Here is an interesting combination of countries.
Multi-billion dollar Taiwan based computer maker Asus makes a wide range of computers sold worldwide.
Russian anti-virus maker Kaspersky, which the White House says is a threat to national security and should be banned (which I basically think is mostly true), identified that hackers attacked Asus's software update mechanism and told computer users in the US (and other countries) that their computers were infected with malware.
How did it happen? Hackers hacked Asus’ software update system and got Asus to send their customers malware to install.
So is the Russian company outing the Chinese company Asus because they are enemies?
Or is the KGB trying to prove that Kaspersky is not a threat?
Or is Kaspersky's software just doing what it is supposed to do?
The fact that the malware was SIGNED with Asus's own code-signing key says that the hackers compromised Asus's internal controls: a valid signature proves the update came from the holder of the key, not that the build it signs is clean.
The attack was apparently very targeted. Similar to the CCleaner attack, even though the malware was downloaded a million times, only about 600 specific MAC addresses on PCs were targeted by the second stage.
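The practical question that falls out of that targeting model is "was any of my machines actually in scope?" The download alone does not answer it, because the trojanized updater ran on a million PCs and only did anything further on the targeted MACs. The following is an added example (not code from the original post, Kaspersky or Asus) of the fleet check a defender would run once a target list is published. It assumes, as a hypothetical, that the indicator feed is a list of SHA-256 digests of canonicalized MAC addresses, and both the feed and the asset inventory below are constructed sample data.

```python
import csv
import hashlib
import io
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Reduce a MAC written in any common notation (AA:BB:.., aa-bb-.., aabb.ccdd.eeff)
    to 12 lowercase hex digits so every inventory source hashes the same way."""
    if not mac:
        raise ValueError("empty MAC field")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_digest(mac):
    """SHA-256 of the canonical MAC. Assumption: the indicator feed is published in this form."""
    return hashlib.sha256(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed (hypothetical) indicator feed: digests of the MACs the second stage was keyed to.
TARGETED_MAC_DIGESTS = frozenset(
    mac_digest(m) for m in ("00:11:22:33:44:55", "DE-AD-BE-EF-00-01")
)

# Constructed asset-inventory export; real data would come from your CMDB or NAC system.
SAMPLE_INVENTORY = """hostname,mac
fin-laptop-01,3C:97:0E:12:34:56
lab-pc-07,00-11-22-33-44-55
eng-desk-12,de:ad:be:ef:00:01
bad-row,not-a-mac
"""


def find_targeted_hosts(inventory_csv, targeted_digests):
    """Return (matches, skipped): hosts whose MAC digest appears in the feed, in inventory
    order, plus hostnames whose MAC field could not be parsed (these need manual follow-up,
    since a bad inventory row is not evidence the host was out of scope)."""
    matches, skipped = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            digest = mac_digest(row.get("mac"))
        except ValueError:
            skipped.append(row["hostname"])
            continue
        if digest in targeted_digests:
            matches.append((row["hostname"], normalize_mac(row["mac"])))
    return matches, skipped


if __name__ == "__main__":
    hits, unparsed = find_targeted_hosts(SAMPLE_INVENTORY, TARGETED_MAC_DIGESTS)
    for host, mac in hits:
        print(f"IN SCOPE: {host} ({mac}) -- isolate and preserve for forensics")
    if unparsed:
        print(f"rows needing manual review (unparseable MAC): {unparsed}")
```

Two design points: MACs are canonicalized before hashing so that a feed built from one notation still matches an inventory exported in another, and unparseable rows are reported rather than silently dropped, because "not found" and "could not check" are different answers during an incident.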
One VERY IMPORTANT point here. According to Kaspersky, Asus has been very unresponsive to the issue.
So, what do you do?
First of all, my recommendation would be to remove Asus from your approved vendor list now. If they come up with a better story you can always add them back in later. The only way companies will get serious about cybersecurity is if it affects their financials.
That being said, this whole supply chain attack business (think Flame and CCleaner; even NotPetya was delivered as a supply chain attack) is becoming a huge problem and likely not going away any time soon.
This means that companies need to protect themselves.
Creating and implementing a vendor cyber risk management program is a start.
Make sure that you have adequate CYBER insurance.
Next, figure out what your exposure is. Are you buying parts (soft or hard) and integrating them into your product or software? You are at a higher risk.
Are you a higher value target (like a tech company, financial services provider, have a lot of customer information, etc.)? That puts you at risk.
While patching is a bit of a band-aid, it is one of the best band-aids that we have today. This means EVERY SINGLE APPLICATION THAT IS INSTALLED ON EVERY SINGLE DEVICE – whether it is a server, desktop, laptop, phone, tablet or thermostat. If it is on your network or talks to your network, it has to be patched fully. Think about how bad patching habits worked out for Equifax.
As I said, this is not going to end soon — it is something that you should apply some think time to. The potential impact on your brand could be very high, depending on your business model.