Language barriers, Lunar New Year and NDA impasse: How ASUS and Kaspersky fell out over Live Update hack

Kaspersky Lab’s dealings with ASUS after revealing the Taiwanese computer brand’s live software update tool was being used to install a malicious backdoor on its customer’s computers were marred by a language barrier, the timing of Lunar New Year and wrangling over a non-disclosure agreement, it has been revealed.

The Russian security firm – whose researchers uncovered the advanced persistent threat campaign – said last week at its Security Analyst Summit in Singapore that it first contacted ASUS about the attack on January 29, in the midst of the Chinese New Year celebrations.

“They expected some greetings for the new year, instead we reported a big, big problem,” said Kaspersky Lab’s Global Research and Analysis Team (GReAT) APAC director Vitaly Kamluk.

In the weeks following, Kaspersky provided ASUS with its findings about the attack – dubbed ShadowHammer – in a number of face to face meetings and conference calls.

“The whole thing happened at a very unfortunate time, it was just before the Lunar New Year – for us in Europe it doesn’t mean anything, but over here and in the region it’s a big thing. People take vacations. Of course this is a serious thing and maybe we ruined some people’s vacations, I’m sure of that,” GReAT director Costin Raiu told CIO Australia.

Costin Raiu details ShadowHammer at Kaspersky Lab security summit. Suhaimi Abdullah/Getty Images

During virtual and in-person meetings on January 31, February 14 and 20, communication suffered due to a lack of a shared language. In similar cases – such as the ShadowPad supply-chain attack made through South Korean firm NetSarang’s software – Kaspersky had a native Korean speaker.

“It’s different than having information through a translator translating, it adds an additional barrier in the communication,” Raiu explained.

Push to go public

Although ASUS provided Kaspersky with relevant update archives and information, the company was reticent to go public with the attack. ASUS did not respond to questions about its response to the attack in multiple emails and calls at the time of publication.

“There was a discussion of course; what happens next. Normally we inform victims andhellip;we encourage them to go public first, together with us to explain what happened, explain what actions have been done, and how big is the problem, whether it was contained or not,” Kamluk said.

With NetSarang, for example, a joint press release went out with comment from both companies and apologies from the vendor.

“We of course explained this to them. We offered our help and assistance in investigatinghellip; They said they need time to think about the strategy,” Kamluk added.

Kaspersky itself held back initially as it wanted to first understand more about the nature and extent of the APT, and not cause unnecessary “panic around the world”.

“It’s possible the attackers are still in the ASUS networks and we won’t achieve anything, they might send a wiper to everybody and very quickly, overnight wipe a million computers,” said Raiu.

Raiu confirmed that ASUS had wanted Kaspersky to sign a non-disclosure agreement. While that is common practice when dealing with supply chain attacks, the NDA would have stopped Kaspersky from revealing anything about the attack, Raiu said.

“We felt we had a duty to go public with information about the attack because so many people were affected and an NDA would have prevented us from going publichellip;we thought it’s in the public interest to make the information available,” Raiu said.

One may be signed in the near future, however.

“Up to this moment we haven’t signed it yet is the correct interpretation,” Raiu added.

With any risk of ShadowHammer being a false positive now gone, and confident the attack had ended by November 2018, Kaspersky continued to push ASUS to alert customers.

Vitaly Kamluk shares ShadowHammer findings at Kaspersky security summit. Suhaimi Abdullah/Getty Images

“I told them that it is something that cannot be silenced,” Kamluk said. “We told them we will blacklist your certificate and people will see it in alerts. There will be security researchers asking about this, it will be noticed, and there is your name in the certificate that you cannot get rid of, so everybody will know that your compromised and it cannot be silenced.”

“So we went public,” he added.

No thanks

Kaspersky published details of the attack on its SecureList blog and in a story in Motherboard on March 25.

The following day, ASUS published a “response to the recent media reports”. In it the company claimed “only a very small number of specific user group were found to have been targeted” by the attack and that “it is extremely unlikely that your device has been targeted”.

This “small” user group is in reference to the hardcoded list of MAC addresses in the malware, numbering around 600. Once it infected a system with one of the specified MAC addresses, the malware contacted an attacker controlled server to install further malware elements.

Curiously, within ASUS’ response, the company links to a generic web page about APT groups by Kaspersky rival FireEye.

“It’s weird. I expected at least a ‘thank you guys, thank you for reporting’ but there was nothing. Something broke there internally, perhaps someone got angry because we decided to go public earlier, I don’t know,” said Kamluk.

The “weird” response from ASUS is not unusual behaviour from computer-makers, Kamluk said.

“Vendors are normally are quite annoyed by reporting of their security issueshellip;It wasn’t the same with ASUS. They were not aggressive. They didn’t, at least publicly, appreciate our help, they didn’t credit us, but they were not aggressive. They didn’t try to lie. They didn’t try to deny things because other vendors do,” he said.

It is not the first time ASUS has suffered from poor security issues and kept customers in the dark. In 2016 the company settled Federal Trade Commission chargesthat critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk.

The commission said that ASUS “did not address security flaws in a timely manner” nor did it “notify consumers about the risks posed” or alert them to the availability of security updates.

This time around – the day after the Motherboard article– ASUS has implemented a fix in the latest version of its Live Update software. It has also “introduced multiple security verification mechanisms”.

“At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future,” the company said last month.

ASUS and Kaspersky have released diagnostic tools for users to check if their systems are affected. Kaspersky also has a MAC address look-up service, to see if user addresses match those hardcoded in the backdoor code.

The author travelled to the Security Analyst Summitas a guest ofKaspersky Lab.