Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, CEO of Cyber Risk Opportunities and Jake Bernstein, Cybersecurity Council at the law firm of Newman Du Wors. Visit them at cyberriskopportunities.com and newmanlaw.com.

Jake Bernstein: So Kip, what are we going to talk about today?

Kip Boyle: Jake, today, we're going to talk about what cyber risk managers should know about the recent supply chain cyber attack against computer giant ASUS.

Jake Bernstein: All right. What happened?

Kip Boyle: This is a extremely complicated cyber attack and there's no way in the amount of time that we have, and considering our audience, we're not going to drill down into all the nitty gritty details. Suffice it to say, that there's a lot available on the internet. So, if you want to drill in, if you'd like somebody on your team to drill in, it would be very simple for you to go to Kaspersky Labs and you could also go to motherboard.com and there's quite a bit of information out there already. But here's what I think is relevant for our audience to know, so that we can have a good conversation about it.

In January of 2019, Kaspersky Labs, which is an anti-malware company. They sell products to help you detect malware. They discovered that cyber attackers had broken into the servers that belonged to ASUS and ASUS is a large Taiwanese computer maker. They're in fact, they're the fifth largest computer maker in the world. They make desktop computers, laptops, mobile phones, smart home systems, internet routers, all kinds of electronics. And what Kaspersky found is that a two-pronged attack had occurred. Let me describe what those two prongs were and then we'll talk about the impact. Ultimately what this episode is about is what does this mean for our listeners? Because stuff like this hits the headlines all the time and I think our listeners should rightfully be cynical about, "Okay, so it made headlines. But what does it really mean to me? Does this automatically become a top five risk or where is it in my risk universe?"

So, the two-pronged attack. So first once they were inside, the cyber attackers silently, and all this was done silently, by the way. They broke into the developer tools that ASUS's software developers were using and they injected malicious code into the development tools so that they could later on insert more malicious code after the ASUS software was digitally signed.

So, it was a Trojan horse is what they did. So when you downloaded the ASUS updates, whether it was a firm or update or something like that, and you check the digital signature, which is automatically done in most cases, the digital signature would say, "This came from ASUS, so it's clean." But in fact it wasn't clean. There was some code that came down at had malicious code in it and so all of the tools that people were using, defenders were using to check the legitimacy of the code, was completely tricked. So, that's a defense that was defeated ultimately in this attack. That was the first prong.

The second prong of the attack was that the attackers pushed out a malicious version of the ASUS software update tool, but it also had a legitimate digital certificate associated with it and so this software update tool went out to thousands of ASUS customers and it affected up to a million computers.Aall of this went on for at least five months in 2018, until this thing was discovered. The net result of this was a secret backdoor into all the ASUS systems that received this malicious software update tool and if you put those two prongs together, which you realize is that you've got now this kind of a mechanized delivery system where you can, if you're the attacker, you can insert any malicious code you want into any ASUS system that received this attack.

Kaspersky Labs calls it Operation Shadow Hammer. They estimated about 500,000 people received the update. But interestingly enough, by dissecting the malicious code, they found out that the cyber attackers were only targeting about 600 individual computers.

Jake Bernstein: Well, wow. So a couple of reactions to that first, what's with that name, Shadow Hammer?

Kip Boyle: You know, I love how these days, exploits like this, are given really sexy marketing labels on them. I can't remember when this first started happening, but this is a fairly recent thing to do, to turn these things into, what do they call the sound bites. But the idea behind the name is that by silently releasing malicious code, that hits tens of thousands, hundreds of thousands of targets when you're really only going after a few, is kind of like trying to smash something small with a giant hammer. So, shadow hammer. I guess it makes sense.

Jake Bernstein: So, maybe more substantively on the... And this is of course I think speculation on anyone's part, but this seems awfully sophisticated, awfully targeted and very specific and just screams nation-state to me.

Kip Boyle: I think so. Yeah, either nation-state, or maybe nation-state in combination with a very well funded cyber criminal gang. What we're seeing these days is more and more that they're cooperating.

