Asus Supplier Breach: How Everest Ransomware Turned a Partner Into an Entry Point

Aegiron 6 mins0

Summary

A company that supplies parts or technology to Asus was hit by a ransomware group called Everest. The attackers say they stole around 1TB of data, including camera source code linked to Asus products. Asus itself wasn’t directly hacked, but because the supplier had access to sensitive files, the impact still reaches Asus.

This is a supply-chain attack. Instead of attacking a big, well-protected brand head-on, the attackers went after a partner that had weaker defenses but still held valuable information.

How the attack likely worked

  1. The supplier was chosen
    • The supplier had access to internal files, source code, or development material.
    • From an attacker’s view, that’s a goldmine.
  2. Attackers got inside
    • Most likely through:
      • A hacked VPN account
      • Stolen or reused passwords
      • An unpatched server
      • Missing multi-factor authentication
    • No fancy malware needed.
  3. They stayed quiet
    • Once inside, they didn’t rush.
    • They searched file servers and code repositories.
    • Looked for backups and large data stores.
  4. Data was stolen first
    • Files were copied, compressed, and slowly sent out.
    • The claimed 1TB of data suggests this went on for days or weeks.
  5. Ransom pressure came later
    • Systems may have been encrypted.
    • The real threat was leaking the stolen data.

Why this is dangerous even if Asus wasn’t hacked

Stolen source code can:

  • Reveal how products work internally
  • Help attackers find future bugs or weaknesses
  • Be reused or sold to others
  • Create long-term security risks for customers

Indicators of Compromise (IoCs)

These don’t prove an infection on their own, but they should raise red flags.

Suspicious IP addresses seen in similar Everest activity

  • 185.225.73[.]102
  • 91.92.247[.]89
  • 193.142.146[.]211
  • 45.147.229[.]78

Unexpected connections from internal servers to these addresses should be investigated.

Domains that look “normal” but aren’t

  • secure-file-share[.]online
  • support-sync-service[.]site
  • cloud-backup-transfer[.]top
  • data-portal-update[.]net

Attackers often use names that sound boring and harmless on purpose.

File and system warning signs

  • Large .zip, .rar, or .7z files created suddenly
  • Compression tools running on servers that normally don’t use them
  • Source code accessed outside normal working hours
  • Backup services stopped or deleted

What defenders could have noticed (detection ideas)

1. Large outbound data transfers

outbound_data_size > 500GB
AND destination NOT IN approved_partners

If a supplier normally doesn’t send massive amounts of data outside, this is a big warning sign.

2. Access to source code at odd times

file_path CONTAINS ("source", "repo", "firmware")
AND time_of_day NOT IN business_hours

3. Compression activity before exfiltration

process_name IN ("7z.exe", "rar.exe", "zip.exe")
AND host_role = "file_server"

4. Backup or recovery tampering

event_action IN ("backup_deleted", "service_stopped")
AND service_name CONTAINS ("backup", "vss")

How this could have been prevented (realistic steps)

For suppliers

  • Use MFA everywhere, especially VPNs and admin accounts
  • Don’t store customer source code on open file shares
  • Monitor outbound data movement, not just inbound threats
  • Keep backups offline or isolated
  • Patch systems that face the internet

For large companies like Asus

  • Limit how much access suppliers really need
  • Segment supplier environments from core systems
  • Require security controls (MFA, logging, monitoring) in contracts
  • Ask vendors how they detect data theft, not just ransomware

Why attackers keep doing this

Attackers like Everest go after suppliers because:

  • Security is often weaker
  • Detection is slower
  • Data is still extremely valuable
  • One breach can impact multiple companies

It’s easier to break a side door than the front door.

The bigger takeaway

This wasn’t just a ransomware incident. It was a trust failure. Even strong companies are only as secure as the partners they rely on. As long as suppliers hold sensitive data, attackers will keep targeting them.

Bottom line

The Asus supplier incident shows that ransomware today is really about data theft, not locked screens. Organizations need to watch for unusual data movement, protect source code like crown jewels, and assume attackers will target the weakest link in the chain.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.