The recently identified attack on ASUS Live Update software is a real-life case of how a significant systemic event could unfold, with industry-agnostic and widespread consequences. Over one million PCs were affected. In this case, specific MAC addresses were targeted through hardcoding, which limited the scope, although it is clear the impact could have been much bigger. MAC addresses are device-specific identifiers and do not change, which points to potentially high-value information being sought from those devices. Targeting the supply chain of commonly used hardware (ASUS is the 5th largest PC manufacturer in the world) is a potentially effective way of amplifying the impact of such an attack.
Approximately 500,000 users globally were warned, and Symantec identified about 13,000 of its own customers as impacted. The use of legitimate digital certificates made the malicious updates appear more authentic.
In CyberCube's own scenario development for our Portfolio Manager accumulation management platform, we have considered software updates a material source of concentration risk. This is especially true for updates that come from a trusted source, as this one did. Had the payload included data-destruction capabilities, the potential for systemic loss is clear to see. By attacking a common point of the supply chain, this event shows how adversaries are often one step ahead.
“We saw the updates come down from the Live Update ASUS server. They were trojanized, or malicious updates, and they were signed by ASUS,”