A few days ago it became public that an old version of the ASUS Live Update utility had been compromised and shipped with a backdoor. But a security researcher had warned ASUS two months earlier about exactly such a supply chain attack. He had stumbled upon incredible security failures.
What are we talking about here?
Most ASUS computers come preinstalled with a utility called ASUS Live Update. This utility automatically updates certain components, such as the BIOS, UEFI firmware, drivers and applications.
Unknown attackers took an old version of the ASUS Live Update utility and injected malicious code implementing a backdoor. They then signed this trojanized version of the utility with legitimate certificates and hosted the file on official ASUS update servers, so ASUS itself distributed the malicious version afterwards. I published some details in my blog post ShadowHammer: ASUS Live Update infected with Backdoor.
A security researcher had warned ASUS
Techcrunch reported in this article that the whole incident was a disaster waiting to happen: a security researcher had warned Asus two months earlier. He had noticed that ASUS employees had carelessly published passwords in their GitHub repositories, passwords that could also be used to intrude into and access the company's corporate network.
For instance, one password found in an employee's code-sharing repository allowed the security researcher to access an email account. This account is used by internal developers and engineers at ASUS to distribute nightly builds of apps, drivers and tools to computer owners. "It was a daily release mailbox where automated builds were sent," security researcher SchizoDuckie told TechCrunch.
E-mails found in the mailbox contained the exact internal network paths where drivers and files were stored. The researcher did not test in detail how far this password would grant him access beyond the account. But he warned that, with the knowledge gained from GitHub and the e-mail account, it would be easy to infiltrate the whole ASUS network. "All you need is one of those emails with an attachment to one of the recipients for a really nice Spear phishing attack," the security researcher said.
According to Techcrunch, the repository in question belonged to an ASUS engineer who had made the email account passwords publicly available for at least a year. The repository has since been deleted, but the GitHub account still exists.
It should be noted that the security researcher's hints would probably not have prevented the attack described above, which took place in the summer of 2018. But the episode shows how carelessly ASUS employees handle security within some manufacturers' supply chains.
Unbelievable security behavior
Techcrunch writes that the security researcher found at least two more cases of Asus engineers revealing company passwords on their GitHub pages. An Asus software architect based at the company's headquarters in Taiwan left a user name and password in the code on his GitHub page. Another Taiwan-based data engineer had likewise left credentials in code he published on GitHub. "Companies have no idea what their programmers are doing with their code on GitHub," the researcher said, according to Techcrunch.
A day after Techcrunch alerted ASUS by e-mail, the repositories with the leaked credentials were wiped from GitHub. ASUS spokesman Randall Grilli told TechCrunch that the computer manufacturer "was unable to verify the validity of the claims in the researcher's emails. Asus is actively investigating all systems to remove all known risks from our servers and supporting software and ensure there are no data leaks," he added. Well, it seems everything is going well, isn't it?