Incident: Hackers Compromise Asus Computers via Software Update Backdoor

Published Date: 2019-03-25

Postmortem Analysis
Timeline 1. The trojanised Asus Live Update packages were pushed to customers between June and November 2018 [82242]. 2. Kaspersky Lab discovered the compromised updater in January 2019 [82242]. 3. The articles therefore place the compromise in the second half of 2018, with detection and remediation in early 2019 [82194, 82242].
System 1. Asus Live Update Utility, the vendor's software update tool [82194, 82256, 82242] 2. FBI external email system, the Law Enforcement Enterprise Portal [121160]
Responsible Organization 1. The attackers who compromised Asus's Live Update Utility and used it to distribute a backdoored update to Asus computers; Kaspersky Lab links the operation (ShadowHammer) to the group known as Barium, which it also associates with the ShadowPad attacks and the 2017 CCleaner compromise [82194, 82256, 82242]. 2. The unidentified actors who compromised the FBI's external email system and used it to send spam carrying a faked warning of a cyberattack [121160].
Impacted Organization 1. Asus and its customers: thousands of Asus computers were confirmed infected through the Live Update tool [82194, 82242], and more than 1 million Asus computer owners worldwide potentially received the malicious update [82256]. 2. Kaspersky Lab identified more than 57,000 of its own users who had installed the backdoored update [82242]. 3. The Federal Bureau of Investigation (FBI), whose external email system was compromised and used to send fake spam emails to thousands of people and companies [121160].
Software Causes 1. The attackers compromised Asus's Live Update Utility and its delivery channel, so the vendor's own update mechanism served a backdoored update to customers [82194, 82256, 82242]. 2. The malicious package was a legitimate 2015 Asus update modified to carry a backdoor and signed with a genuine Asus code-signing certificate, so it passed the updater's checks and raised no warning on users' machines [82194, 82242]. 3. The backdoor checked the host's adapter MAC addresses against an embedded target list and fetched a second-stage payload only on matching machines [82194, 82242].
Non-software Causes 1. The articles identify no non-software cause for the Asus incident. 2. The compromise of the FBI's external email system, which let the attackers send spam to potentially thousands of people and companies, is attributed to a vulnerability in the FBI's Law Enforcement Enterprise Portal that the FBI itself describes as a software vulnerability, so it is not a non-software cause either [121160].
Impacts 1. The attackers gained control of Asus's software update channel, and a backdoored update reached potentially more than 1 million Asus computer owners [82194, 82256, 82242]. 2. Among confirmed installs, more than 57,000 users of Kaspersky products received the compromised update [82242]. 3. The malware, tracked as Operation ShadowHammer, selected victims by checking the host's MAC addresses against an embedded list of more than 600 target addresses and delivered a second-stage payload only to those machines [82194, 82242]. 4. The incident renewed concern about supply-chain attacks, in which a trusted vendor relationship is used to distribute malware, as in the 2017 CCleaner compromise [82242]. 5. Separately, the compromise of the FBI's Law Enforcement Enterprise Portal showed that email from a trusted sender can be forged at scale: the fake emails reached potentially thousands of people and companies [121160]. 6. The FBI confirmed that no actor accessed or compromised any data or personally identifiable information on the FBI's network, so the data-breach impact was limited [121160].
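The MAC-address gate in item 3 is the part of ShadowHammer a responder most needs to reproduce, because it decides whether a given infected host ever received the second stage. The Go program below is an added example written for this page, not code from the articles or from Kaspersky; it models the implant's selection logic as a defender-side triage check. It assumes (this is not stated in the articles) that the embedded list holds lowercase MD5 hex digests of the MAC in canonical "aa:bb:cc:dd:ee:ff" form; the indicator list and host adapters in main are constructed, not real ShadowHammer data.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"net"
	"sort"
)

// TargetSet builds the lookup table the implant would carry: a set of MAC
// hashes rather than raw MACs. It is built here from plaintext MACs only so
// the demo is self-contained; a responder running this against a published
// indicator list would load the hashes directly.
func TargetSet(macs []string) map[string]struct{} {
	set := make(map[string]struct{}, len(macs))
	for _, m := range macs {
		h, err := HashMAC(m)
		if err != nil {
			continue // skip malformed entries rather than abort the whole list
		}
		set[h] = struct{}{}
	}
	return set
}

// CanonicalMAC folds the many spellings of a MAC (colons, dashes, Cisco dots,
// mixed case) into the form net.HardwareAddr prints: lowercase, colon-separated.
// Without this step the same adapter could be missed because of formatting.
func CanonicalMAC(s string) (string, error) {
	hw, err := net.ParseMAC(s)
	if err != nil {
		return "", err
	}
	return hw.String(), nil
}

// HashMAC returns the lowercase MD5 hex digest of the canonical MAC string
// (assumed hashing convention, see lead-in).
func HashMAC(s string) (string, error) {
	c, err := CanonicalMAC(s)
	if err != nil {
		return "", err
	}
	sum := md5.Sum([]byte(c))
	return hex.EncodeToString(sum[:]), nil
}

// Targeted returns, in canonical form, every adapter on the host whose hash
// is in the target set. An empty result means the implant would have stayed
// dormant on this machine and never fetched the second stage.
func Targeted(hostMACs []string, targets map[string]struct{}) ([]string, error) {
	var hits []string
	for _, m := range hostMACs {
		h, err := HashMAC(m)
		if err != nil {
			return nil, fmt.Errorf("bad MAC %q: %w", m, err)
		}
		if _, ok := targets[h]; ok {
			c, _ := CanonicalMAC(m) // already validated by HashMAC
			hits = append(hits, c)
		}
	}
	sort.Strings(hits)
	return hits, nil
}

func main() {
	// Constructed indicator list and host adapters; not real incident data.
	targets := TargetSet([]string{"00:11:22:33:44:55", "de:ad:be:ef:00:01"})
	host := []string{"00-11-22-33-44-55", "AA:BB:CC:DD:EE:FF", "0200.4c4f.4f50"}
	hits, err := Targeted(host, targets)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(hits) == 0 {
		fmt.Println("no adapter matches the target list")
		return
	}
	fmt.Println("targeted adapters:", hits)
}
```

Run it with the host's real adapter list (every adapter, including Wi-Fi and docking-station NICs, since the implant enumerated all of them) to separate hosts that only carried the dormant first stage from those the attackers actually went after.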
Preventions 1. Protect the code-signing keys and the build and release pipeline of the update platform (hardware-backed signing, separation of duties, an audit trail for every signing request), since the tainted updates carried a valid Asus signature [82194, 82256, 82242]. 2. Verify updates on the client with more than the vendor signature: compare the package hash against an independently published release manifest or transparency log, so that a validly signed but unknown build is rejected [82194, 82256, 82242]. 3. Audit and penetration-test the update infrastructure regularly, covering the servers that serve updates and not only the packages themselves [82194, 82256, 82242]. 4. Monitor the release process for anomalies such as signed artifacts with no matching build record, or a package served to customers that differs from the archived release [82194, 82256, 82242]. 5. Maintain a working disclosure channel so that findings from security vendors such as Kaspersky Lab and Symantec are acted on promptly [82194, 82256, 82242].
Fixes 1. Asus states that the latest version of its Live Update software adds multiple verification mechanisms to prevent malicious manipulation of updates [82194]. 2. Asus states that it strengthened the end-to-end encryption in its software architecture to prevent similar attacks [82194]. 3. Asus investigated the attack, cleaned up affected systems and put new defences in place [82194]. 4. Asus released a diagnostic tool with which users can check whether they are affected and offered assistance to affected users in removing the security risk [82194]. 5. The FBI remediated the software vulnerability in its external email portal as soon as it learned of it [121160].
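Prevention item 2 and fix item 1 both come down to the same rule: a valid vendor signature must not be the only thing an updater trusts. The Go program below is an added example for this page, not Asus's code and not the design of its updated Live Update tool. It assumes the attacker can produce signatures with the vendor's code-signing key (the Asus binaries carried a genuine Asus signature; how the attackers obtained that capability is not stated in the articles) and shows a second, independent check: a per-release manifest of payload hashes signed by a separate release-engineering key. The key names, version strings and payloads are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Update is what the updater downloads: a payload plus a signature made with
// the vendor's code-signing key. In the Asus case this check alone passed,
// because the tampered binaries carried a genuine Asus signature.
type Update struct {
	Version string
	Payload []byte
	Sig     []byte
}

// Manifest is the second, independent mechanism: a per-release list of payload
// hashes signed with a key held by a different system (release engineering),
// so that control of the build or signing pipeline alone is not enough.
type Manifest struct {
	Hashes map[string]string `json:"hashes"` // version -> hex SHA-256 of payload
}

type SignedManifest struct {
	Body []byte
	Sig  []byte
}

// signingInput binds version and payload together so a signature over one
// build cannot be replayed for another version.
func signingInput(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte("update-v1\x00" + version + "\x00"))
	h.Write(payload)
	return h.Sum(nil)
}

func SignUpdate(key ed25519.PrivateKey, version string, payload []byte) Update {
	return Update{Version: version, Payload: payload,
		Sig: ed25519.Sign(key, signingInput(version, payload))}
}

// VerifySignature is the check a naive updater stops at.
func VerifySignature(pub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pub, signingInput(u.Version, u.Payload), u.Sig)
}

func SignManifest(key ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Sig: ed25519.Sign(key, body)}, nil
}

// Accept admits an update only if BOTH checks pass: the code signature and the
// membership of the payload hash in the separately signed release manifest.
func Accept(codePub, releasePub ed25519.PublicKey, sm SignedManifest, u Update) error {
	if !VerifySignature(codePub, u) {
		return errors.New("update signature invalid")
	}
	if !ed25519.Verify(releasePub, sm.Body, sm.Sig) {
		return errors.New("release manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return err
	}
	want, ok := m.Hashes[u.Version]
	if !ok {
		return fmt.Errorf("version %s not in release manifest", u.Version)
	}
	sum := sha256.Sum256(u.Payload)
	if want != hex.EncodeToString(sum[:]) {
		return errors.New("validly signed but not a known build: payload hash not in release manifest")
	}
	return nil
}

func main() {
	codePub, codePriv, _ := ed25519.GenerateKey(rand.Reader)
	relPub, relPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed release: the build release engineering actually produced.
	genuine := []byte("LiveUpdate 3.6.8 genuine build")
	sum := sha256.Sum256(genuine)
	sm, _ := SignManifest(relPriv, Manifest{Hashes: map[string]string{"3.6.8": hex.EncodeToString(sum[:])}})
	fmt.Println("genuine:", Accept(codePub, relPub, sm, SignUpdate(codePriv, "3.6.8", genuine)))

	// Attacker with the code-signing key re-signs a backdoored build under the
	// same version. The signature check alone passes; Accept does not.
	tampered := SignUpdate(codePriv, "3.6.8", append([]byte("LiveUpdate 3.6.8 genuine build"), " + backdoor"...))
	fmt.Println("signature only:", VerifySignature(codePub, tampered))
	fmt.Println("tampered:", Accept(codePub, relPub, sm, tampered))
}
```

The manifest only helps if its key lives somewhere the build pipeline cannot reach; if both keys sit on the same signing host, the second check collapses back into the first.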
References 1. Kaspersky Lab 2. Symantec 3. Motherboard 4. Reuters 5. FBI 6. Spamhaus Project 7. Department of Homeland Security 8. Vinny Troia

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident having happened again at one_organization: - The compromise of Asus computers through the company's own update tool is not an isolated event for the actors involved. Kaspersky Lab researchers suspect a connection between this incident and a series of mostly thwarted 2017 ShadowPad attacks, as well as the successful use of ShadowPad in the CCleaner compromise [82194]. - Kaspersky Lab also noted that the Asus backdoor, the CCleaner backdoor and other ShadowPad instances share a conceptual design, which points to the same group behind them [82194]. (b) The software failure incident having happened again at multiple_organization: - Update-channel compromises of the same kind have hit other vendors. In 2017 the popular CCleaner tool was hijacked to install malware on millions of computers, the textbook case of a supply-chain attack [82242]. - The compromise of the Federal Bureau of Investigation's external email system, where attackers exploited a vulnerability in the Law Enforcement Enterprise Portal to send spam to potentially thousands of people and companies, is a further example of a trusted distribution channel being abused at a different organization [121160].
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase: - The malware reached Asus computers through the Asus Live Update Utility, the update platform Asus designed and operates [82194, 82242]. - The attackers did not need to break the updater itself: they took a legitimate Asus update from 2015, modified it to carry a backdoor, and distributed it through the company's own update system in the second half of 2018 [82194]. - The tainted package was signed with a real Asus certificate, so the updater's verification accepted it as genuine; a design that trusts any package bearing a valid vendor signature offers no defence once that signature can be obtained by an attacker [82194, 82256]. (b) The software failure incident related to the operation phase: - Users accepted and installed the update as they would any other, because nothing in the update process distinguished it from a genuine release [82194, 82242]. - The update was served to over 1 million Asus machines, and more than 57,000 Kaspersky users alone are known to have installed it, showing how far a single compromised release spreads through normal operation [82242]. - Once running, the backdoor checked the host's MAC addresses against an embedded list and fetched a second-stage payload only on targeted machines, so most infected hosts carried a dormant implant [82194]. - The case illustrates the supply-chain attack pattern: the vendor's distribution base becomes the attacker's, which is why operational controls on the release and signing process matter as much as the client-side check [82194].
Boundary (Internal/External) within_system, outside_system (a) within_system: the Asus infections came through the company's own Live Update Utility and a package signed with Asus's own certificate, so the failing component was part of the vendor's system [82194, 82242]. (b) outside_system: the malicious modification itself was introduced by external attackers who had gained control of the update system [82194, 82256]. In the FBI case the compromised system was an unclassified server used by FBI personnel to communicate outside the organization; the attackers did not appear to have reached internal databases holding state secrets or classified information [121160].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident occurring due to non-human actions: - The Asus Live Update Utility accepted and installed the backdoored package automatically because it carried a valid Asus signature; no user or operator decision was involved in that step [82194, 82242, 82256]. - The backdoor then ran its own selection logic, checking MAC addresses and fetching a second stage on matching hosts without further attacker interaction [82194, 82242]. (b) The software failure incident occurring due to human actions: - Attackers deliberately compromised the Live Update Utility, modified a genuine 2015 Asus update to carry a backdoor and pushed it to customers in the second half of 2018 [82194]. - Users installed the update, as they were expected to for a legitimately signed release [82194, 82242]. - In the FBI case, attackers exploited a vulnerability in an unclassified server used by FBI personnel for external communication to send spam in the FBI's name [121160].
Dimension (Hardware/Software) software (a) The software failure incident occurring due to hardware: - The software failure incident reported in the articles did not occur due to contributing factors originating in hardware. The incident was specifically related to hackers compromising Asus's software update system to distribute malware to Asus computers [82194, 82256, 82242]. (b) The software failure incident occurring due to software: - The software failure incident reported in the articles occurred due to contributing factors originating in software. Specifically, hackers were able to deliver malware to Asus computer owners by hijacking the company's software update system, leading to the distribution of a compromised software update with a "backdoor" that gave hackers access to infected machines [82194, 82256, 82242].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident reported in the articles is malicious in nature. Hackers compromised Asus's Live Update tool to distribute malware to almost 1 million customers by inserting a backdoor into the software update platform [82194, 82256]. The attack involved modifying a legitimate Asus update and signing it with a real Asus certificate to make it appear trustworthy, allowing the malware to be distributed widely. The malware was programmed to check for specific MAC addresses on targeted devices and download a second-stage payload for a deeper attack on those machines [82194]. The incident is part of a series of supply-chain attacks linked to a group known as Barium, which has been involved in similar attacks in the past [82194]. (b) The software failure incident was not non-malicious. It was a deliberate attack by hackers who exploited vulnerabilities in Asus's software update system to distribute malware to a large number of users, indicating malicious intent to compromise the security and integrity of the affected devices [82194, 82256].
Intent (Poor/Accidental Decisions) unknown (a) The intent of the software failure incident: - The articles do not say which decisions inside Asus allowed the update system and its signing certificate to be abused, so whether the underlying weakness reflects a poor decision or an accidental one is unknown [82194, 82242]. - The attackers' intent is not in doubt: they deliberately used Asus's legitimate certificate so the tampered update would raise no red flags, exploiting a trusted relationship for malicious purposes [82242].
Capability (Incompetence/Accidental) development_incompetence (a) The software failure incident occurring due to development_incompetence: - The articles attribute the Asus compromise to an external attacker rather than to a named development lapse; the fact that a tampered update could be signed with a valid Asus certificate and served through the company's own update tool does, however, point to weaknesses in how the signing and release process was protected, and that is the basis for this classification [82194, 82242]. (b) The software failure incident occurring accidentally: - The FBI's external email system was abused through a vulnerability in the portal, which the FBI remediated quickly once it learned of it; the defect itself appears unintentional, while its exploitation was deliberate. No actor accessed or compromised data on the FBI's network [121160].
Duration temporary The Asus incident was temporary: the backdoored update was distributed between June and November 2018, Kaspersky Lab discovered it in January 2019 after the attackers had taken over the Asus Live Update Utility, and more than 57,000 Kaspersky users were among those affected [82242]. Asus closed the hole in the latest version of the Live Update tool and released a diagnostic tool for users [82242, 82194]. The FBI incident was also temporary: the spam went out on a Saturday, and the FBI remediated the software vulnerability as soon as it learned of it [121160]. The compromised system was an unclassified server used by FBI personnel to communicate outside the organization; the attackers did not reach internal databases holding state secrets or classified information [121160].
Behaviour omission, value, other (a) crash: not applicable; the update tool and the infected machines kept running. (b) omission: the update tool's intended function is to deliver only genuine Asus software; for affected users it omitted that guarantee and installed an attacker-modified package carrying a backdoor that gave the attackers access to infected machines [82194, 82256, 82242]. (c) timing: not applicable; the update was neither early nor late. (d) value: the tool delivered the wrong content, a backdoored binary in place of the genuine update, leaving thousands of Asus computers infected [82194, 82256, 82242]. (e) byzantine: not applicable; the articles report no inconsistent responses. (f) other: both cases are trust-subversion failures rather than defects in what the system computed. The Asus updater did exactly what it was built to do, fetch and install a validly signed package, but the signature came from an attacker using Asus's legitimate certificate [82242]; the FBI portal likewise sent email it was built to send, with recipients and content chosen by an attacker [121160].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence (d) property: People's material goods, money, or data was impacted due to the software failure. The backdoored update gave the attackers access to users' machines and therefore to their data: potentially over a million Asus owners worldwide received it, more than 57,000 users of Kaspersky Lab products and at least 13,000 computers identified by Symantec are confirmed to have installed it, and the genuine Asus certificate meant it raised no red flags on the way in [82194, 82242]. theoretical_consequence: the articles describe the backdoor's capability, access to every infected machine plus a second-stage payload on the roughly 600 targeted MAC addresses, but report no specific theft of data or money from end users [82194, 82242].
Domain information, finance, government (a) The failed system belongs to the information industry: Asus's software update system for its computers, which was compromised to distribute malware to customers [82194, 82256, 82242]. (h) The articles name no finance-sector victim; the finance option reflects only the general exposure of anyone using a backdoored machine for financial transactions, which the cited articles do not substantiate [82194, 82256, 82242]. (l) The government sector was affected in the FBI case, where attackers compromised the Bureau's external email system and sent spam to potentially thousands of people and companies [121160].
