+1.877.297.7816
Contact Us

Learning from a
backdoor attack:
the takeaways of
Operation
ShadowHammer

Author: Mark Stone

In January 2019, it was discovered that users of Asus Live Update, a preinstalled utility that delivers software updates to Asus computers, were impacted by a backdoor attack. In March 2019, Motherboard reported on Operation ShadowHammer, a cyberattack that targeted users of Asus Live Update, a preinstalled utility that delivered software updates to Asus computers.

More than 57,000 users installed the infected version of the utility on their machines, but it's estimated that the infected software had been distributed to more than 1 million people.

What happened?

Operation ShadowHammer was a classic backdoor attack: It breached victims' networks and installed programs to enter and exit the network at will. It's also an example of a supply chain attack, which targets the less secure elements of a company's supply chain network, such as software vendors and third-party suppliers.

To facilitate the attack, hackers altered an old version of the Asus Live Update Utility software and distributed their modified version to Asus computers around the world. The software looked legitimate: It was signed with legitimate Asustek certificates, it was stored on official servers, and it was even the same file size. Once planted, the backdoor program gave the attackers control of the target computers through remote servers, letting them install additional malware.

Wired traces the attacks back to a Chinese hacker group known as Barium. Barium is known to deploy advanced persistent threat attacks, which often remain undetected well after the initial infection.

The damage so far

Sophisticated supply chain attacks aren't new threats.

In July 2017, the ShadowPad supply chain attack implanted backdoors on corporate networks worldwide; it's thought that the ShadowPad and ShadowHammer attacks are linked. Researchers at Morphisec reported in September 2017 an attack in which hackers inserted a back door into the code of the security application CCleaner that rerouted more than 2 million users to an attacker-controlled server.

Then there's the notorious Nyetya/NotPetya attack, a destructive ransomware attack that hit Ukraine and then spread internationally. A Talos investigation reported that the campaign started as a supply chain attack against the servers that pushed updates to the Ukrainian accounting software M.E.Doc. In this attack, attackers created ransomware resembling a software update that launched when users tried to install it.

What can businesses do?

Back doors can be difficult to close once they've been opened.

To defend against a backdoor attack, your IT and security departments must be diligent in setting up firewall rules that control inbound and outbound third-party connections. You should know which connections are normal, where those connections are coming from and where they're going, and who or what should have access to your network.

Analyze your firewall rules that scrutinize inbound connections. Artificial intelligence could provide further protection by identifying abnormal network behavior that goes undetected by the human eye.

In today's chaotic threat landscape, managing your firewalls and network connections is becoming increasingly complicated. But you don't have to go it alone.

Learn how Verizon’s security solutions can help you protect your organization.