Tag Archives: Asus

Hackers Breach Asus Routers and Include “Bonuses” When You Buy Access

The FBI has been tipped to a hack of around 130,000 Asus routers, details of which are available on the dark web – for sale.

To incentivize the sale, the crook has scored each router as to how useful it might be to launch attacks.

Access to these devices is being sold for as little as a few bucks per device, so that hackers’ illegal activities will trace back to your house and you get to explain to the FBI that it wasn’t you when they come visit.

But, as Ron Popeil used to say (if you are old enough to remember him – otherwise use Google), but wait, there’s more.

To incentivize crooks to buy his credentials, he is bundling the credentials with information on 500,000 Americans.

If that weren’t enough, he is also including a database full of credit card information.

This way the hacker can match YOUR router to YOUR credit card and YOUR personal information.  MUCH less likely to raise any red flags anywhere.

The data is available on a Russian web site, so there is zero chance that the feds can get the data taken down.  They could, of course, try to hack it, but that may or may not work.

The whole idea is to create a scenario that is low risk.  Routers that have not been used for much fraud, personal information and stolen credit cards.  A bit of a crook’s trifecta.

From a victim’s standpoint —

  1. If you have an Asus router, make sure the firmware is up to date
  2. Check your router to see if there are any user names added that are not supposed to be there
  3. Change the password on the router to something which is long and hard for a hacker to guess
  4. If you can, watch your router’s logs
  5. Finally, watch your credit cards for fraud

Security News for the Week Ending June 21, 2019

Asus Was Not Alone

I wrote about the Asus supply chain attack in March (search for Asus in the blog search box).  Attackers, somehow, compromised the development environment, injected malware and allowed the system to compile, digitally sign and distribute it through the software update process.  Hundreds of thousands of clients were infected as a result.

Now we are learning that Asus was not alone.  Kaspersky Labs, the Russian antivirus firm that the U.S. Government loves to hate, says that there were more.

In all cases, the development process was compromised and infected software was distributed – including:

  • game maker Electronics Extreme
  • Innovative Extremist, a web and IT company
  • Zepetto
  • Plus at least three other companies

All of these companies are current or former game makers and all had their internal development environments compromised to the level that hackers were able to get them to distribute digitally signed malware.  Source: Kaspersky.

 

Samsung warns Users To Check Their TVs for Viruses – Then Unwarns

Last Sunday Samsung put out a notice on Twitter:

“Scanning your computer for malware viruses is important to keep it running smoothly,” the message warned. “This also is true for your QLED TV if it’s connected to Wi-Fi! Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here’s how:”

Then they deleted the message, as if someone figured out that if users thought their TVs were breeding grounds for bad stuff, they might not buy a new TV.  When Samsung was asked about it, the reporter got no reply.

YOU DO scan your smart TV for malware every few weeks, don’t you?  Source: The Register

 

The Consequences of A Data Breach

By now everyone is aware of the data breach reported by Quest Labs and Labcorp, among others.  But there is another part of the story.

As I have reported, the source of the breach was a third party vendor, American Medical Collection Agency (AMCA), which makes this a vendor cyber risk management problem.

Now that the breach has become public, customers are fleeing from AMCA like the proverbial rats from a sinking ship.

As a result of that, the lawsuits already filed and to be filed and the regulators snooping around, AMCA’s parent company, Retrieval-Masters Creditors Bureau, Inc., has filed for bankruptcy.

It seems the company’s future is pretty cloudy.  Source: CNN.

 

Your Tax Dollars At Work

A Florida city has taken the opposite tack from Baltimore and decided to pay a hacker’s ransom demand instead of rebuilding from scratch.

Riviera Beach, Florida, population 34,000, was hit by a ransomware attack three weeks ago.  Like many cities and towns, Riviera Beach likely didn’t prioritize IT spending very highly and crossed its fingers.

The Baltimore hacker asked for about $95,000, which the city refused to pay.  They have now agreed to implement a number of IT projects that have been ignored for years and to spend $18 million.

In this case, the hacker was bolder, asking for $600,000, which, if the city has typically poor IT practices, was the only way to get its data back.

