In brief: Security researchers report that the hacker group BlackTech has been deploying the Plead malware using router-level man-in-the-middle (MitM) attacks in Taiwan. The group is apparently exploiting a weakness in the Asus WebStorage update mechanism, which fetches updates over plain HTTP and runs them without checking their authenticity, to deliver the malware as a fake update.
According to security researchers with Eset, hackers have been exploiting Asus’ WebStorage software to install backdoors on victims’ computers. The malware used is called Plead and is primarily deployed by the hacker group known as BlackTech, which mainly targets Asian governments and firms with cyber-espionage attacks. Eset detected the illicit activity in Taiwan where the malware is most active.
Usually, the malicious software is distributed via phishing attacks. This time, however, researchers noticed that the Plead backdoor was being created and launched by a process called AsusWSPanel.exe, a legitimate component of Asus’ cloud-storage client, WebStorage.
The researchers believe the attackers are using a router-level man-in-the-middle attack to tamper with the client’s update traffic.
“The ASUS WebStorage software is vulnerable to this type of attack,” says Eset’s Anton Cherepanov. “Namely, the software update is requested and transferred using HTTP. Once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.”
Plead is known to use compromised routers as command-and-control servers, and most of the organizations attacked use the same brand of router with its administration interface reachable from the internet.
“Thus, we believe that a MitM attack at the router level is the most probable scenario,” says Cherepanov.
Eset says another possibility is a supply-chain attack, in which the attackers compromise the vendor’s own build or update infrastructure so that a trojanized update is served from the legitimate source. The researchers say that while this vector is possible, it is far less likely.
Cherepanov offers this advice: “It is very important for software developers to not only thoroughly monitor their environment for possible intrusions but also to implement proper update mechanisms in their products that are resistant to MitM attacks.”
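To make the flaw and the advice concrete, here is an added example (not code from Eset, Asus, or the WebStorage client) that contrasts the two update flows in Go. The "legacy" client runs whatever bytes come back, as Cherepanov describes; the "hardened" client only runs a payload whose version and SHA-256 hash were signed by a publisher key pinned in the client. The update structure, the manifest format, the key pair and the payload bytes are all constructed for the example; the ed25519 primitives are Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for the response an update server returns.
// A legacy client treats Payload as trusted; a hardened client demands that
// Signature verify under a publisher key pinned in the client binary.
type Update struct {
	Version   string
	Payload   []byte // bytes the client would write to disk and execute
	Signature []byte // ed25519 signature over manifest(Version, Payload)
}

// manifest is the exact byte string the publisher signs: the version plus the
// SHA-256 of the payload, so neither can be swapped independently of the other.
func manifest(version string, payload []byte) []byte {
	h := sha256.Sum256(payload)
	return []byte(version + "\n" + hex.EncodeToString(h[:]))
}

// legacyInstall mirrors the flaw described above: whatever arrived over plain
// HTTP is handed straight to execution with no authenticity check.
func legacyInstall(u Update) []byte {
	return u.Payload
}

// hardenedInstall accepts the payload only if the pinned publisher key signed
// this exact version and payload hash. The transport (HTTP or HTTPS) plays no
// part in this check, so it also holds up if the update server itself is compromised.
func hardenedInstall(pub ed25519.PublicKey, u Update) ([]byte, error) {
	if len(u.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update rejected: missing or malformed signature")
	}
	if !ed25519.Verify(pub, manifest(u.Version, u.Payload), u.Signature) {
		return nil, errors.New("update rejected: signature does not verify under the pinned key")
	}
	return u.Payload, nil
}

// mitmSwap models what a router-level attacker can do to an HTTP response:
// keep the version the client expects and replace the body. The attacker has
// no access to the publisher's private key, so the original signature stays.
func mitmSwap(u Update, malicious []byte) Update {
	u.Payload = malicious
	return u
}

// Scenario runs both clients against a genuine and a tampered update. It reports
// whether the legacy client executed the tampered payload and whether the hardened
// client rejected it; err is non-nil if the hardened client also refused the
// genuine update, which would be a false positive.
func Scenario() (legacyRanTampered bool, hardenedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed publisher key pair
	if err != nil {
		return false, false, err
	}

	genuine := []byte("constructed: genuine AsusWSPanel update bytes")
	malicious := []byte("constructed: backdoor dropper bytes")

	signed := Update{Version: "1.2.3", Payload: genuine}
	signed.Signature = ed25519.Sign(priv, manifest(signed.Version, signed.Payload))

	tampered := mitmSwap(signed, malicious)

	legacyRanTampered = bytes.Equal(legacyInstall(tampered), malicious)

	if _, verr := hardenedInstall(pub, tampered); verr != nil {
		hardenedRejected = true
	}

	got, gerr := hardenedInstall(pub, signed)
	if gerr != nil || !bytes.Equal(got, genuine) {
		return legacyRanTampered, hardenedRejected, fmt.Errorf("genuine update wrongly rejected: %v", gerr)
	}
	return legacyRanTampered, hardenedRejected, nil
}

func main() {
	l, h, err := Scenario()
	fmt.Printf("legacy client executed tampered payload: %v\n", l)
	fmt.Printf("hardened client rejected tampered payload: %v\n", h)
	if err != nil {
		fmt.Println("error:", err)
	}
}
```

Signing the version together with the payload hash matters: signing the hash alone would let an attacker replay an old, signed but vulnerable build under a new version string. Moving the download to HTTPS is still worth doing, but on its own it would not have stopped a supply-chain variant of this attack, which is why the signature check, not the transport, carries the trust here.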
TechSpot has reached out to Asus regarding its awareness of the situation. The company issued the following statement:
"ASUS Cloud first learned of an incident in late April 2019, when we were contacted by a customer with a security concern. Upon learning of the incident, ASUS Cloud took immediate action to mitigate the attack by shutting down the ASUS WebStorage update server and halting the issuance of all ASUS WebStorage update notifications, thereby effectively stopping the attack.
"In response to this attack, ASUS Cloud has revamped the host architecture of the update server and has implemented security measures aimed at strengthening data protection. This will prevent similar attacks in the future. Nevertheless, ASUS Cloud strongly recommends that users of ASUS WebStorage services immediately run a complete virus scan to ensure the integrity of your personal data."