Jake Bernstein: Or industrial espionage. I mean, it depends on who those 600 people were. I mean, this is very specific.

Kip Boyle: It is.

Jake Bernstein: And it doesn't seem clear that we know exactly what they were after.

Kip Boyle: No, it's not clear what they were after yet. I imagine more details will dribble out over time, that typically what happens. But at this point, what we know is it was a target attack, incredibly well planned, well executed. Whoever did it was very patient. They took care to remain silent. Even the people who received the malicious codes while they noticed abnormalities, strange behavior, it wasn't enough to really cause them to suspect that it was a true compromise. They just sort of chalked it up to the kind of weirdness that happens on your computer and then you reboot it and all of a sudden it's gone.

I think cyber attackers really rely on us as targets to search for innocuous explanations for strange behavior and to trivialize the stuff that they don't hide very well.

Jake Bernstein: Right. Well, and I think that this reminds me a bit of NotPetya, which was another supply chain cyber attack, which we haven't really talked about yet, but that's what this ASUS attack was, was a supply chain cyber attack.

Kip Boyle: Exactly.

Jake Bernstein: In the case of NotPetya, the target there was a accounting software package in the Ukraine, that ultimately caused over 10 billion in damages worldwide.

Kip Boyle: Exactly.

Jake Bernstein: I think this highlights the growing threat from so-called supply chain attacks, where malicious software components gets installed on systems as their manufactured or assembled, or afterward via trusted vendor channels, and basically, I mean really it's how Target was hacked back in 2015 or so, and it's becoming more common.

Kip Boyle: Right. This is one of the things that's really important. This is one of the reasons why I felt like we should bring it to our listeners is because what we're seeing with the ASUS attack is a shift, a subtle shift from focusing on implanting malicious code during the manufacturing process of hardware software, and it's a shift now into violating or compromising trusted update channels.

We've started to see it. It's Continuing to happen and I think what we're seeing now is a trend that's going to continue into the future and it insidious, absolutely insidious, just like implanting during manufacturing but once you implant during manufacturing, you're sort of stuck with whatever you put in there is kind of what you're stuck with it. You don't really have the opportunity to continue to manipulate it and deliver new versions.

But this approach here where you compromise a trusted a channel, opens up so much more opportunity for ongoing exploitation and if it's happening to ASUS, if it's happening to accounting packages in the Ukraine, you got to stop and think, oh my goodness. This whole idea of having updates come to us was necessary because the attacks shifted from writing one piece of malware, releasing it, and then having it spread all over the place.

Shifting from that because anti-malware vendors got really good at blocking that and shifting it to zero-day exploits and exploiting systems that didn't have their patches installed.

This is another example of where this arms race, this cat and mouse game here, where we do something to defend ourselves a little bit better and the adversary compromises it and makes it not as trustworthy.

Jake Bernstein: Exactly. I think the real insidious part about that is that we both rely on automatic updates to keep ourselves safe, but yet so doing, we open ourselves up to yet a new vector of attack.

Kip Boyle: That's right. So we have this erosion of trust out of our systems that we've worked really hard to put in place, to train people. Like, yes, you want updates, right? And not only do you want them, but you want to set your computer so that you get them automatically, as soon as they can possibly be installed. The minute that they're available, bring them into your computer and install them. Now it's causing me to kind of grimace every time I bring down an update for a piece of trusted software. I'm thinking to myself, oh my goodness. What if this is the update where I'm going to actually ingest a piece of malicious code into my system that I currently trust and how would I know? Probably I would only know after the fact and maybe long after the fact.

Jake Bernstein: Yep.

Kip Boyle: The other thing about ASUS that kind of went off in my brain when I started reading about this cyber attack is, weren't they already sanctioned by the Federal Trade Commission?

Jake Bernstein: They were actually. In fact, back in 2016, they were charged by the FTC with mostly misrepresentations and unfair security practices, over multiple vulnerabilities in their routers, the cloud backup storage and the firmware update tool, that could have allowed attackers to gain access to customer files and router login credentials, among other things.

Kip Boyle: This isn't good.

