
Asus Admits Servers Hacked Two Months After Being Notified

UPDATED 3:15 p.m. Eastern time March 26 with Asus Live Update update-instructions link and Asus recommendation that infected users factory-reset their computers.

Asus finally issued a statement today (March 26) regarding the hacking of its own firmware-update servers, more than 24 hours after Vice Motherboard and Kaspersky Lab publicly disclosed the issue and nearly two months after Kaspersky Lab notified Asus that its servers had been hacked.

Credit: Roman Arbuzov/Shutterstock


"A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group," a company statement said. "Asus customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed."

At least 70,000 Asus devices have been infected with the corrupted Asus firmware, as documented by Kaspersky Lab and Symantec, which got the numbers from PCs running those companies' own antivirus software. Kaspersky Lab researchers estimate a million Asus computers worldwide may have been infected, which is arguably not a small number.


Asus said in its press release that it has taken steps to beef up its update-process security, but it made no mention of how the attackers -- thought to be a Chinese-speaking hacker crew with ties to the Chinese government -- managed to break into Asus' servers and steal Asus digital signing certificates that validated the malware as legitimate.

"Asus has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism," the press statement said. "At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future."

Asus has posted instructions for how to update the Live Update software here.

Between June and November 2018, the malware was delivered to Asus computers worldwide directly from Asus' own firmware-update services. The malware creates a "backdoor" that lets more malware be downloaded and installed without user authorization.

However, the malware lies dormant on almost all systems, activating only on specifically targeted individual PCs whose MAC addresses -- unique identifiers for each network port -- match those on hardcoded lists built right into the malware.

Kaspersky researchers identified about 600 MAC addresses on the hit lists, which is indeed a "small user group." But the specifics are still unclear, as we don't know who exactly the malware targets, or how the attackers got into Asus' update servers.

Asus also released a "security diagnostic tool to check for affected systems" that can be downloaded at https://dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/ASUSDiagnosticTool/ASDT_v1.0.1.0.zip.

That complements a Kaspersky Lab tool that checks for the presence of the malware, and a Kaspersky Lab webpage where you can check to see whether any of your Asus PC's network MAC addresses are on the malware's hit list.
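As an added illustration of the kind of check those tools perform (this is example code, not the Asus or Kaspersky tool), the script below normalizes MAC addresses written in different notations, extracts a host's interface MACs from `ip link show` output on Linux, and reports any that appear on a hit list. The hit list and the `ip link` output are constructed samples, not the real ShadowHammer targets.

```python
import re

# Constructed sample hit list, written in the mixed notations such lists
# circulate in (colon, dash, Cisco dotted, bare hex). Not the real list.
SAMPLE_HIT_LIST = [
    "00:11:22:33:44:55",
    "AA-BB-CC-DD-EE-FF",
    "0011.2233.4466",
    "deadbeef0001",
]

# Constructed `ip link show` output standing in for a real host.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
    link/ether 66:77:88:99:aa:bb brd ff:ff:ff:ff:ff:ff
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits, or None if it is not one."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return digits if _HEX12.match(digits) else None


def build_hit_set(entries):
    """Normalize a hit list into a set, skipping malformed entries."""
    return {n for n in (normalize_mac(e) for e in entries) if n}


def macs_from_ip_link(output):
    """Extract hardware addresses of Ethernet-style interfaces from `ip link`."""
    return re.findall(r"link/ether\s+([0-9a-fA-F:]{17})", output)


def matching_macs(local_macs, hit_list):
    """Return the local MACs (as given) whose normalized form is on the list."""
    hits = build_hit_set(hit_list)
    return [m for m in local_macs if normalize_mac(m) in hits]


if __name__ == "__main__":
    found = matching_macs(macs_from_ip_link(SAMPLE_IP_LINK), SAMPLE_HIT_LIST)
    print("on hit list:" if found else "no match:", found)
```

On a real Linux host, feed the output of `ip link show` and a published indicator list into the same functions; a match means the machine should be treated as targeted, not just infected.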

Unfortunately, Asus' diagnostic tool doesn't remove the malware if it finds it. Instead, Asus recommends that you "immediately run a backup of your files and restore your operating system to factory settings," as noted in a brief FAQ Asus posted about the issue.

Neither the FAQ nor the update instructions were included in the official Asus statement provided to Tom's Guide, but fortunately, factory resetting Windows 10 is relatively easy.

"This will completely remove the malware from your computer," the FAQ states.

Kaspersky researchers said they notified Asus of the issue on Jan. 31, but told Motherboard's Kim Zetter that Asus initially denied that its servers had been hacked.