The response from Asus to a seemingly major compromise of its own PC update software lacks a specific accounting for what happened, raising further questions about the vendor's cybersecurity approach.
On Monday, cybersecurity firm Kaspersky Lab disclosed that Asus' Live Update software was compromised by hackers last year in order to deliver malware to users. The firm estimated that about 1 million users were affected by the malicious update, which was delivered between June and November of 2018. Symantec confirmed the attack on Monday.
Asus responded a day later, saying that it was deploying a fix to its Live Update software along with improved security such as added verifications and encryption. Asus blamed the attack on "Advanced Persistent Threat (APT) groups."
But the response stops short of giving specifics on what happened—such as explaining why the attacks were able to succeed.
Asus did not immediately respond to a request for comment.
Notably, the statement from Asus takes the approach of responding to "media reports" rather than to the attack itself.
The statement also indicates that only a "small number of devices" were affected, seeming to contradict Kaspersky Lab's findings.
Kaspersky Lab said it had so far uncovered more than 57,000 users with the backdoored utility. The firm has referred to the hack, which it's calling "ShadowHammer," as "one of the biggest supply-chain attacks ever."
Asus did appear to agree with Kaspersky Lab's assessment that hackers only meant to target a relatively small number of users with the attack.
In response to the "sophisticated attack," Asus has "introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism," the company said in its statement. "We have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future."