In what Kaspersky Lab is calling "one of the biggest supply-chain attacks ever," an estimated one million PCs made by Asus received a malicious software update that was distributed through legitimate channels, the cybersecurity firm said.
Kaspersky Lab says that cybercriminals compromised the Asus Live Update Utility, which provides BIOS, UEFI and software updates to Asus PCs.
"The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time," Kaspersky Lab wrote in a blog post.
Taiwan-based Asus did not immediately respond to a request for comment.
The malicious update was reportedly delivered to users between June and November of 2018.
Kaspersky Lab said it has uncovered more than 57,000 users with the backdoored utility, and the firm estimates that about 1 million users were affected in total. The hackers had meant to target only 600 specific users, according to the firm.
In a statement to CRN, cybersecurity firm Symantec said it "can confirm the ASUS software supply chain attack."
Based on Symantec's analysis, trojanized updates "were deployed by ASUS’ live update server between June and late October 2018. These updates were digitally signed using two certificates from ASUS," Symantec said in the statement.
Kaspersky Lab—which has dubbed the Asus attack "ShadowHammer"—said that three other vendors have been attacked using the same techniques, but did not disclose the names of the other vendors.