Tag Archives: Asus

Responding to the Asus Live Update Supply Chain Compromise

Earlier last week the security vendor Kaspersky detailed their initial findings from the compromised supply chain of the Taiwanese hardware vendor Asus.

TL DR: If you own or use any Asus laptop or desktop system, please check if your device is affected using the downloadable tool from Kaspersky (which checks the MAC address (defined) of your network card). If you know how to obtain the MAC address of your network card manually you can use the online tool. This is the link for both tools: https://securelist.com/operation-shadowhammer/89992/

If you are affected, contact Kaspersky, contact Asus or use the anti-malware tools to try attempt removal of the backdoor (defined) yourself.

When did this attack take place and what was affected?
This incident took place from June to November 2018 and was initially thought to have affected approximately 60,000 users. This number was later revised to possibly affecting just over a million users. While primarily users in Asia and Russia were targeted; a graph of victim’s distribution by country shows users within South America, Europe and the US. It was later disclosed that mainly Asus laptops were affected by this incident.

What Asus infrastructure was affected?
An older version of the Asus Live Update utility was compromised by unknown attackers so that it would inject a backdoor within the Asus Live Update utility when it was running. The compromised Asus Live Update utility was signed with an older but still legitimate Asus digital signature. The compromised Asus utility was available for download from two official Asus servers.

What were the attacker’s intentions?
Unfortunately, even after extensive analysis it is unknown why the attackers targeted their chosen victim systems or what their eventual goal was. The backdoor would have likely allowed the attackers to steal files of their choice, remote control the system (if the second stage had been installed) and deploy compromised updates to systems which in the case of a UEFI update may have rendered the system unbootable.

It appears the goal of the attackers was to target approximately 600 systems of interest to them with the initial intention to carry the above-mentioned actions. We know it is approximately 600 systems since upon installation the malware would check if the system had a MAC address of interest; if yes it would install the stage 2 download (which unfortunately Kaspersky was unable to obtain a sample of). The server which hosted the stage 2 download was taken offline in November 2018 before Kaspersky became aware of this attack.

If the system was not of interest, the backdoor would simply stay dormant on the system. It’s unclear how the attackers may choose to leverage this in the future (assuming it remains intact on a system which installed the compromised utility).

Do we know who is responsible?
It is not possible to determine with absolute certainty who these attackers were but it is believed it is the same perpetrators as that of the ShadowPad incident of 2017. Microsoft identifies this advanced persistent threat (APT) (defined) group with the designation of BARIUM (who previously made use of the Winnti backdoor).

How have Asus responded to this threat?
Initially when Kaspersky contacted Asus on the 31st of January 2019 Asus denied their servers were compromised. Separately a Kaspersky employee met with Asus in person on the 14th of February 2019. However, Asus remained largely until earlier this week.

On the 26th of March Asus published a notice which contains an FAQ. They issued an updated version (3.6.8) of the Asus Live Update utility. Additionally, they have “introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future”.

They have also made available a utility to check if your system was affected. It is downloadable from the above linked to notice.

How can I remove the backdoor from my system if I installed the compromised Asus utility?
While Asus in their announcement recommends a full backup and full reset of your system; for some that may not be a preferred choice. If you use Kaspersky security suite it will very likely easily remove it since they were the first to detect it.

Please which ever approach is more convenient for you.

If you want to leave your system as it is:
I would first recommend a scan of your system with your current anti-malware product. I would then recommend using free anti-malware scanners such as RogueKiller, AdwCleaner and PowerEraser since they use cloud based forensic analysis and compare known safe files on your system with VirusTotal to check if any file has been tampered with or is new/suspicious. It is very unlikely the backdoor could hide from all of these utilities. Yes, this is overkill but will ensure a thorough check.

A link to full original story of this malware is available here.

You use an Asus system; how were you affected?
Since my high-end Core i9 7980 Extreme desktop uses an Asus desktop motherboard (ROG Rampage VI Apex); I ran the Asus utility to check my system; It displayed the message “Only for Asus systems” before closing. I’ll make an educated guess and assume that since the threat mainly affects laptops running this tool on a desktop system resulted in this message.

