May 8, 2019 By Shane Schick 2 min read

A threat group known as Barium is exploiting trusted software updates and apps to conduct a wave of supply chain attacks, which could affect more than 1 million users around the world.

One example of the kind of tools used in the campaign is ASUS Live Update Utility, according to Kaspersky Lab. Over the course of a five-month period starting last June, the threat group used legitimate (but stolen) digital certificates to create Trojan versions of the software, which comes installed on ASUS computers.

Barium is also known as Shadowhammer and several other names, the researchers noted.

Barium’s APT Campaign

Using network adapters’ unique identifiers, otherwise known as media access control (MAC) addresses, the attackers hardcoded tables within the backdoors it created in the utility.

Those who installed the updater would immediately begin a process where the backdoor would check the tables to see if they were one of the several hundred users targeted in the supply chain attack. Only machines that matched indicated any activity on the network, which allowed Barium to fly under the radar for a considerable length of time, the researchers said.

Although they require more technical expertise and sophistication, supply chain attacks are a rising advanced persistent threat (APT). Other examples include the use of tools such as CCleaner, which is designed to remove unwanted files from a desktop computer.

The idea is to look for vendors with a large installed base who inherently trust the vendors in question and whose own infrastructure might otherwise be secure. In fact, researchers detected similar supply chain attacks involving three other Asian software vendors.

Keeping Supply Chain Attacks at Bay

Whether based on software applications or physical parts, a supply chain is only as good as its weakest link, and Barium is hard at work looking for those weak links.

IBM experts suggest performing regular inventories of third parties that might be connected to a network and scanning them for any signs of vulnerability. In some cases, organizations might need to add additional controls or change the process in which those external connections are established and maintained.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today