CIO

DHS alert: Asus offers patch for hijacked Live Update Windows 10 utility

  • Liam Tung (CSO Online)
  • 27 March, 2019 04:20

Taiwan-headquartered computer maker Asus has rushed out a security update after it was discovered that the company’s Live Update utility software had been hijacked to infect a small group of targets.

Researchers at Kaspersky Lab flagged the poisoned update on Monday and estimated that one million Asus customers had installed the company’s software for delivering driver and firmware updates.

Although the tainted updater reached about a million machines, Kaspersky Lab researchers found that it only activated its payload on roughly 600 computers whose network MAC addresses were hardcoded in the malware. Kaspersky also said several other computer manufacturers were targeted in the same way.
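The MAC-address gating described above is also the fastest way for a responder to triage a fleet: collect each host’s adapter MACs and compare them, in a normalised form, against the published target list. The script below is an added example written for this page, not code from Asus, Kaspersky or CISA; the target list and the `ipconfig /all` output it parses are constructed for illustration and are not the real ShadowHammer indicators.

```python
"""Triage helper: does any local NIC MAC appear on a published target list?

Added example for this article, not vendor code. TARGET_MACS_RAW and
SAMPLE_IPCONFIG are CONSTRUCTED stand-ins; substitute the real list
published by the vendor or researchers before using this in an investigation.
"""
import re

# Constructed target list. Published lists arrive in mixed formats
# (colons, hyphens, Cisco dotted), so everything is normalised first.
TARGET_MACS_RAW = [
    "00:11:22:AA:BB:CC",
    "d4-81-d7-00-00-01",
    "0050.5600.0002",
]

# Constructed sample of `ipconfig /all` output from one Windows host.
SAMPLE_IPCONFIG = """
Ethernet adapter Ethernet:
   Physical Address. . . . . . . . . : D4-81-D7-00-00-01
   DHCP Enabled. . . . . . . . . . . : Yes

Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : 9C-B6-D0-12-34-56

Ethernet adapter vEthernet (Default Switch):
   Physical Address. . . . . . . . . :
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex characters, whatever separators it used."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return cleaned


def parse_ipconfig_macs(text: str) -> list[str]:
    """Extract the MAC of every adapter listed in `ipconfig /all` output."""
    macs = []
    for line in text.splitlines():
        if "Physical Address" not in line:
            continue
        # Only the first ':' separates label from value; Windows prints MACs with '-'.
        value = line.split(":", 1)[1].strip()
        try:
            macs.append(normalize_mac(value))
        except ValueError:
            continue  # virtual adapters may have an empty address field
    return macs


def targeted_macs(local_macs: list[str], target_list=TARGET_MACS_RAW) -> set[str]:
    """Return the subset of local MACs that appear on the target list."""
    targets = {normalize_mac(m) for m in target_list}
    return {m for m in local_macs if m in targets}


def triage(ipconfig_text: str) -> dict:
    """Summarise one host: its MACs, any matches, and a yes/no verdict."""
    local = parse_ipconfig_macs(ipconfig_text)
    hits = targeted_macs(local)
    return {"local_macs": local, "hits": sorted(hits), "targeted": bool(hits)}


if __name__ == "__main__":
    print(triage(SAMPLE_IPCONFIG))
```

A match on the second-stage target list means the host was selected for the real payload; a host that merely installed the trojanised updater is still compromised software-wise and should be cleaned and updated regardless of whether its MAC matches.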

Asus ships the proprietary utility as pre-installed software with its notebooks to ensure consumers have current driver and firmware updates. It’s also available for download from its official website.  

“A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group,” Asus said in a statement.

The company says it has been reaching out to customers to help them remove the tainted software. 

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) alerted Asus’ Windows 10, Windows 8.1 and Windows 7 users to the patched update on Tuesday, noting the vulnerabilities were remotely exploitable and already under attack. 

CISA also urged users and enterprise IT admins to review Asus’ questions page about the issue.

“ASUS has released Live Update version 3.6.8. This version addresses vulnerabilities that a remote attacker could exploit to take control of an affected system. These vulnerabilities were detected in exploits in the wild,” CISA said.   

The malware evaded antivirus by being signed with legitimate digital certificates that used names like “ASUSTeK Computer Inc”. The malicious updaters were hosted on Asus’ servers. 

Asus says it implemented “multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism.”

It has also done some work to harden the servers it uses to deliver software to customers, in order to prevent future attacks using its infrastructure, and has created an online tool for consumers to check whether they are affected by the attack. 

The Asus attack was revealed as Microsoft disclosed a vulnerability affecting Huawei’s PC Manager, device management software for Huawei MateBook laptops. Microsoft warned that kernel drivers from hardware makers are becoming an attractive target because they can be abused to bypass mitigations in the Windows kernel.  

“Computer manufacturers usually ship devices with software and tools that facilitate device management,” explained Amit Rapaport of the Microsoft Defender research team.

“These software and tools, including drivers, often contain components that run with ring-0 privileges in the kernel. With these components installed by default, each must be as secure as the kernel; even one flawed component could become the Achilles’ heel of the whole kernel security design.”