Consumer Reports has no financial relationship with advertisers on this site.


A highly sophisticated cyberattack designed to look like a routine software update from the manufacturer Asus misled more than 57,000 consumers into installing malware that granted "backdoor" access to their computers, says Russia-based security company Kaspersky Lab.  

The exploit, named Operation ShadowHammer, was discovered by Kaspersky in late January and reported by the tech publication Motherboard today. The hackers used a software update tool housed on an official Asus server and a genuine Asus certificate to push the malware out to about 1 million device owners, mostly in Russia.

Asus has yet to respond to requests from Consumer Reports, Kaspersky, and others with information on how people can identify and remove the ShadowHammer threat from a computer.

"To a user, this appeared to be a legitimate software update," says Costin Raiu, director of the global research and analysis team at Kaspersky. "This is a very difficult attack for the average consumer to detect."

"It's a deeply insidious attack," adds Brian Vecci, field CTO of the security firm Varonis. "The hackers got into the supply chain and tricked Asus into delivering the malware directly. The onus is on the manufacturer to lock this down."

Privacy and security advocates explain that attacks of this kind are especially troubling because they leave consumers wondering whether they should trust software updates in the future.

"Companies like Asus need to take whatever security measures are necessary to make sure this can't happen again," says Katie McInnis, policy counsel for Consumer Reports. "The fact that Asus still has no guidance for customers almost two months after learning of this attack is very concerning."

What You Can Do

According to security experts, the ShadowHammer attack is unusual in other ways. Kaspersky confirmed that tens of thousands of machines, mostly located in Russia, have been affected. But, once installed, the malware uses the backdoor access to "surgically target" computers that have one of 600 MAC addresses, delivering additional malware to them, Kaspersky reported in a blog post.

Kaspersky has created a tool to help consumers determine if they own one of those computers. You simply download the app and double-click on it. (We gave it a try on an Asus laptop in our labs and learned that the computer is not among the 600 impacted.)

To be safe, Kaspersky also advises people to make certain they have the most recent version of Asus Live Update installed on their devices. To do that, visit asus.com/support, click on the Enter Download Center button, and search for the computer model in the drop-down menu. That will take you to a support page, where you can download the latest Live Update software.   

Consumer Reports has long advised consumers that installing regular software updates is one of the best ways to protect their devices and data, and, despite the compromised update used in this exploit, that advice holds true.

"The risk of making your machine vulnerable to all kinds of malware by not installing an update is much higher than the chance of becoming the victim of an attack disguised as an update," says Maria Rerecich, senior director of product testing for Consumer Reports.

If you use security software from a service such as Kaspersky, McAfee, or Symantec to protect your computer, this would be a good time to update that, too, she adds.

This isn't the first time that a security glitch involving Asus has left consumers vulnerable. In 2016, the company signed a consent decree with the FTC after "critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk," according to an FTC press release.

"In many instances, ASUS did not address security flaws in a timely manner and did not notify consumers about the risks posed by the vulnerable routers," the FTC added.


Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2019, Consumer Reports, Inc.