
Operation ShadowHammer Exploited Weaknesses in the Software Pipeline

Kaspersky security researchers described how hackers used software updates to push malware onto victims’ computers

Photo-illustration of a computer with a hammer on it.
Illustration: Kaspersky Lab

When security researchers at Kaspersky Lab disclosed Operation ShadowHammer in March, they described how attackers tampered with software updates from PC-maker ASUSTeK Computer to install malware on victims’ computers. New details revealed last week indicate the operation was even more insidious: it also sabotaged developer tools, an approach that can spread malware much faster and more discreetly than a tampered update alone.

In ShadowHammer, a sophisticated group of attackers modified an old version of the ASUS Live Update Utility and pushed the tampered copy to ASUS computers around the world, Kaspersky Lab said. The Live Update Utility, preinstalled on most new ASUS computers, automatically updates the machine’s BIOS/UEFI firmware, hardware drivers, and bundled applications. The modified tool, signed with legitimate ASUSTeK certificates and hosted on official ASUS update servers, looked like the real thing. Once installed, it gave the attackers the ability to control the computer through a remote command-and-control server and to install additional malware.

ShadowHammer is an “example of how sophisticated and dangerous a smart supply chain attack can be,” said Vitaly Kamluk, Kaspersky’s director of the global research and analysis team.

ASUSTeK wasn’t ShadowHammer’s only victim. Attackers also targeted at least three gaming companies based in Asia through a similar method, Kaspersky researchers found. Instead of subverting software updates, though, the attackers made a one-line change to their targets’ integrated development environment (IDE), the program developers use to write and build code. The effect was that whenever Microsoft Visual Studio built code against a specific Microsoft-owned library, it linked a similarly named malicious library file instead.

Compilers and development platforms are at the core of the software supply chain, said Noushin Shabab, the Kaspersky senior security analyst who reverse-engineered the ShadowHammer malware. One infected compiler on a few developers’ machines can result in thousands of Trojanized software applications installed on millions of end-user computers.

“It’s a poisonous seed. Plant your poisonous seed in a safe place, and it will turn into the poisonous tree with fruit,” Shabab said.

Because the compiler and linker pull in code from linked libraries and other components, building against the tampered library silently added code the developer never wrote to the finished application. A source-code review won’t find the problem, because it isn’t anywhere in the original source and the developer doesn’t know the alternate library exists.

“When your compiler lies to you, your product always contains a backdoor, no matter what the source code is,” Kamluk said.

Kaspersky researchers found clues suggesting a group called Barium was behind both sets of attacks. Barium is known for “advanced persistent threat” (APT) attacks, which infect a computer or network and then lie undetected for a period of time. The group was previously linked to 2017’s ShadowPad attack, which compromised the update feature of server management software from the Korean firm NetSarang to install a backdoor on affected machines. One of the gaming companies hit in the ShadowHammer attack used NetSarang’s Windows X-server software, Kamluk said.


Barium is also linked to the 2017 CCleaner attack, in which hackers modified updates for the legitimate computer cleanup tool to include the ShadowPad backdoor. Kaspersky researchers believe the ShadowHammer attackers gained their initial access to ASUS through that trojanized CCleaner.

Software updates have been abused in other attacks. In 2017’s NotPetya outbreak, the malware, a destructive wiper that posed as ransomware, first reached victims through the compromised update mechanism of M.E.Doc, an accounting package widely used in Ukraine.

This latest attack echoes 2015’s XcodeGhost, when thousands of iOS apps built with a tampered version of Apple’s Xcode development environment were found to contain malicious code. Those apps, for instant messaging, banking, maps, stock trading, and games, could be remotely controlled from a command-and-control server. They could also collect device information and read from and write to the iOS clipboard.

This kind of compiler manipulation is not yet widespread because it requires deep knowledge of the tools developers use, as well as of the applications used by victims, Shabab said. However, the ShadowHammer case makes it clear that developers can’t assume their development environments are safe and have to regularly audit their own tools. In ShadowHammer, checking the libraries a program links against would have revealed the malicious file, which was signed with an invalid certificate.
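One way to perform the audit the preceding paragraphs call for is to pin the hashes of every library a toolchain is allowed to link against and re-check them before each build, flagging anything modified, missing, unexpected, or named one character off a trusted library, which is the substitution pattern described above. The script below is an added example written for this page; it is not Kaspersky’s, ASUS’s, or Microsoft’s code. All file names (vendor_core.lib, vendor_runtime.lib, the lookalike vendor_runtlme.lib) and the linker input list are constructed for the demo; the real Microsoft-owned library involved in ShadowHammer is not named here.

```python
"""Toolchain library integrity audit (added example; names constructed)."""
import hashlib
import tempfile
from pathlib import Path

LIB_SUFFIXES = (".lib", ".dll", ".obj")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(lib_dir):
    """Map relative path -> sha256 for every library-like file under lib_dir.
    Generate this once from a clean toolchain install and keep it where the
    build host cannot modify it (signed, or on read-only storage)."""
    lib_dir = Path(lib_dir)
    return {
        p.relative_to(lib_dir).as_posix(): sha256_file(p)
        for p in sorted(lib_dir.rglob("*"))
        if p.is_file() and p.suffix.lower() in LIB_SUFFIXES
    }


def edit_distance(a, b):
    """Levenshtein distance; used to spot names one character off a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name, trusted_names):
    """Return the trusted library whose stem is within one edit of `name`, else None."""
    stem = Path(name).stem.lower()
    for t in trusted_names:
        tstem = Path(t).stem.lower()
        if stem != tstem and edit_distance(stem, tstem) <= 1:
            return t
    return None


def audit_lib_dir(lib_dir, manifest):
    """Compare the library directory on disk to the pinned manifest.
    Returns a list of (kind, relpath, detail) findings; an empty list means clean."""
    findings = []
    current = build_manifest(lib_dir)
    for rel, digest in manifest.items():
        if rel not in current:
            findings.append(("missing", rel, "pinned library is absent"))
        elif current[rel] != digest:
            findings.append(("modified", rel, "content differs from manifest"))
    for rel in current:
        if rel in manifest:
            continue
        like = lookalike_of(rel, manifest)
        if like:
            findings.append(("lookalike", rel, f"unexpected file resembling {like}"))
        else:
            findings.append(("unexpected", rel, "file not in manifest"))
    return findings


def audit_link_inputs(link_inputs, manifest):
    """Check the libraries a build actually links (the linker's input list)
    against the manifest, so a one-line project change that points the build
    at a similarly named file is caught even before the file is inspected."""
    findings = []
    for lib in link_inputs:
        if lib in manifest:
            continue
        like = lookalike_of(lib, manifest)
        detail = f"resembles trusted {like}" if like else "not a pinned library"
        findings.append(("unpinned-input", lib, detail))
    return findings


def demo():
    """Constructed scenario: a clean lib dir is pinned, then tampered with."""
    with tempfile.TemporaryDirectory() as d:
        libs = Path(d)
        (libs / "vendor_core.lib").write_bytes(b"clean core library")
        (libs / "vendor_runtime.lib").write_bytes(b"clean runtime library")
        manifest = build_manifest(libs)

        # Attacker edits one pinned library and drops a lookalike beside it.
        (libs / "vendor_core.lib").write_bytes(b"clean core library + implant")
        (libs / "vendor_runtlme.lib").write_bytes(b"malicious substitute")
        (libs / "helper.lib").write_bytes(b"stray file")

        # Linker inputs after a one-line project edit that names the lookalike.
        link_inputs = ["vendor_core.lib", "vendor_runtlme.lib"]
        return audit_lib_dir(libs, manifest), audit_link_inputs(link_inputs, manifest)


if __name__ == "__main__":
    dir_findings, link_findings = demo()
    for finding in dir_findings + link_findings:
        print(*finding)
```

The hash manifest catches tampering regardless of how a file is signed, which matters because an attacker who controls the build host can also drop a file with a plausible-looking signature. Pair it with a signature check of the same files (on Windows, `signtool verify /pa` or PowerShell’s `Get-AuthenticodeSignature`), which is the check that would have exposed ShadowHammer’s invalidly signed library, and run both from a host the developers’ machines cannot write to.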

“We see this as the future, where the new targets are the software developers,” Kamluk said.