Jake Bernstein: It was not good and basically the FTC said, ASUS, you knew about these vulnerabilities for at least a year before fixing them and notifying customers. You put nearly a million US rider owners at risk of attack. And basically, you didn't do a very good job of responding and recovering from the attack in the NIST cybersecurity framework par.

Then what ASUS ended up doing was settling the case by agreeing to establish and maintain a comprehensive security program that per the FTCs kind of standard concent decree, is subject to independent audit for 20 years.

Kip Boyle: Well, okay. So I can't believe that this latest incident is a data point in favor of ASUS's new and improved security program.

Jake Bernstein: Doesn't sound that way, but I suppose in their defense, it was at least a little bit different.

Kip Boyle: Well, I mean, as a-

Jake Bernstein: That was tongue firm. Yes, tongue firmly be there because it's though it is different on a technical level, this is something that they should have been extra careful about.

Kip Boyle: Right. So the case that was brought against them was really about products that were released into the market space and were kind of a reflection of what was going on internally in the company. How could internally, how could you organize yourselves to produce such products? Well, now what we're seeing is the internal systems of ASUS, themselves, were actually compromised in order to cause problems with products that they released into the market space. I got to think FTC is looking at this and maybe preparing to charge them again. I mean, is that kind of their pattern?

Jake Bernstein: They certainly could. I mean, it's one thing to screw up. It's another thing to screw up in the same way, a second time in a row. It's likely that if the FTC does decide that this violates their existing consent decree, ASUS could be subject to considerable fines based solely off the violation of the consent decree that this already in place.

Kip Boyle: That is what we've seen with other FTC situations. Usually in the original settlement, it's not terribly onerous, in terms of fines and that sort of thing. But when people violate their consent decrees, it can get pretty nasty. Right?

Jake Bernstein: It can. I mean, so part of it depends on who's doing the fining? The FTCs ability to fine administratively without a court case before you violate a consent decree is limited. But after, if they have to take you to court, or if you are found to violate an existing consent decree, then it gets really high, really fast. On the other hand, the state attorney general oftentimes will start with a significant fine and then there can be a follow-up significant fine if you violate a consent decree. It's a minor difference in the scheme of things, but it is relevant, I think.

Kip Boyle: Okay. So now what I want to do is point out something. We've talked about how this latest cyber attack against ASUS was like NotPetya, but I think in another way, I want to point out how it was not like it.

In this case, the attackers wanted to get into a very specific list of computers that they already knew in advance and they were so specific. I don't know if everybody in our audience understands this, but when a computer or device is manufactured and it has an ethernet card or ethernet capabilities built into the motherboard, every ethernet card is actually burned with a permanent address.

It turns out that the attackers had 600 permanent addresses that they were searching for and one of the things that's interesting about this is that Not-Petya was fairly indiscriminate. Once the attack was released, it attacked everybody that it could. Every computer that was vulnerable to that attack took it in the chin.

In this case, though, it was just these 600 hardware addresses. So if you were not one and you had the malicious code on your machine, nothing would happen to you. So very targeted and it makes me wonder where did those 600 addresses come from? I wonder if other computers at ASUS were compromised to reveal the sales records of the organizations that were being targeted. I can't figure out how else those addresses would've been known to the attacker. So, it could be even worse.

Jake Bernstein: It probably is and I think that just kind of, I think that tends to increase our confidence, I guess, that you could say, that this probably some kind of extremely sophisticated multi-prong attack, probably going after people that you might recognize certain names on those 600 hardware addresses. You might not. But it's clear that they had very specific targets in mind. Can not be a coincidence.

Kip Boyle: Right. Let's talk about what this means for our listeners. There's several things. There's several takeaways here. The first is I think you can expect, we can all expect, more supply chain attacks in the future, whether it's compromising the devices during the manufacturing process, or compromising them later on, as part of this trusted channel of updates. I think this is going to work very well for these patient, well-funded adversaries that in my line of work, we call them advanced persistent threat or APT.

