ASUS Update Service Allegedly Spreads Malware After MitM Attack

None of the technology firms in existence today wants to be associated with nefarious activity. In the real world, however, it is not as easy to avoid such situations. For ASUS, its update mechanism has fallen victim to more abuse by criminals. Through this service, hackers were able to install backdoor malware on target PCs.

ASUS Faces Another PR Problem

On the one hand, it is commendable to see PC manufacturers offer an update system to keep their clients’ computers protected. It is convenient and appreciated by consumers all over the world. Unfortunately, such services will also attract a lot of unwanted attention. ASUS knows this all too well, as it is not the first time the company’s update system is attacked.

Earlier this week, it became apparent ASUS’ live update service was offering some rather unusual software. Eset researchers confirmed the service was actively distributing malware which can be used to gain backdoor access to infected computers. The exact attack vector remains unclear, albeit a router-level man-in-the-middle attack to breach insecure HTTP connections may be partially to blame.

Additionally, there are some concerns as to how received files are authenticated before they’re executed on the user’s computer. Under normal circumstances, such a code-signing process should prove to be rather foolproof. In the case of ASUS, there are some lingering questions as to whether or not something may be amiss in that regard. Regardless of the outcome, the Plead malware is actively distributed through ASUS’ update service.

The choice for distributing this particular malware is a bit unusual. Plead is primarily used to target private firms and government agencies across all of Asia. It has been distributed in many different ways, including the use of fake code-signing certificates from D-Link. Spear phishing and exploitable routers have also proven to be successful methods of distribution.

According to Eset’s researchers, there is a man-in-the-middle vulnerability which plagues ASUS Webstorage software. It is uncertain why the technology company uses non-HTTPS connections for the requests and delivery of updates in 2019. It seems that decision has left the service vulnerable to attack, which has now been officially exploited. It is important to note ASUS’ network was never breached, but one of their services may need to be revised sooner rather than later.

Interestingly enough, it would appear ASUS Cloud was well aware of an issue affecting its WebStorage service. Back in April of 2019, the update server was shut down temporarily to stop a different kind of attack. It is unclear if both incidents are related to one another. Two major problems affecting the same service in little over a month is particularly worrisome. There is still a lot of explaining to do at this time.