Kaspersky has released information on Operation ShadowHammer, a malware/APT infection targeting ASUS systems with particular MAC addresses on their network adapters.
According to a Motherboard report:
"The issue highlights the growing threat from so-called supply-chain attacks, where malicious software or components get installed on systems as they’re manufactured or assembled, or afterward via trusted vendor channels. Last year the US launched a supply chain task force to examine the issue after a number of supply-chain attacks were uncovered in recent years. Although most attention on supply-chain attacks focuses on the potential for malicious implants to be added to hardware or software during manufacturing, vendor software updates are an ideal way for attackers to deliver malware to systems after they’re sold, because customers trust vendor updates, especially if they’re signed with a vendor’s legitimate digital certificate."
And that, in a nutshell, is a concern with, say, the Microsoft Windows 10 patches, pushed out at Microsoft's whim to Windows 10 users who haven't figured out yet how to prevent or at least defer them until they have been checked out. Same thing with Android and other operating system and application auto-updates: aside from the inconvenience of downloading and installing the patches, and the aggravation caused by the need to patch up such shoddy software in the first place, the security issue is insidious ... and yet there is also a substantial risk of not patching at all, or of delaying patches.
Rock, meet hard place.
As we know from Stuxnet, bank ATM and other infections, even supposedly offline/isolated computer systems and private networks are not totally immune to online attacks. As for anything permanently connected to the Internet (IoT things, for instance ... plus virtually all other ICT devices), well that's like someone grabbing onto the exposed end of a high voltage power cable in the hope that it has been permanently disconnected.
The ultimate solution is to improve the quality of software substantially, in particular minimizing exploitable vulnerabilities which implies simplifying and formalizing the design and coding. Unfortunately, that goal has eluded us so far and, to be frank, seems unattainable in practice. Therefore we're stuck with this mess of our own creation. Automation is wonderful but we can't trust the robots.