Asus Live Update Utility 3.6 8

Criminals Modified ASUS Alive Update Utility to Deliver Backdoor to 1M People

March 26, 2019 David Bisson

Digital criminals modified the ASUS Alive Update Utility to deliver a backstairs to approximately ane one thousand thousand people.

According to a blog post published on Securelist , Kaspersky Lab commencement detected the supply concatenation attack named "Operation ShadowHammer" on 19 Jan. Bad actors staged this campaign between June 2018 and November 2018 against the ASUS Alive Update Utility, software which comes pre-installed on all ASUS machines. This tool enables ASUS computers to automatically receive updates for BIOS, UEFI and other applications from the manufacturer.

Kaspersky Lab counted 57,000 users of its security software who installed the backdoored version of the ASUS Alive Update Utility distributed in this campaign. The Russian security firm couldn't go far at a total number of users afflicted by the attack using its numbers alone. Using what it saw, however, it postulated that Performance ShadowHammer infected more than a million users.

Following its discovery, the security company notified ASUS about the attack campaign on 31 Jan. The reckoner manufacturer responded by acknowledging the events of Functioning ShadowHammer on 26 March—a day after Kaspersky Lab's written report came out. Every bit quoted in the visitor'southward statement :

A small number of devices have been implanted with malicious lawmaking through a sophisticated attack on our Alive Update servers in an effort to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing aid to ensure that the security risks are removed.

ASUS also explained that it'southward implemented several security measures to forestall similar incidents from happening again as well as issued a prepare in version 3.half-dozen.8 of the Alive Update software. This updated version is available for download here .

Looking dorsum at its research, Kaspersky Lab figures that the campaign was so difficult to notice because the trojanized updaters came with signed legitimate certificates from ASUS. These code-signing certificates are important for companies in that they help identify which updates and machines should exist trusted. Unfortunately, it's this very same functionality that makes code-signing certificates of import targets for digital attackers.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, knows this preference among digital criminals all too well:

Hackers continue to exploit the power of machine identities every day. Like Stuxnet, attackers steal or take over code-signing certificates to make their malware trusted. Everything from Telsa cars to Boeing airplanes to your laptop use code signing to institute which apps, drivers and updates are trusted. This is the extreme power that hackers want to be completely trusted and it an even allow them to evade threat protection systems.

The trouble, Bocek explains, is that the protection of code-signing processes unremarkably falls to developers who are not prepared to defend confronting attacks. At the aforementioned time, well-nigh security teams may non even know their developers are using lawmaking signing. This lack of visibility is concerning, as code-signing certificates are likely to abound exponentially over the next few years amid the rise of mobile apps, DevOps and IoT.

Given these risks, organizations need to invest in a solution that can assist them inventory their encryption avails and monitor them for signs of corruption.

How well protected are your code-signing and other digital certificates?

Related posts

• Attackers Misused Code-Signing Certificates of Taiwanese Companies to Spread Plead Malware
• Code Signing Certificates: A Night Web Best Seller
• Crypto Mining, Code Signing Compromise: Are Your Certificates Prophylactic?
• The CCleaner Compromise: Was a Code Signing Document the Culprit?

Like this blog? Nosotros think you will dearest this.

Featured Blog

EARN It Human activity Is Back so Is Argue Over End-To-End Encryption

The Eliminating Abusive and Rampant Neglect of Interactive T

Read More

Subscribe to our Weekly Blog Updates!

Bring together thousands of other security professionals

Get top blogs delivered to your inbox every calendar week

Subscribe Now

Yous might also like

eBook

TLS Machine Identity Direction for Dummies

White Paper

CIO Written report: Document-Related Outages Go along to Plague Organizations

About the author

David Bisson

David is a Contributing Editor at IBM Security Intelligence.David Bisson is a security journalist who works as Contributing Editor for IBM'due south Security Intelligence, Associate Editor for Tripwire and Contributing Author for Gemalto, Venafi, Zix, Bora Blueprint and others.