The offline and online tools from Kaspersky showed no issues with my system. I wasn’t surprised since I don’t use the Asus Live Update utility. Their drivers are available manually from their website and that’s how I stay updated.

I upload every downloaded file for my system to VirusTotal, verify the checksums and digital signatures, use two reputation based scanners on new downloads and have application whitelisting enabled. In summary; my system will be more difficult to compromise.

Thank you.

Asus and Gigabyte Software Flaws Unresolved

=======================
Update: 31st January 2019
=======================
In a follow up to this post; I realized that software installed within my Windows 10 Pro for Workstations system (Version 1803) may be vulnerable to similar issues as the Asus and Gigabyte software.

The software; Creative Sound Blaster Connect for Windows v2.0.0.28)(June 2018) is installed on my system and controls (among other features) the LED lights of my dedicated sound card Sound BlasterX AE-5 Pure edition. The lights are installed on the card and via an extended magnetic chain of 40 LED lights.

This software has the ability to connect to the internet in order to install updates from Creative. In an effort to check if this functionality could be abused to access the software; I took the basic steps of scanning the ports listed within the attached document using Nmap (using another system located on my local network (LAN)). I also checked if these ports were accessible via the internet from outside of my network by probing specific ports (User Specified Custom Port Probe) using the free ShieldsUp service from Grc.com):

The Nmap scans were only the following basic scans:

=======================
TCP Connect Scan:
nmap -sT
=======================
Stealth Scan (TCP SYN Scan):
nmap -sS
=======================
UDP Scan (where applicable):
-sU
=======================
TCP ACK Scan:
nmap -sA
=======================

The results were; none of the ports were accessible via my local network or via the internet thanks to the software firewall (bundled with my anti-malware software). The firewall gracefully handled each scan and blocked it while only logging the event rather than displaying a notification.

To further harden the Creative software from possible attack I chose to enable Microsoft’s Windows Defender Exploit Guard. I have attached a table (see link “Creative Processes and Ports” below) of the necessary running processes of the Creative software and which of the memory protections I was able to turn on; in short almost all of them. Windows Defender Exploit Guard is the successor to EMET (originally made available by Microsoft in 2010. Support ended for EMET on the 31st July 2018:

Since my Windows 10 system is fully up to date and I don’t link on links within emails or open suspicious attachments (in addition to using application white listing). Moreover; the software can’t be accessed via the internet or via my local network and now has many layers of in memory defenses enabled the likelihood of any vulnerabilities within the Creative software being exploited is minimized. If a rogue update is downloaded via the internet; it can’t run since only updates digitally signed by Creative are enabled to run (due to the whitelisting mentioned earlier).

While all of the above may be considered an “overreaction”; while exploits against such software are still yet to be seen in the wild; it never hurts to be prepared for the future. In addition, I don’t wish for the seemingly innocuous technology of LED lights being used to compromise my system.

Thank you.

Creative Processes and Ports

=======================
Original Post:
=======================
In mid-December security researchers from SecureAuth disclosed local elevation of privilege and code execution vulnerabilities within software and drivers (defined) from hardware vendors Asus and Gigabyte.

What is the severity and impact of these vulnerabilities?
=======================
ASUS Aura Sync v1.07.22 and previous versions:
=======================
For the Asus Aura Sync software; two vulnerable drivers are installed and have the potential to allow local code execution by an attacker.

There are three vulnerabilities within this software:

CVE-2018-18535: affects the Asusgio driver by leaving an exposed read/write method available for model specific registers (MSRs)(defined). This weakness can be leveraged to execute arbitrary code with System level (defined)(ring 0) privileges. Diego Juarez, the security researcher who discovered these vulnerabilities; created proof of concept code to allow insecure access to the MSRs via a stray kernel (defined) function pointer (defined) allowing the bypass of kernel address space layout randomization (KASLR)(defined) which results in a denial of service (DoS) condition in the form of a Blue Screen of Death (BSoD). This would have medium to high impact depending on the criticality of the system that is rendered temporarily unavailable by the BSoD.

