Thousands of Asus Routers face Persistent Backdoor Attack

Thousands of home and small office routers manufactured by Asus have been compromised by a sophisticated backdoor attack that remains persistent even after reboots and firmware updates. This malicious campaign, likely orchestrated by state-sponsored or well-equipped threat actors, enables the infiltrators to maintain undetected access.

The attackers took advantage of vulnerabilities in Asus routers, some of which were patched only recently and were never assigned identifiers in the internationally recognized CVE system. Using these exploits, the attackers gain unauthorized administrative control and install an SSH public key, allowing anyone who holds the corresponding private key to log in over SSH with full administrative rights.

Durable Control

“The attacker’s access survives both reboots and firmware updates, giving them durable control over affected devices,” stated researchers from security firm GreyNoise. As reported on their blog, the attack involves chaining authentication bypasses, exploiting known vulnerabilities, and misusing legitimate configuration settings without deploying malware, which minimizes detection.

GreyNoise has identified approximately 9,000 compromised Asus routers in this global campaign, and the number continues to grow. Notably, the threat actors have not yet put the compromised devices to active use; instead, they appear to be amassing them for future operations. The campaign was first detected in mid-March, and public disclosure was withheld until government agencies had been informed.

The activities of this entity appear related to a larger campaign identified by the security firm Sekoia, which referred to the threat actor as ViciousTrap. Sekoia's findings, supported by network intelligence from Censys, point to the potential compromise of up to 9,500 Asus routers.

The backdoor installation exploits several vulnerabilities, including CVE-2023-39780, a command-injection flaw that allows remote execution of system commands. Patches exist for this and the other vulnerabilities involved, though some of them still have no CVE listing.

To determine whether a router is infected, users should check the SSH settings in the device's configuration panel. Infected devices allow SSH login on port 53282 using a digital certificate with a truncated key. To remove the backdoor, users need to delete this key and change the port setting.

Another method to determine infection is by examining logs for access from specific IP addresses: 101.99.91[.]151, 101.99.94[.]173, 79.141.163[.]179, or 111.90.146[.]237. Regular security updates are essential for all router users, regardless of brand, to prevent such unauthorized access.
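The two checks described above (the SSH port and key, and log entries from the listed addresses) can be run together. The following Python is an added example, not code from the article, GreyNoise or Asus; it assumes the router's SSH port, accepted keys and log lines have already been exported, and the log format and key strings it uses are constructed placeholders.

```python
# Added example (not from the article, GreyNoise or Asus): checks a router's
# SSH settings and log lines against the indicators the article lists.
import re

# Indicators as printed in the article (defanged with "[.]"), re-fanged here.
INDICATOR_IPS = {ip.replace("[.]", ".") for ip in (
    "101.99.91[.]151", "101.99.94[.]173", "79.141.163[.]179", "111.90.146[.]237")}
BACKDOOR_SSH_PORT = 53282
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def check_router(ssh_port, authorized_keys, owner_keys, log_lines):
    """Return a dict of findings; 'suspicious' is True if any check fires.
    ssh_port        -- port the router's SSH service listens on (int)
    authorized_keys -- public keys currently accepted for admin login
    owner_keys      -- keys the owner knowingly installed (set of str)
    log_lines       -- raw router log lines (list of str)
    """
    findings = {
        # 1. SSH exposed on the port the article associates with the backdoor.
        "backdoor_port": ssh_port == BACKDOOR_SSH_PORT,
        # 2. Any accepted key the owner did not install themselves.
        "unknown_keys": [k for k in authorized_keys if k not in owner_keys],
        # 3. Log lines that mention one of the listed indicator addresses.
        "ioc_hits": [],
    }
    for line in log_lines:
        hits = set(IP_RE.findall(line)) & INDICATOR_IPS
        for ip in sorted(hits):
            findings["ioc_hits"].append((ip, line))
    findings["suspicious"] = (findings["backdoor_port"]
                              or bool(findings["unknown_keys"])
                              or bool(findings["ioc_hits"]))
    return findings

# Constructed sample input (not real device data) so the block runs stand-alone.
SAMPLE_LOGS = [
    "Mar 18 02:11:07 router dropbear[1320]: Child connection from 101.99.91.151:44122",
    "Mar 18 02:11:09 router dropbear[1320]: Pubkey auth succeeded from 101.99.91.151:44122",
    "Mar 18 08:30:00 router dropbear[1401]: Child connection from 192.168.50.20:50012",
]
OWNER_KEYS = {"ssh-ed25519 AAAAC3...owner-key-placeholder"}
SAMPLE_KEYS = list(OWNER_KEYS) + ["ssh-rsa AAAAB3...unknown-key-placeholder"]

if __name__ == "__main__":
    result = check_router(53282, SAMPLE_KEYS, OWNER_KEYS, SAMPLE_LOGS)
    print("suspicious:", result["suspicious"])
    print("indicator hits:", len(result["ioc_hits"]), "unknown keys:", result["unknown_keys"])
```

A hit on any of the three checks is a reason to remove the unexpected key and reset the SSH port, as the article advises, not proof on its own of the specific campaign.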

Dan Goodin, Senior Security Editor at Ars Technica, provided insight into this evolving security threat, emphasizing the importance of regular device updates to combat potential vulnerabilities. Follow him on Mastodon or Bluesky for more updates.