
Hackers exploit Asus cloud storage to install Plead backdoor on PCs

By Cal Jeffrey
May 16, 2019 at 4:50 PM
    According to security researchers with Eset, hackers have been exploiting Asus’ WebStorage software to install backdoors on victims’ computers. The malware used is called Plead and is primarily deployed by the hacker group known as BlackTech, which mainly targets Asian governments and firms with cyber-espionage attacks. Eset detected the illicit activity in Taiwan where the malware is most active.

    Usually, the malicious software is distributed via phishing attacks. However, this time, researchers noticed a process called AsusWSPanel.exe was activating the Plead backdoor. The program is a legitimate part of Asus’ cloud-storage client WebStorage.

    The researchers believe hackers are using a router-level man-in-the-middle attack.

    “The ASUS WebStorage software is vulnerable to this type of attack,” says Eset’s Anton Cherepanov. “Namely, the software update is requested and transferred using HTTP. Once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.”

    Plead will use compromised routers as command and control servers for the malware. Most of the organizations that have been attacked use the same brand of routers with admin settings accessible via the internet.

    “Thus, we believe that a MitM attack at the router level is the most probable scenario,” says Cherepanov.

    Eset says that another possibility is that the bad actors are using a supply-chain attack. This type of breach occurs within the manufacturer’s supply chain, where security measures may be lax. However, the researchers say that while this vector is possible, it is far less likely.

    Cherepanov offers this advice: “It is very important for software developers to not only thoroughly monitor their environment for possible intrusions but also to implement proper update mechanisms in their products that are resistant to MitM attacks.”
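    The two quotes above describe the defect concretely: the update is fetched over plain HTTP and executed without any authenticity check, so anyone on the path (here, a compromised router) can swap the body. The program below is an added illustration, not code from Asus, Eset or the WebStorage client, of the update mechanism Cherepanov is asking for: the client ships with a pinned Ed25519 public key and refuses any package whose signature does not verify, plus a version check against downgrade to an older signed package. Key generation, the `SignUpdate` vendor step and the sample payloads are all constructed for the example; in a real deployment the private key lives only on the vendor's signing infrastructure.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what the client receives from the update server: the package
// bytes, a monotonically increasing version, and a vendor signature.
type Update struct {
	Version   uint64
	Payload   []byte
	Signature []byte // Ed25519 signature over signedDigest(Version, Payload)
}

var (
	ErrBadSignature = errors.New("update signature does not verify against the pinned key")
	ErrRollback     = errors.New("update version is not newer than the installed version")
)

// signedDigest fixes the exact bytes that are signed. The version is bound
// into the digest so an attacker cannot replay an old, genuinely signed
// package under a new version number (or vice versa).
func signedDigest(version uint64, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(fmt.Sprintf("webstorage-update-v1|%d|", version)))
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor-side build step (assumed for the example). It
// never runs on the client; only the public half of the key is shipped.
func SignUpdate(priv ed25519.PrivateKey, version uint64, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedDigest(version, payload)),
	}
}

// VulnerableApply mirrors the behaviour Eset describes: whatever arrived over
// the wire is handed straight to the executor.
func VulnerableApply(u Update) []byte {
	return u.Payload
}

// VerifiedApply is the hardened client path. pinnedPub is compiled into the
// client binary; installed is the currently running version.
func VerifiedApply(pinnedPub ed25519.PublicKey, installed uint64, u Update) ([]byte, error) {
	// Authenticate first, before trusting any field of the untrusted blob.
	if !ed25519.Verify(pinnedPub, signedDigest(u.Version, u.Payload), u.Signature) {
		return nil, ErrBadSignature
	}
	// A validly signed but older package must still be refused.
	if u.Version <= installed {
		return nil, ErrRollback
	}
	return u.Payload, nil
}

// TamperInTransit simulates what an on-path attacker can do to a plain HTTP
// download: replace the body while leaving the rest of the message intact.
func TamperInTransit(u Update, evil []byte) Update {
	u.Payload = evil
	return u
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key
	if err != nil {
		panic(err)
	}
	genuine := SignUpdate(priv, 2, []byte("constructed: legitimate update package"))
	evil := TamperInTransit(genuine, []byte("constructed: attacker-supplied package"))

	fmt.Printf("vulnerable client executes tampered body: %v\n",
		bytes.Equal(VulnerableApply(evil), evil.Payload))
	_, err = VerifiedApply(pub, 1, evil)
	fmt.Printf("verified client rejects tampered body: %v\n", errors.Is(err, ErrBadSignature))
	p, err := VerifiedApply(pub, 1, genuine)
	fmt.Printf("verified client accepts genuine body: %v (err=%v)\n", bytes.Equal(p, genuine.Payload), err)
}
```

    The point to take from the example is that transport security alone is not the fix: the signature check works regardless of whether the download travelled over HTTP or HTTPS, so a router-level interception yields an update the client simply refuses to run. Moving the transport to HTTPS on top of that closes the remaining gap (an attacker learning which version the victim asked for, or withholding updates entirely).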

    TechSpot has reached out to Asus regarding its awareness of the situation. The company issued the following statement:

    "ASUS Cloud first learned of an incident in late April 2019, when we were contacted by a customer with a security concern. Upon learning of the incident, ASUS Cloud took immediate action to mitigate the attack by shutting down the ASUS WebStorage update server and halting the issuance of all ASUS WebStorage update notifications, thereby effectively stopping the attack.

    "In response to this attack, ASUS Cloud has revamped the host architecture of the update server and has implemented security measures aimed at strengthening data protection. This will prevent similar attacks in the future. Nevertheless, ASUS Cloud strongly recommends that users of ASUS WebStorage services immediately run a complete virus scan to ensure the integrity of your personal data."

    Lionvibez TS Evangelist Posts: 1,438   +601

    “Namely, the software update is requested and transferred using HTTP. Once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.”

    Da Faq Asus no HTTPS really?
    slamscaper TS Addict Posts: 223   +51

    Get your damn act together ASUS!
    axiomatic13 TS Maniac Posts: 209   +145

    Do not ever use that CD that comes with your motherboard. Just don't do it. Get the drivers ONLY from the manufacturer's website. But never use that damn CD and all of its poorly regression tested software.