CVE-2018-18536: the proof of concept for this vulnerability results in the system rebooting. This was achieved by utilizing the ability to read and write data to IO ports using the GLCKIo and Asusgion drivers. This ability can be used to run code of your choice with elevated privileges. This would have a high to critical severity since any code of the attackers choice could be leveraged for a purpose of their choosing.

CVE-2018-18537: can be used to trigger a system crash. This is achieved by writing 32 bits of data (DWORD)(explanation) to an address of an attackers choice. This can corrupt data and lead to unexpected behavior such as a crash. This would have a low to high depending upon the type of data that became corrupted.

=======================
Gigabyte App Center v1.05.21 and previous
Aorus Graphics Engine v1.33 and previous
Xtreme Gaming Engine v1.25 and previous
OC Guru II v2.08
=======================
CVE-2018-19320: has the potential to grant the attacker full access to the affected system and is thus medium to high in severity. The proof of concept for this is the same as for CVE-2018-18537 (above). CVE-2018-19322 is very similar to CVE-2018-18636 described above. CVE-2018-19323 is again very similar to CVE-2018-18535 already described above.

Finally CVE-2018-19321 could place an attacker in complete control of the victim system upon exploiting drivers within the Gigabyte App Center; Aorus Graphics Engine, Xtreme Gaming Engine or OC Guru (version numbers listed above). The proof of concept provided crashed the system but would be of medium to high severity due to the potential for further malicious action.

How can I protect my organization or myself from these vulnerabilities?
As per the Asus and Gigabyte advisories; only Asus fixed one of the disclosed vulnerabilities. If you use any of the above affected software, please update it to the most recent version available. In addition; exercise standard caution regarding handling emails, email attachments and the clicking of links (no matter in what form you receive such links). These vulnerabilities are all locally exploitable and thus require you to take an action out of the ordinary to harm your system.

The fact that neither company responded effectively is a concern; especially given how widely used these software applications are across the many hardware products both vendors sell to organisations and individuals.

The relevant advisories from SecureAuth are linked to here (Asus) and here (Gigabyte).

Why am I highlighting the vulnerabilities in these software packages?
I am highlighting these vulnerabilities since they re-demonstrate that any software installed on a system can contain vulnerabilities not just internet facing or widely used applications (making these Asus and Gigabyte applications a lot less likely to be updated by end-users). While this software may be considered innocuous (since it does not directly access the internet (except in the case to check for updates)) and is not used to open files/documents; given the low-level drivers the software uses; they still have the potential to provide an attacker with a means for malicious action.

I am aware of the availability of the Asus Aura Sync software since it is offered as a download for my Asus Rampage VI motherboard. I have not installed it since the motherboard LEDs already work (due to the UEFI firmware controlling them) to my satisfaction without software. Thus I chose not to install the software since I didn’t need it. While my system isn’t affected since the Asus software is not installed; it’s a concern that widely used applications are not being patched.

While I can acknowledge Gigabyte stating it is a hardware company; clearly the drivers and software it distributes to use and optimize/customize those products requires some maintenance from time to time; especially in the case where a vulnerability notification is provided. While Asus resolved one vulnerability it did not resolve the remaining two even when it too was provided with the necessary technical details.

Thank you.

VPNFilter: Overview and removal

====================
Update: 24th October 2018:
====================
Researchers from Cisco’s Talos team have discovered further capabilities of this malware. As detailed below the 3rd stage of the malware features:

Provides plugins for the RAT (defined below in the original post) to extend its functionality.

