A single hacking group is 'poisoning' legitimate software updates with malware

(Image credit: Pixabay via kalhh)

Surfing on seedier corners of the web where malware is known to hang around is obviously risky business, but when it comes to downloading updates for a widely used utility or grabbing a new driver, we take for granted that the manufacturer is pushing out clean code. Unfortunately, that isn't always the case. There is a hacking group that is actively mucking with trusted downloads, and nobody can seem to figure out the group's exact identity.

That latter bit is troubling, though the bigger concern is that no downloads are safe. Users of Asus's Live Update utility recently found that out when it was discovered that hackers had compromised a version of the software on the company's website, which effectively allowed the culprits to install backdoors on an estimated half a million Windows PCs.

"A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. Asus customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed," Asus said at the time.

Asus is not the only victim, though. According to a detailed Wired report, the hacking group that infiltrated Asus is the same one that also infected a previous version of CCleaner, a popular PC cleanup utility.

The hacking group responsible is conducting what are known as supply chain attacks because they exploit the software distribution channel. This is particularly insidious, as customers typically assume that software grabbed directly from the vendor is safe. Supply chain exploits of at least half a dozen companies over the past three years are all believed to have been carried out by the same hacking group.

Security firms have different names for the group. It's mostly known as Barium, though it has also been referred to as ShadowHammer, ShadowPad, and Wicked Panda. All of these names point to the same group.

Supply chain attacks seem to be this group's thing. Not a lot is known about the group, other than that it's believed to operate out of China. It could be a single individual (unlikely), a few individuals, or a large team of hackers. Researchers just don't know.

"They're poisoning trusted mechanisms," Kaspersky told Wired. "They're the champions of this. With the number of companies they've breached, I don't think any other groups are comparable to these guys."

What's odd is that despite the potential to dole out mass damage, the group seems to be focused on smaller targets. For example, out of the 600,000 machines researchers say were affected by the breach at Asus, the malware used MAC addresses to filter its targets down to just 600 machines. And with CCleaner, only around 40 computers out of the 700,000 that were infected received a follow-up piece of malware.

Other than the group's exact identity, there is a lot that researchers don't know at the moment, including how the hackers are able to infiltrate so many companies, what the group's ultimate goal is, and who exactly they might be targeting (and why).

What's also concerning is the potential to do a lot more damage. Silas Cutler, a researcher at Chronicle, has been tracking Barium. He told Wired that the group could unleash a "far more devastating" attack than NotPetya, a Russian cyberattack that caused a record $10 billion in damages. All Barium would have to do is deploy a ransomware worm through one of these attacks, Cutler says.

The nature of a supply chain attack makes it difficult to avoid being infected, short of never updating your software. That is dangerous in and of itself, though, since unpatched software carries its own risks. Your best bet is to stay diligent with frequent antivirus scans, and never assume that anything you download is safe, no matter where it came from.