Read Posts by Writer

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Delight enter valid email address

* Show Please fill in this field Password must be
At least 8 characters long
At to the lowest degree i digit
At terminal 1 lowercase letter of the alphabet
At least 1 capital letter letter
At least one special grapheme
(@%+^!#$?:,(){}[]~`-_)

* Delight fill in this field

* Delight fill in this field

* Please fill in this field

* Please fill up in this field Please enter valid telephone number

* Country

End User License Agreement needs to be viewed and accustomed

Already have an account? Login Here

×

Scroll to the bottom to take

VENAFI CLOUD SERVICE

*** Of import ***

Delight READ Advisedly BEFORE Continuing WITH REGISTRATION AND/OR ACTIVATION OF THE VENAFI Deject SERVICE ("SERVICE").

This is a legal agreement between the end user ("Yous") and Venafi, Inc. ("Venafi" or "our"). BY ACCEPTING THIS Understanding, EITHER By CLICKING A BOX INDICATING YOUR ACCEPTANCE AND/OR ACTIVATING AND USING THE VENAFI Deject SERVICE FOR WHICH YOU HAVE REGISTERED, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF Y'all ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A Visitor OR OTHER LEGAL ENTITY, Y'all Correspond THAT YOU HAVE THE Potency TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS "Yous" OR "YOUR" SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF YOU DO NOT HAVE SUCH Say-so, OR IF You lot Practice Not AGREE WITH THESE TERMS AND CONDITIONS, Yous MUST NOT ACCEPT THIS AGREEMENT AND MAY Non USE THE SERVICE.

You shall not access the Service if You are Our competitor or if y'all are acting as a representative or agent of a competitor, except with Our prior written consent. In improver, You shall not access the Service for purposes of monitoring its availability, performance or functionality, or for any other benchmarking or competitive purposes, and you shall not perform security vulnerability assessments or penetration tests without the express written consent of Venafi.

This Agreement was terminal updated on Apr 12, 2017. It is effective between Yous and Venafi every bit of the date of Your accepting this Agreement.

The Venafi Cloud Service includes two dissever services that are operated by Venafi every bit software every bit a service, each of which is separately licensed pursuant to the terms and weather condition of this Agreement and each of which is considered a Service nether this Understanding: the Venafi Cloud Risk Assessment Service or the Venafi Cloud for DevOps Service. Your right to use either Service is dependent on the Service for which You accept registered with Venafi to use.

