ShadowHammer Shows Supply Chain Risks

Trusted relationships can become critical risks when suppliers’ systems are breached.

When a platform is attacked, there are well-practiced tools and strategies for response. When a supply chain is attacked, as in the ShadowHammer attack that hit Asus and its customers, remediation can be much more of a challenge.

Dark Reading last week reported on the basics of the attack, and on March 28 Skylight Cyber added to the story by publishing a list of the roughly 600 MAC addresses targeted in the breach. This is a more transparent approach than the tool Kaspersky had published earlier, which let a user check a specific MAC address against a hidden table of targeted addresses to see whether that device was on the list.

The ShadowHammer attack is a case in which attackers used a trusted supplier — which itself was using trusted certificates for authentication — to target a relatively small number of end users.

“Kaspersky’s investigation identified 600 MAC addresses — a unique identifier assigned to each networked device — hard-coded into ASUS’ backdoored update utility. This indicates that the wide-reaching attack was launched for the purpose of targeting a relatively small number of very specific devices,” says Mark Orlando, CTO of Cyber Protection Solutions at Raytheon.

The small number of devices targeted in ShadowHammer is not a factor unique to the attack. “A common thread among many of these supply chain attacks is that, despite having access to a trove of compromised systems at their disposal, attackers have only targeted a smaller subset of those systems,” says Satnam Narang, senior research engineer at Tenable.

One of the aspects of the attack that seems most damaging at this point is the breach of trust in the vendor/customer relationship.

“We plainly see the need for validation of trusted-vendor channels in addition to digital signatures — which, in this case, appears to have further concealed the malicious activity by providing a false sense of integrity — not just for software and platform updates, but any ‘trusted’ vendor network which has access into our environment,” says Colin Little, senior threat analyst at Centripetal Networks.

And if the loss of trust results in reluctance to allow access, there could be even more serious consequences. “This can result in end-user skepticism about applying software updates, which often contain critical security updates that, if left unpatched, could be exploited,” Narang says.

That doesn’t mean channels like update servers should be given network carte blanche. “Organizations should take a hard look at supply chain security, and specifically software update security, in light of this report,” Orlando says.

Because compromised updates can be digitally signed and will likely get past signature-based protection, “the best defenses are a shift towards proactive analysis, e.g. threat hunting, and tougher scrutiny of third-party software,” he says.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …
