The revelation by Kaspersky Lab and confirmed by Symantec, both global cybersecurity provider, that hackers 'hijacked' and injected malware into the computer maker's software update system sending updates infected with malware from them to the one million-plus ASUS computer owners in 2018 was indeed frightening.
Cybersecurity professionals and providers all over have always and consistently advocates that all computer users consistently and continuously update their software as per the instruction issued by the developers and manufacturers as these updates comprised mainly of patches for vulnerabilities discovered by the developers and manufacturers.
With this revelation, do we still continue with the updates issued by the developers?
The updates issued by ASUS were legitimate and were NOT fake updates or phishing/spam issued by hackers. Hackers 'planted' malwares into these update notices which were issued legitimately. The responsibility herein appears to lie with ASUS.
All ASUS computers out in the market now appears to be infected with the malware.
ASUS in a statement issued on 26 March 2019 said the following:-
The software update is the ASUS Live Update software which is a pre-installed utility on most ASUS notebooks that's used to automatically update components such as BIOS, drivers and applications.
A small number of devices have been implanted with malicious code in an attempt to target a very small and specific user group and not the million as claimed by Kaspersky. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed.
ASUS has implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, as well as introduced multiple security verification methods, and enhanced its end-to-end encryption mechanism.
ASUS have also updated and strengthened its server-to-end-user software architecture to prevent similar attacks from happening in the future.
Kaspersky also mentioned that the attack apparently happened somewhere between June to November 2018. Kaspersky claimed they informed ASUS of the malware in January 2019. ASUS said it will issue a statement on 26 March 2019. Why the time lag of 3 months?
Based on this claim, it appears that ASUS was NOT aware that their software update was infected with malware. Despite being informed by Kaspersky in January 2019, ASUS did not acknowledge the matter publicly nor did it take steps to inform the owners of ASUS computers on the possibility of their computers being infected by malware. This appears to be a serious breach of corporate responsibility bordering on negligence.
Should all these users STOP using their ASUS computers and if so, what is their recourse / alternatives?
Their computers could have stored valuable information / data and now there is a possibility that the hackers could have access to these valuable information and make use of them. Neither Kaspersky nor Symantec or ASUS confirmed the type of malware that was injected. Is it a 'man in the middle' or a Trojan type? if so, how does ASUS fix able to detect and weed out these?
What about those organisations that uses ASUS computers for their entire network? What is the remedy for them?
What about the supply chain that are linked to these organisations? Would they be similarly affected by the malware?
ASUS's response is akin to a patient that was infected with a virus. The patient has been walking and going around his daily life without any side effects as the virus has yet to attack his body systems. But the virus works in mysterious ways - it started to infect every organ in the patient's body, affecting the functionality of each of the organ albeit in a slow motion way. ASUS found out that the virus was transmitted to the patient via one of their products. Now ASUS prescribed antibiotics to the patient with the view of 'killing off' the virus.