1. Definitions
   1. "Your Data" means electronic data and information submitted by or for You to the Service or nerveless and processed by or for You lot using the Service.
2. License Grants and Restrictions
   1. License Grant by Venafi to You. Venafi grants to You lot a limited, not-exclusive, non-transferable, not-assignable, express license (the "License") to admission and use the Service during the applicable License Term ready out in Section ii.ii below, in accordance with the instructions contained in the user documentation that accompanies the Service ("Documentation). Venafi hereby grants to You the correct to apply the Documentation solely in connection with the practise of Your rights under this Agreement. Other than every bit explicitly ready forth in this Understanding, no right to use, copy, display, or print the Documentation, in whole or in part, is granted. This license grant is limited to internal use past Y'all. This License is conditioned upon Your compliance with all of Your obligations nether this Agreement. Except for the limited licenses granted in this Section, no other rights or licenses are granted by Venafi, expressly, by implication, by style of estoppel or otherwise. The Service and Documentation are licensed to Licensee and are not sold. Rights not granted in this Understanding are reserved by Venafi.
   2. License Term.
      1. Venafi Cloud Take a chance Cess Service. If you lot have registered to access and utilise the Venafi Cloud Risk Assessment Service, Your right to use the Venafi Cloud Take a chance Assessment Service is limited to xc (90) days from the date You first annals for the Service, unless otherwise extended on Your agreement with Venafi.
      2. Venafi Deject for DevOps Service. If y'all have registered to access and use the Venafi Deject for DevOps Service, Your right to use the Venafi Cloud for DevOps Service shall extend indefinitely and may be terminated by either You or Venafi at whatsoever time for any reason.
   3. Restrictions on Use. The grant of rights stated in Sections 2.ane and ii.2, in a higher place, is subject to the post-obit restrictions and limitations:
      1. If You take registered to access and utilise the Venafi Cloud for DevOps Service, Yous must use SSL/TLS certificates issued to you at no accuse through the Service for development and testing purposes only, and Yous are strictly prohibited from using such SSL/TLS certificates in a product environment or in whatever production chapters. If you are registered with a public Certification Authority ("CA") supported past the Service and have valid credentials issued by such CA with which you can subscribe to such CA's SSL/TLS certificates on a fee bearing basis for apply in product environments, Yous may request such certificates through the applicable interface present in the Service by using such credentials. In such instance, the fee bearing certificate(s) volition be issued to You by the CA and whatever access to or use of such certificates by You volition exist discipline to the terms and conditions fix out past the CA. No fees will exist paid to or processed by Venafi in this case. The use of DigiCert issued certificates shall be subject to the Certificate Services Agreement published past DigiCert at https://world wide web.digicert.com/docs/agreements/Certificate-Services-Agreement.pdf, which terms are hereby incorporated past reference.
      2. You shall not use (or cause to exist used) the Service for the benefit of any third political party, including without limitation by rental, in the functioning of an Applications Service Provider (ASP) service offer or every bit a service bureau, or any similar means.
      3. You lot shall not distribute admission to the Service, in whole or in any role, to any third party or parties. You shall not permit sublicensing, leasing, or other transfer of the Service.
      4. You shall not (a) interfere with or disrupt the integrity or performance of the Service or third-party data contained therein, (b) attempt to gain unauthorized admission to the Service or its related systems or networks, (c) allow straight or indirect access to or use of the Service in a way that circumvents a contractual usage limit, or (d) access the Service in order to build a competitive product or service.
   4. License Grant by You. Y'all grant to Venafi and its affiliates, as applicative, a worldwide, limited-term license to host, copy, transmit and display Your Data as necessary for Venafi to provide the Service in accord with this Agreement. Subject to the limited licenses granted herein, Venafi acquires no correct, championship or interest from You or whatsoever of Your suppliers or licensors under this Agreement in or to Your Data.
3. Ownership
   1. Venafi Materials. Venafi and/or its suppliers have and shall retain ownership of all correct, championship and interest in and to the Service and the Documentation and all intellectual property rights embodied in the Service and Documentation, including without limitation any patents, copyrights, trademarks and trade secrets in the Service and any modifications and/or derivatives thereof, whether or not made at Licensee's asking, and all know-how, concepts, methods, programming tools, inventions, and computer source code developed past Venafi (collectively, "Venafi Materials").
   2. Express Feedback License. You hereby grant to Venafi, at no charge, a non-sectional, royalty-gratis, worldwide, perpetual, irrevocable license under Your intellectual belongings rights in and to suggestions, comments and other forms of feedback ("Feedback") regarding the Service provided by or on behalf of You to Venafi, including Feedback regarding features, usability and apply, and bug reports, to reproduce, perform, display, create derivative works of the Feedback and distribute such Feedback and/or derivative works in the Service. Feedback is provided "as is" without warranty of any kind and shall non include any of Your confidential data.
4. Disclaimer of Warranties
   1. EXCEPT AS EXPRESSLY SET Forth IN THIS Section four, THE SERVICE AND DOCUMENTATION ARE PROVIDED "As-IS," WITH "ALL FAULTS" AND "Equally Bachelor," WITHOUT WARRANTY OF Any KIND, EITHER EXPRESS OR Implied, INCLUDING, BUT Non LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, Fitness FOR A Item PURPOSE, TITLE, ACCURACY, RELIABILITY, OR NONINFRINGEMENT WHETHER ARISING FROM Class OF DEALING, USAGE, TRADE PRACTICE OR Any OTHER MANNER. VENAFI IS Non OBLIGATED TO PROVIDE Whatever UPDATES, UPGRADES OR TECHNICAL Support FOR THE SERVICE. VENAFI DISCLAIMS ALL LIABILITY AND INDEMNIFICATION OBLIGATIONS FOR Whatsoever Damage OR Amercement CAUSED By Whatsoever THIRD-Party HOSTING PROVIDERS. In no upshot does Venafi warrant that the Service is mistake gratuitous or that You will be able to operate the Service without problems or interruptions. Some jurisdictions practise not allow the exclusion of implied warranties and to the extent that is the case the to a higher place exclusion may not apply.
5. Limitation of Liability
   1. IN NO Result Volition VENAFI OR ITS SUPPLIERS Be LIABLE FOR ANY LOST REVENUE, PROFIT, OR DATA, OR FOR Direct, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR Castigating DAMAGES HOWEVER Caused AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR Inability TO USE THE SERVICE Even IF VENAFI OR ITS SUPPLIERS Have BEEN Advised OF THE POSSIBILITY OF SUCH DAMAGES. Some jurisdictions practise not allow the limitation or exclusion of liability for incidental or consequential damages and to the extent that is the case the above limitation or exclusion may not employ to You.
6. Term and Termination

