Asus isn’t having a very good March. There are fresh allegations of major security breaches by the company’s employees, this time involving GitHub. The news comes on the heels of a security problem the company is still dealing with.
Earlier this week, Kaspersky Labs and Symantec both publicly stated that a major security breach at Asus had put the company’s customers at risk. According to Kaspersky Labs, up to a million systems might have been infected by a hacked version of Asus’ LiveUpdate software, as part of a goal of targeting ~600 very specific users by MAC address. Asus has released a statement on the attacks, confirming the assault was classified as an APT (Advanced Persistent Threat), a type of attack typically deployed by nation-states or potentially in corporate espionage rather than by ordinary hackers.
A security analyst that goes by SchizoDuckie contacted Techcrunch to share details of a security breach he discovered in Asus’ human firewall. According to him, Asus was improperly publishing its own employee passwords in repositories on GitHub. He was able to access internal company email as a result where nightly builds of apps, drivers, and tools were shared. The account was owned by an engineer who had reportedly left it open for at least a year. TC reports that SchizoDuckie shared screenshots to validate his findings, though they haven’t been released.
TechCrunch implies that this vulnerability isn’t how the hackers from the earlier attack gained access to Asus’ servers, writing:
The researcher’s findings would not have stopped the hackers who targeted Asus’ software update tool with a backdoor, revealed this week, but reveals a glaring security lapse that could have put the company at risk from similar or other attacks. Security firm Kaspersky warned Asus on January 31 — just a day before the researcher’s own disclosure on February 1 — that hackers had installed a backdoor in the company’s Asus Live Update app. The app was signed with an Asus-issued certificate and hosted on the company’s download servers.
It isn’t clear if Asus has identified exactly how its LiveUpdate app was compromised. Supposedly the app was compromised from July through November of last year and the GitHub account with the published passwords was active for at least a year before the disclosure was made to Asus on February 1. The timelines overlap significantly. SchizoDuckie also reported finding company passwords exposed on GitHub in two other engineers’ accounts.
“Companies have no clue what their programmers do with their code on GitHub,” SchizoDuckie said. Asus has said it couldn’t verify Schizo’s claims, but that “Asus is actively investigating all systems to remove all known risks from our servers and supporting software, as well as to ensure there are no data leaks.”
These sorts of security issues aren’t unique to Asus — we’ve seen a number of companies nailed by leaky credentials — but they speak to how complex a challenge it is to secure modern infrastructure and just how easy it is for data to leak.