The warning refers to Operation ShadowHammer, a sophisticated supply chain attack mounted in 2018 by Chinese state-sponsored hackers
[…]
The attack was uncovered in January 2019 and Asus released a patch by March the same year.
It was already patched ~7 years ago, but CISA only warns now?
While over 1 million Asus users might have downloaded the backdoored utility, the hackers were reportedly interested in only around 600 specific devices, based on hashed MAC addresses hardcoded in various versions of the tool.
Per Binding Operational Directive (BOD) 22-01, federal agencies have three weeks to identify vulnerable products in their environments and address the issue.
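The gating mechanism described above (a hardcoded list of hashed MAC addresses, so the implant could recognise its ~600 targets without revealing their MACs) is what lets a defender check exposure after the fact: hash your own adapters' MACs the same way and see whether any land in the list. The script below is an added example, not code from the page, from Asus, or from the researchers who published checkers. It assumes MD5 over the canonical colon-separated MAC string, which is a stand-in for illustration; the real tool's hashing scheme is not given on the page and varied between versions. The target list is constructed from made-up MACs so the script runs offline.

```python
import hashlib
import re
import uuid

# Constructed sample MACs standing in for the real targets (which are not on the page).
_CONSTRUCTED_TARGET_MACS = ["00:11:22:33:44:55", "de:ad:be:ef:00:01"]


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, colon-separated octets.

    Accepts the usual spellings ('AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff',
    'AABBCCDDEEFF'); without this step the same adapter could hash differently.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def hash_mac(mac: str) -> str:
    """Hash of the canonical MAC. ASSUMPTION: MD5 is used here only as a stand-in."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


# What a ShadowHammer-style payload carries: only digests, never the plaintext MACs.
CONSTRUCTED_TARGET_HASHES = frozenset(hash_mac(m) for m in _CONSTRUCTED_TARGET_MACS)


def find_targeted_macs(local_macs, target_hashes=CONSTRUCTED_TARGET_HASHES):
    """Return the canonical MACs from local_macs whose hash appears in target_hashes.

    Malformed entries are skipped rather than aborting the whole check, and
    duplicates (the same adapter reported twice) are collapsed.
    """
    hits = []
    for mac in local_macs:
        try:
            canon = normalize_mac(mac)
        except ValueError:
            continue
        if hash_mac(canon) in target_hashes and canon not in hits:
            hits.append(canon)
    return hits


def primary_mac() -> str:
    """Best-effort MAC of this host via the standard library.

    uuid.getnode() falls back to a random 48-bit value (multicast bit set) when
    no hardware address can be read, so treat a match on it as a prompt to
    enumerate adapters properly, not as proof.
    """
    return normalize_mac(f"{uuid.getnode():012x}")


if __name__ == "__main__":
    mac = primary_mac()
    hits = find_targeted_macs([mac])
    print(f"this host: {mac}  hash: {hash_mac(mac)}")
    print("match in target list" if hits else "no match in target list")
```

Run it as-is to see the check against the constructed list; to reuse it against a published hash list, replace `CONSTRUCTED_TARGET_HASHES` with those digests and make sure `hash_mac` reproduces the exact string format and algorithm the list was built with, since any difference in case or separators yields a silent miss.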
The hackers targeted 600 devices, then waited 7 years and expected the targets wouldn't upgrade this app? This sounds strange, or I'm misunderstanding something.
I'm surprised it took this long. I bought a new motherboard in 2023 and discovered that the BIOS phones home and can patch the BIOS before the OS loads, and that was just a big NOPE for me, so I disabled it.
Was that a specific BIOS/UEFI setting (or settings)?
Yes, but IDK what it's called off the top of my head. I got suspicious after noticing firewall logs to Asus before the spamming Microsoft logs. The setting also lets the BIOS talk to the OS by providing drivers during the Windows OOBE; it will inject the Asus software like it's preinstalled, like OEM-supplied. Pissed me off because I have an ISO of Windows from my Visual Studio download that's basically the latest Windows, patched. I was like … blank slate, should just be Microsoft, wtf is Asus junk software doing there?!