If you were to Google that term, you would actually find that we are tracking several different groups that come under this umbrella of this term. These advanced persistent threats tend to, well, they persist not just in your network because they're getting in silently, but they persist in the sense that they attack over and over and over again with new ways of getting what they want. So, that's the first thing. So, we're going to see more of this.

The second thing is make sure that your malicious code detection systems always have the latest indicators of compromise. Indicators of compromise, our signatures, kind of signatures that are designed to detect malicious code, now they're not going to detect all malicious code out there, but in this case here, Kaspersky, once they figured out what was going on, they wrote indicators of compromise, which could be used by their anti-malware systems to find it. So this so important to have signature based malicious code detection capabilities, even though it's insufficient. You have to have other behavioral based tools as well.

Then also I want to point out that you need to be ready to respond and recover from an attack at a moment's notice.

Jake Bernstein: Absolutely. One thing that you made me kind of think about is that you said patient, well-funded. This doesn't seem like something that you would do for profit, exactly. Which I think just goes to show when we say advanced persistent threat, we really are often talking about, if not nation-states, then something close to it, rather than your kind of script kitty. Download it from the internet. Try to make some money, type people.

Kip Boyle: Right. These aren't ransomware purveyors. These aren't people looking to make a quick buck. These are people who are playing chess. I mean, think about the US steel industry and the erosion of their leadership based on the theft of intellectual property that happened a few years ago. It's insidious because what happens is an entire industry gets crippled and it's very, very difficult to understand, how is it that foreign steel manufacturers can produce steel as good as ours in terms of quality, but at such price advantage? You scratch your head as a steel maker in the US. And you're like, how out in the world did they do that?

Our steel makers in the US figured out at one point, that it was because intellectual property had been stolen into their steel making secrets.

Jake Bernstein: Interesting.

Kip Boyle: And so you see this long game that's being played here. So, that's probably what's going on in this case.

Jake Bernstein: So, I think from our listeners perspective, what we need to have people do is start asking your vendors, what they're doing to prevent and detect supply chain attacks. After all, they're your supply chain and so you should be concerned about what they're doing.

Kip Boyle: Definitely.

Jake Bernstein: Software developers need to be introducing additional checks for malware injections, even after code is digitally signed. I think that this is a technical solution that our listeners may not have direct control over, but it is something that, if you're going to be a trusted platform, or a trusted source and send out push code updates, then I think you have a duty to check it again.

Kip Boyle: So this is one of those sort of emergent practices. This time last year, I don't think anybody would've said that this was necessary, but now we have direct evidence that it is.

Jake Bernstein: Yeah. I want software developers to make like Santa Claus and check their list and then check it twice.

Kip Boyle: Our listeners should be asking their vendors specifically about this.

Jake Bernstein: Yep. I agree. We can call it the Santa clause. Bad joke, terrible.

Kip Boyle: Nice.

Jake Bernstein: Yeah. Lawyer joke.

Kip Boyle: All apologies to the movies.

Jake Bernstein: Exactly. Forgot about those. Then third, tell your staff to report any and all strange or anomalous behavior, even if not particularly by trusted and signed applications, so that your IT experts can check it out and just to focus really real quick on this. They should be reporting any strange or weird behavior, but I would actually argue that it's even more important that they report weird behavior from highly trusted applications and sources.

Kip Boyle: Definitely. As a CSO, I would receive reports of strange behavior a lot and it's really difficult to allocate resources to tracking stuff like this down. Some of it is so ephemeral that it's so difficult to actually figure it out. But what I would do though, is I would at least keep the reports, even if we weren't in a position to be able to explore them, so that as more reports came in, I could sort of look at them and say, is there a pattern here? Is there something that's going on? So, you may not be able to do anything immediately with these reports, but continue to accumulate them. They might reveal some kind of a pattern or some kind of a picture.

So that wraps up the set episode of the Cyber Risk Management Podcast. Today, we talked about what cyber risk managers should know about the recent supply chain cyber attack against ASUS. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport and should incorporate management, your legal department, HR, and IT, for full effectiveness. Managements goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee.

So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider are becoming a member of our Cyber Risk Business Strategy program. Find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.