This Asus story is a great teaching tool. Great example of digital signing gone wrong, importance of securing the update server, etc., but what really caught my eye was that apparently firmware updates were included. In theory, if this involved flashing new firmware, that could mean malware that would persist through a reformatting of the hard drive.
While perhaps this is a supply chain issue, I look at it as a philosophical one where the "feature" of updateable firmware has become a vulnerability. Give me the old days when ROM was really ROM. When a manufacturer knew it had only one shot to make something work right, it made sure it worked right. Now we treat firmware like any old piece of software - "Oh, if it's broken, we'll just fix it in the next version."
I agree and I also think this case is a little "challenging" for the IS community.
The other day I read that other controls that might raise red flags didn't immediately arouse suspicions either. One VirusTotal uploader noted grammar and spelling mistakes, but those were dismissed. Unaffected ASUS applications contained similar errors.
Remember the incident with CCleaner? One of the primary targets of the CCleaner attacks was ASUS. Is this a by-product of that operation? Is it a "coincidence"?