Threat actors have compromised the Asus technology manufacturer update mechanism to install malware that allows installing a backdoor on compromised computers. According to web application security testing experts, this is due to a Man-In-The-Middle (MiTM) attack campaign against routers to exploit some unsecured HTTP connections between Asus computer users and company servers.
This malware, known as Plead, was developed by a group of hackers specializing in cyberspying tasks that the cybersecurity community has identified as BlackTech Group; this group mainly attacks private companies and government agencies in Asian territory.
According to experts, in previous opportunities this group has attacked companies like D-Link through phishing emails and compromised routers to use them as command and control servers to deploy their malware.
This time, web application security testing experts discovered that BlackTech developed a new method for deploying Plead on target systems. Attackers abused a file called ASUS webstorage Upate.exe, which is included in a company update. After an investigation, the experts determined that the infections were created and executed from this location, taking advantage of legitimate Windows processes and Asus digital signatures.
Experts found that Asus WebStorage software is vulnerable to MiTM attacks (where hackers take control of data transmission over a connection) due to the use of unencrypted HTTP connections, rather than HTTPS connections, which have default protection against this attack variant. In addition, Asus does not verify the software’s authenticity before running, so attackers may intercept legitimate system processes to inject the malware instead of the company’s files.
As a response to the incident, Asus Cloud redesigned the architecture of its update server, as well as implementing some protections to secure the system’s sensitive data. However, web application security testing specialists from the International Institute of Cyber Security (IICS) recommend that the users of the compromised machines perform an antivirus analysis to corroborate that the hackers have not accessed their confidential information.