However, the team was able to determine the following extra capabilities:

  1. Packet sniffing (obtain information from passing data packets (defined) on a network connection)
  2. JavaScript (defined) injection used to deliver exploit (a small piece of software used to trigger a known vulnerability to the advantage of an attacker) to a compromised device (most likely a router).
  3. Encrypted tunnelling (defined) to hide data the malware steals as well as the existing command and control data traffic.
  4. Creating network maps (defined)
  5. Remote connection/administration via SSH (Secure Shell)(defined)
  6. Port forwarding (defined)
  7. Create SOCK5 (defined) proxies (defined)
  8. DDoS (defined)

The good news about this malware is that from the Talos team’s research it does not appear that any malware samples remain active. However; they caution it is not possible to assume that this malware has finished its malicious actions and the possibility of its return remains.

Thank you.

====================
Update: 20th June 2018:
====================
If you would prefer a video or a podcast of how to remove this malware from your router, this Sophos blog post provides links to both. The video is hosted on Facebook but a Facebook account isn’t required to view it. Sophos also provide an archive of previous videos on the same Facebook page.

Thank you.

====================
Update: 6th June 2018:
====================
The Cisco Talos team have provided an updated list of known affected routers. I have added these to the list below with “(new)” indicating a new device on the existing list. I have also updated the malware removal advice to provide easier to follow steps.

Thank you.

====================
Original Post:
====================
In late May; a strain of malware known as VPNFilter affecting routers from the vendors listed below was publicly disclosed by the Cisco Talos team:

Affected vendors:
Asus RT-AC66U (new)
Asus RT-N10 (new)
Asus RT-N10E (new)
Asus RT-N10U (new)
Asus RT-N56U (new)
Asus RT-N66U (new)
D-Link DES-1210-08P (new)
D-Link DIR-300 (new)
D-Link DIR-300A (new)
D-Link DSR-250N (new)
D-Link DSR-500N (new)
D-Link DSR-1000 (new)
D-Link DSR-1000N (new)
Huawei HG8245 (new)
Linksys E1200
Linksys E2500
Linksys E3000 (new)
Linksys E3200 (new)
Linksys E4200 (new)
Linksys RV082 (new)
Linksys WRVS4400N
Mikrotik CCR1009 (new)
Mikrotik Cloud Core Router (CCR) CCR1016
Mikrotik CCR1036
Mikrotik CCR1072
Mikrotik CRS109 (new)
Mikrotik CRS112 (new)
Mikrotik CRS125 (new)
Mikrotik RB411 (new)
Mikrotik RB450 (new)
Mikrotik RB750 (new)
Mikrotik RB911 (new)
Mikrotik RB921 (new)
Mikrotik RB941 (new)
Mikrotik RB951 (new)
Mikrotik RB952 (new)
Mikrotik RB960 (new)
Mikrotik RB962 (new)
Mikrotik RB1100 (new)
Mikrotik RB1200 (new)
Mikrotik RB2011 (new)
Mikrotik RB3011 (new)
Mikrotik RB Groove (new)
Mikrotik RB Omnitik (new)
Mikrotik STX5 (new)
Netgear DG834 (new)
Netgear DGN1000 (new)
Netgear DGN2200
Netgear DGN3500 (new)
Netgear FVS318N (new)
Netgear MBRN3000 (new)
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
Netgear WNR2200 (new)
Netgear WNR4000 (new)
Netgear WNDR3700 (new)
Netgear WNDR4000 (new)
Netgear WNDR4300 (new)
Netgear WNDR4300-TN (new)
Netgear UTM50 (new)
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
TP-Link TL-WR741ND (new)
TP-Link TL-WR841N (new)
Ubiquiti NSM2 (new)
Ubiquiti PBE M5 (new)
UPVEL Unknown Models* (new)
ZTE ZXHN H108N (new)

Why should this malware be considered important?
The authors (thought to be a group funded by a nation state) of this malware are using it to hijack vulnerable routers (500,000 are known to have been compromised across 54 countries) for possible use in cyberattacks against the Ukraine. Indeed, the malware more recently began seeking out Ukrainian routers specifically. The Ukrainian Secret Service issued a security alert on this on the 23rd of May.

The malware has the ability to do so by utilising previously publicly disclosed (defined) vulnerabilities to gain access and persistence (namely remaining present after the router is powered off and back on) within these routers. Last week the FBI took control of this botnet and are now working to clean up the affected devices.