The reason why we hear about all of these attacks on cities is that their budget process is legally much more public.  If a private company pays a ransom, there is, most of the time, no legal requirement to disclose it.  Source: CBS.

 

More Supply Chain Woes, Courtesy of Asus

Here is an interesting combination of countries.

Multi-billion dollar Taiwan-based computer maker Asus makes a wide range of computers sold worldwide.

Russian anti-virus maker Kaspersky, whom the White House says is a threat to national security and should be banned (which I basically think is mostly true), identified that hackers attacked Asus’s software update mechanism and told US computer users (and other countries) that their computers were infected with malware.

How did it happen?  Hackers hacked Asus’ software update system and got Asus to send their customers malware to install.

Nice!

So is the Russian company outing the Chinese company Asus because they are enemies?

Or is the KGB trying to prove that Kaspersky is not a threat?

Or is Kaspersky just doing what its software is supposed to be doing?

The fact that the malware was SIGNED with Asus’ signing key says that the hackers compromised Asus’ internal controls.

The attack was very targeted apparently.  Similar to the CCleaner attack, even though the malware was downloaded a million times, only 600 specific MAC addresses on PCs were targeted.

One VERY IMPORTANT point here.  According to Kaspersky, Asus has been very unresponsive to the issue.

So, what do you do?

First of all, my recommendation would be to remove Asus from your approved vendor list now.  If they come up with a better story you can always add them back in later.  The only way companies will get serious about cybersecurity is if it affects their financials.

That being said, this whole supply chain attack business (think Flame, CCleaner and even NotPetya was delivered as a supply chain attack) is becoming a huge problem and likely not going away any time soon.

This means that companies need to protect themselves.

Creating and implementing a vendor cyber risk management program is a start.

Make sure that you have adequate CYBER insurance.

Next, figure out what your exposure is.  Are you buying parts (soft or hard) and integrating them into your product or software?  You are at a higher risk.

Are you a higher value target (like a tech company, financial services provider, have a lot of customer information, etc.)?  That puts you at risk.

While patching is a bit of a band-aid, it is one of the best band-aids that we have today.  This means EVERY SINGLE APPLICATION THAT IS INSTALLED ON EVERY SINGLE DEVICE – whether it is a server, desktop, laptop, phone, tablet or thermostat.  If it is on your network or talks to your network, it has to be patched fully.  Think about how bad patching habits worked out for Equifax.

As I said, this is not going to end soon — it is something that you should apply some think time to.  The potential impact on your brand could be very high, depending on your business model.

Source: Motherboard.  To see if your computer is infected, check out this Wired article.

 

 

FTC Settles With Asus Over Security Claims

Asus is an international manufacturer of all kinds of computer and networking equipment.

The FTC, in this case, was not upset with Asus for making hardware that was buggy and not secure, thereby exposing customers’ information, but rather for representing that its routers had numerous security features that could protect users from unauthorized access and hackers when they were buggy and not secure.

In fact, under Section 5 of the FTC Act, as the Wyndham Hotel chain discovered, they could probably have brought an action in either case, but it is much clearer that saying it was secure when it was not is deceptive.

According to the FTC,

ASUS marketed its routers as including numerous security features that the company claimed could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” Despite these claims, the FTC’s complaint alleges that ASUS didn’t take reasonable steps to secure the software on its routers.

The press release goes on to talk about some of the vulnerabilities and the fact that Asus did not address them in a timely or effective manner and did not notify consumers of the vulnerabilities.

Hopefully, this will act as a warning to manufacturers of Internet of Things devices that they better maintain reasonable security or the FTC will explain to them that they should.

In the agreement, Asus agreed to create a security program, have that program watched by the FTC for the next TWENTY years, to notify consumers of security flaws and workarounds for those flaws until they are patched and let the FTC audit them every two years during that period.

For those in the IoT space, doing what is in this agreement without being told will likely keep them out of the cross hairs of the FTC.  The FTC is not expecting IoT devices to be bug free, but they are expecting manufacturers to be responsible.

Manufacturers should consider themselves warned.

 

The FTC press release on the Asus settlement can be found here.