It was revealed two weeks ago that hackers had broken into computer giant ASUS’ servers and compromised their code signing keys. According to Kaspersky Labs, ASUS’ software update system was hacked and used to distribute malware to about 1 million Windows computers. The malware was disguised as a “critical” software update, distributed from ASUS’ servers, and signed using a real ASUS certificate that made it appear to be valid.
The attackers were able to push the malicious file to customer machines through a tool called setup.exe, which was purported to be an update to the update tool itself. It was actually a three-year-old ASUS update file from 2015 that the attackers injected with malicious code before signing it with a legitimate ASUS certificate. The use of an old binary with a current certificate suggests the attackers had access to the server where ASUS signs its files but not the actual build server where it compiles new ones. Because the attackers used the same ASUS binary each time, it suggests they didn’t have access to the whole ASUS infrastructure, just part of the signing infrastructure. During this time legitimate ASUS software updates still got pushed to customers, but these legitimate updates were signed with a different certificate that used enhanced validation protection making the malware more difficult to spoof.
The attack took place sometime between June and November 2018 but was not discovered until January 2019. How did it stay undetected for so long? As explained by Kaspersky Labs who exposed the attack:
“The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (eg: “ASUSTeK Computer Inc.”). The malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers.”
Software supply-chain attacks are particularly sinister, because once hackers establish the ability to create platform updates that appear to be legitimate, they can capitalize on the product’s distribution base, such as ASUS Live Update tool, to spread their malware to hundreds of thousands of customers. And while it’s not clear what the attackers were after, the attackers surgically targeted specific ASUS customers—
So how was ASUS’ code signing infrastructure compromised? Generally speaking, code signing can become tainted in two ways:
- Compromised code signing keys and certificates – The attackers exfiltrate the code signing private keys, which are used to create the signatures, and their associated certificates. In the ASUS’ case, if hackers obtained the signing key, they could sign the malicious update file from any machine. The level of difficulty for this type of attack depends on where the signing keys are stored and how they are protected. For a company to be granted Extended Validation (EV) certificates—the most secure type of code signing certificates issued by public certificate authorities, and therefore the most trusted—the company must store signing keys in secure cryptographic modules (FIPS 140-2 validated, Level 2 or higher), making exfiltration very difficult. If keys are not strongly protected, however, they are vulnerable to exfiltration, enabling attackers to use them at will.
- Signing mechanism compromise – By gaining access to the organization’s signing server infrastructure, attackers can sign malware to pass it off as legitimate software without actually taking the signing keys. Regarding ASUS, this method of attack could have happened if hackers were able to connect to the ASUS signing server infrastructure and input the malicious update file into the existing mechanism for signing, and later distribute the signed file via official ASUS update servers.
And while we don’t know all the details pertaining to the ASUS attack, and what measures they could have taken to prevent this incident, here are some of Unbound’s recommendations to avoid code signing compromise:
- Protect code signing keys: Key exfiltration is the riskiest because it gives attackers the most freedom to sign any code anywhere. Use cryptographic key protection and management solutions to help ensure that attackers cannot get hold of the valuable private keys.
- Establish advanced quorum authorization for sensitive signing operations: By requiring multiple people and/or systems to authorize sensitive cryptographic operations, such a signing code—especially code that can impact low level system operations—you can eliminate rogue actors tainting the code with malware.
- Monitor and audit all code signing transactions: A comprehensive log of all operations including the source of those operations can help quickly identify the source and mitigate attacks after they occur.
Learn more about how Unbound can help protect your code signing infrastructure.
For more info on the ASUS supply chain attack, and why it is actually a big deal, check out Kaspersky Labs, the company that exposed the attack and Motherboard, who’s Kim Zetter first published the story.