The malware is very sophisticated and can persist within a router even if the router is powered off and back on (becoming the second malware to have this ability, the first being the Hide and Seek botnet). The malware is made up of 3 stages:

Stage 1: Is responsible for the persistence (mentioned above).
Stage 2: Providing the capabilities of a remote access Trojan (RAT)(defined)
Stage 3: Provides plugins for the RAT to extend it’s functionality.

The malware also has the capability to do the following:

  1. Wipe the firmware (see Aside below for a definition) of routers rendering them useless
  2. Inspect the data traffic passing through the router (with the possible intention of obtaining credentials passing over the wire to gain access to sensitive networks)
  3. Attempt to locate ICS/SCADA devices (defined) on the same network as the router by seeking out port 502 traffic, namely the Modbus protocol (defined) with the option of deploying further malware
  4. Communicate via the Tor network (definition in the Aside below).

How can I protect my devices from this malware?
The FBI are asking anyone who suspects their internet router to be infected to first reboot it (turn on and off the router). This will cause an infected device to check-in with the now under FBI control C&C (command and control, C2 (defined) server to provide them with a better overview of the numbers of infected devices.

To completely remove the malware; reset the device to factory defaults (this won’t harm a non-infected either but please ensure you have the necessary settings to hand to re-input them into the router, your internet service provider (ISP) will be able to help with this). This will remove stage 1 of the malware (stage 2 and 3 are removed by turning the router on an off).

To prevent re-infection: Cisco Talos’ team recommendations are available from this link. Moreover the US CERT provide recommendations here and here. Symantec’s recommendations are provided here (especially for Mikrotik and QNAP devices).

Further advisories from router manufacturers are as follows (their advice should supersede any other advice for your router model since they know their own devices the best):

Linksys
MiktroTik
Netgear
QNAP
TP-Link

Further recommendations from Sophos are:

  • Check with your vendor or ISP to find out how to get your router to do a firmware update.
  • Turn off remote administration unless you really need it
  • Choose strong password(s) for your router
  • Use HTTPS website where you can

A very useful and easy to follow step by step walk through of removing this malware by BleepingComputer is available from this link with useful guidance for multiple router models.

Thank you.

=======================
References:
New VPNFilter malware targets at least 500K networking devices worldwide : Cisco Talos team
=======================

=======================
Aside:
What is firmware?
Firmware is semi-permanent embedded software code that allows a device to carry out its function by having the low-level hardware carry out useful sequences of events.

What is The Onion Router (Tor)?
The Onion Router (Tor) is an open source (defined) project with the goal of protecting your privacy by passing your web browsing activity through a series of anonymous relies spread across the internet. These relays act like proxy servers which encrypt and randomly pass the traffic they receive from relay to relay.

This web of proxies is sometimes referred to as the Dark web (a portion of the internet only accessible using the Tor network). This makes tracing the source of the source almost impossible.
=======================

WPA2 KRACK Vulnerability: What you need to know

Last Sunday, the early signs of a vulnerability disclosure affecting the extensively used Wi-Fi protected access (WPA2) protocol were evident. The next day, disclosure of the vulnerability lead to more details. The vulnerability was discovered by  two researchers Mathy Vanhoef and Frank Piessens of the Katholieke Universiteit Leuven (KU Leuven) while examining OpenBSD’s implementation of the WPA2 four way handshake.

Why should this vulnerability be considered important?
On Monday 16th October, the KRACK (key re-installation attacks) vulnerability was disclosed. This vulnerability was found within the implementation of the WPA2 protocol rather than any single device making it’s impact much more widespread. For example, vulnerable devices include Windows, OpenBSD (if not already patched against it), Linux, Apple iOS, Apple macOS and Google Android.

If exploited this vulnerability could allow decryption, packet replay, TCP connection hijacking and if WPA-TKIP (defined) or GCMP (explained) are used; the attacker can inject packets (defined) into a victim’s data, forging web traffic.

