Asus was warned of hacking risks months ago, thanks to leaky passwords

April 8, 2019

A security researcher cautioned Asus two months back that workers were inappropriately distributing passwords in their GitHub stores that could be exploited to get to the organization’s corporate network.


One password, found in an employee repo on the code sharing, enabled the researcher to get to an email account used by internal developers and engineers share to nightly builds of apps, drivers and tools to computer owners.


The repo being referred to was claimed by an Asus engineer who left the email account’s passwords publicly exposed for no less than a year. The repo has since been cleaned off, however the GitHub account still exists. The researcher didn’t test how far the record access could have given him but warned it could have been anything but difficult to turn onto the network.


The researcher’s discoveries would not have ceased the hackers who targeted ASUS’ software update tool with a backdoor, revealed this week, yet reveals a glaring security lapse that could have put the organization at risk from similar or other attacks. Security firm cautioned Asus on January 31 — just a day before the researcher’s own disclosure on February 1 — that hackers had installed a backdoor in the company’s Asus Live Update app.


The app was signed with an Asus-issued certificate and hosted on the company’s download servers. More than a million users were pushed the backdoored code, researchers have estimated. Asus confirmed the attack in a statement and released a patched version. Through the company’s committed security email, the researcher cautioned Asus of the exposed credentials. After six days, he could never again sign in to mailbox and expected the issue was settled.


A day after we alarmed Asus to the researcher’s email, the repos containing the credentials were pulled offline and wiped clean. Yet when reached, Asus spokesperson Randall Grilli told well-known online publisher that the computer maker was “unable to verify the validity” of the claims in the researcher’s emails “Asus is actively investigating all systems to remove all known risks from our servers and supporting software, as well as to ensure there are no data leaks,” he added.


In all actuality, this issue isn’t isolated as Uber suffer the same faith which was ordered to pay for settlement in the end. But given Asus knew of the issue’s months ago amid a backdoor threat that affected more than a million users, you would have hoped for a better, more active response.


Credential Stuffing and Brand Monitoring:


So much for the on-going credential stuffing technique employed by hackers. This time was just a phishing intelligence move by utilizing the open source Intelligence available in Github. This could have been prevented if ASUS had a Brand Monitoring deployed for its properties.

About the author

Leave a Reply