   This License is effective until terminated equally fix forth herein or the License Term expires and is not otherwise renewed by the parties. Venafi may finish this Agreement and/or the License at whatsoever fourth dimension with or without written notice to You lot if Yous fail to comply with whatsoever term or condition of this Agreement or if Venafi ceases to make the Service available to finish users. You may terminate this Agreement at any fourth dimension on written notice to Venafi. Upon any termination or expiration of this Agreement or the License, You concur to cease all employ of the Service if the License is not otherwise renewed or reinstated. Upon termination, Venafi may also enforce whatsoever rights provided by law. The provisions of this Agreement that protect the proprietary rights of Venafi volition keep in force afterwards termination.

7. Compliance With Laws
   1. Violation of Laws. You shall not knowingly accept whatever activity or omit to take any activity where the reasonably predictable issue would exist to cause Venafi to violate whatsoever applicative law, dominion, regulation or policy and, to the extent not inconsistent therewith, any other applicable law, rule, regulation and policy.
8. Governing Law

   This Agreement shall be governed by, and any arbitration hereunder shall utilise, the laws of the State of Utah, excluding (a) its conflicts of laws principles; (b) the United Nations Convention on Contracts for the International Sale of Appurtenances; (c) the 1974 Convention on the Limitation Period in the International Auction of Goods; and (d) the Protocol amending the 1974 Convention, washed at Vienna April 11, 1980.

9. General
   1. This Agreement is bounden on You lot as well every bit Your employees, employers, contractors and agents, and on any permitted successors and assignees. Except if otherwise superseded in writing by a separately executed agreement, this Agreement is the entire agreement between You lot and Venafi with regard to the License granted hereunder, and You agree that Venafi volition not have any liability for any statement or representation fabricated past it, its agents or anyone else (whether innocently or negligently) upon which You relied in entering into this Understanding, unless such statement or representation was made fraudulently. This Understanding supersedes any other understandings or agreements, including, simply non express to, advertising, with respect to the Service. If whatsoever provision of this Understanding is deemed invalid or unenforceable by any country or government agency having jurisdiction, that item provision will exist deemed modified to the extent necessary to make the provision valid and enforceable and the remaining provisions will remain in full force and issue. Should such modification be impractical or denied, You lot and Venafi shall thereafter each have the correct to terminate this Agreement on immediate notice.
   2. Survival. The parties hold that the rights and obligations set forth in the above-referenced Section one (Definitions), 3 (Ownership), 4 (Disclaimer of Warranties), 5 (Limitation of Liability), 6 (Term and Termination), 7 (Compliance with Laws), 8 (Governing Police force), and 9 (General) shall survive the termination of this Agreement for any reason and enforcement thereof shall not be subject to any conditions precedent.
   3. Assignment. This Understanding shall be bounden upon and inure to the benefit of the parties' respective successors and permitted assigns. You lot shall not assign this Understanding or any of Your rights or obligations hereunder without the prior written consent of Venafi and any such attempted consignment shall exist void.

Asus Live Update Utility 3.6 8,

Source: https://www.venafi.com/blog/criminals-modified-asus-live-update-utility-deliver-backdoor-1m-people

Posted by: orourkealateve.blogspot.com

Share this post