How can an attacker exploit this vulnerability?
To exploit the vulnerability an attacker must be within range of a vulnerable Wi-Fi network in order to perform a man in the middle attack (MiTM)(defined). This means that this vulnerability cannot be exploited over the Internet.

This vulnerability occurs since the initial four way handshake is used to generate a strong and unique key to encrypt the traffic between wireless devices. A handshake is used to authenticate two entities (in this example a wireless router and a wireless device wishing to connect to it) and to establish the a new key used to communicate.

The attacker needs to manipulate the key exchange (described below) by replaying cryptographic handshake messages (which blocks the message reaching the client device) causing it to be re-sent during the third step of the four way handshake. This is allowed since wireless communication is not 100% reliable e.g. a data packet could be lost or dropped and the router will re-send the third part of the handshake. This is allowed to occur multiple times if necessary. Each time the handshake is re-sent the attacker can use it to gather how cryptographic nonces (defined here and here) are created (since replay counters and nonces are reset) and use this to undermine the entire encryption scheme.

How can I protect myself from this vulnerability?
AS described in this CERT knowledge base article.; updates from vendors will be released in the coming days and weeks. Apple (currently a beta update) and Microsoft already have updates available. OpenBSD also resolved this issue before the disclosure this week.

Microsoft within the information they published for the vulnerability discusses how when a Windows device enters a low power state the vulnerable functionality of the wireless connection is passed to the underlying Wi-Fi hardware. For this reason they recommend contacting the vendor of that Wi-Fi hardware to request updated drivers (defined).

Links to affected hardware vendors are available from this ICASI Multi-Vendor Vulnerability Disclosure statement. Intel’ security advisory with relevant driver updates is here. The wireless vendor, Edimax also posted a statement with further updates to follow. A detailed but easy to use list of many vendors responses is here. Since I use an Asus router, the best response I could locate is here.

======
Update: 21st October 2017:
Cisco have published a security advisory relating to the KRACK vulnerability for its wireless products. At the time of writing no patches were available but the advisory does contain a workaround for some of the affected products.
======

The above updates are software fixes but updates will also be made available for devices in the form of firmware updates e.g. for wireless routers, smartphones and Internet of Things (IoT)(defined) devices. For any wireless devices you own, please check with the manufacturer/vendor for available updates with the above CERT article and vendor response list detailing many of the common vendors.

Thank you.

Blog Post Shout Out: New Wireless Routers Enhance Internet of Things Protection

Happy New Year to all readers of this blog!

With attacks on routers increasing (e.g. this article concerning D-Link) and vulnerabilities being patched within internet of things (IoT) (defined) devices; it’s great news that security technologies are adapting to monitor and protect them.

I wanted to provide a respectful shout out (although not to blog posts) to products from several vendors that promise to better protect from threats such as the Mirai malware and other examples.

Full disclosure: I’m not receiving any incentives or benefits from any of these vendors; I simply wish to promote awareness of existing and upcoming technologies that we can use to better secure the increasing number of IoT devices that we are using in our everyday lives.

For example, early last week Symantec began accepting pre-orders for their new wireless router. Initially this will only be available in the US but will be extended to more regions in the future.

While a wireless router is nothing new, it is one of first that I have encountered that includes protection for Internet of Things (IoT) devices.

In their words it “constantly monitors your connected devices like WiFi thermostats, smart locks, appliances or home security cameras for suspicious activity and identifies vulnerabilities. If a device becomes compromised, it quarantines the threat before it spreads ensuring your digital world is safe.”

A similarly powerful offering from F-Secure is also in progress. Like Symantec, F-Secure’s is scheduled for release in Q2 of 2017.

These solutions are further refinements to wireless router/access point security solutions that have been available since late 2015. For example, Asus’ Ai-Protection feature (using technology licensed from Trend Micro) incorporates most of the features that F-Secure and Symantec offer just without the IoT management and reporting.

There are interesting times ahead as Internet of Things (IoT) devices and wireless router become increasingly more managed and monitored devices allowing us to secure them better. My sincere thanks to a colleague (you know who you are!) for assistance with this post.

Thank you.