ASUS Router Backdoor Attack: Over 9,000 Devices Compromised in Stealth Nation-State Campaign

Cybersecurity company GreyNoise reported an advanced and persistent attack infecting thousands of ASUS home and small-office routers. The covert campaign, suspected to be the work of a nation-state or a highly sophisticated threat group, plants a persistent backdoor that survives both firmware updates and reboots. Worse still, a typical user has no way of noticing that the backdoor is there.

Unpatched and Unseen ASUS Router Vulnerabilities

According to GreyNoise, the attackers first take over the ASUS routers by exploiting several vulnerabilities. Some have been patched; others have never been officially recorded in the CVE system. One confirmed vulnerability, CVE-2023-39780, is a command-injection flaw that allows arbitrary system commands to be executed on the router.

After gaining access, the threat actor installs their own SSH public key on the router, so that they can log back in later with the matching private key and full administrator privileges.

Long-Term Persistence Without Malware

What makes this attack so hazardous is the persistence of the access. GreyNoise states that the attacker does not drop malware or leave the usual indicators of compromise. Instead, they chain exploits, bypass authentication, and alter legitimate system settings, so the access survives firmware updates and system reboots.

According to Ars Technica, researchers maintain that this method “enables long-lasting control over the routers,” allowing the actor to quietly expand their botnet of exploited systems, potentially for use in extensive coordinated attacks.

ViciousTrap: A Coordinated Campaign with Global Reach

GreyNoise notes that this attack is part of a larger campaign referred to as “ViciousTrap”, a name coined by cybersecurity firm Sekoia. Web scans by network analytics provider Censys indicate that up to 9,500 ASUS routers may already have been exploited.

While the threat actor has yet to put the network of compromised routers to use, experts warn that this may be the calm before the storm, pointing to possible future large-scale disruption or espionage operations.

How to Tell If Your ASUS Router Has Been Compromised

The only way to verify this is a manual check:

  1. Log in to your router’s settings page
  2. Go to the SSH configuration
  3. Check for any suspicious entry using port 53282
  4. Look for the malicious SSH key, which begins with: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ
  5. If a backdoor is discovered, delete the key and disable SSH on that port immediately.
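The manual check above can be turned into a repeatable audit. The script below is an added example written for this article, not GreyNoise or ASUS tooling; it takes the SSH port, authorized-key lines and recent peer addresses that you copy out of the router’s settings page (the RouterSnapshot field names are this example’s own, not ASUS firmware variables) and flags the three indicators the article lists: the port, the key prefix, and the four IP addresses.

```python
"""Audit values copied from an ASUS router's SSH settings for the
ViciousTrap indicators quoted in the article. Example code, not
GreyNoise or ASUS tooling."""
import ipaddress
from dataclasses import dataclass, field

# Indicators exactly as quoted in the article.
SUSPECT_PORT = 53282
SUSPECT_KEY_PREFIX = "AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ"
SUSPECT_IPS = {ipaddress.ip_address(a) for a in (
    "101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237")}


@dataclass
class RouterSnapshot:
    """What the operator copies out of the router UI. Field names are
    this example's own (assumption), not ASUS firmware variable names."""
    ssh_port: int
    authorized_keys: list[str] = field(default_factory=list)
    recent_peers: list[str] = field(default_factory=list)


def audit(snap: RouterSnapshot) -> list[str]:
    """Return one human-readable finding per matched indicator."""
    findings = []
    if snap.ssh_port == SUSPECT_PORT:
        findings.append(f"SSH enabled on indicator port {SUSPECT_PORT}")
    for line in snap.authorized_keys:
        parts = line.split()  # authorized_keys format: <type> <base64> [comment]
        if len(parts) >= 2 and parts[0] == "ssh-rsa" \
                and parts[1].startswith(SUSPECT_KEY_PREFIX):
            findings.append(f"indicator SSH key present: {parts[1][:24]}...")
    for peer in snap.recent_peers:
        try:
            addr = ipaddress.ip_address(peer)
        except ValueError:
            continue  # skip hostnames or malformed entries
        if addr in SUSPECT_IPS:
            findings.append(f"connection from indicator address {addr}")
    return findings


if __name__ == "__main__":
    # Constructed sample resembling a compromised router (not real data).
    sample = RouterSnapshot(
        ssh_port=53282,
        authorized_keys=["ssh-rsa " + SUSPECT_KEY_PREFIX + "AAAA root@localhost"],
        recent_peers=["192.168.50.20", "101.99.94.173"])
    for finding in audit(sample):
        print("ALERT:", finding)
```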

Additionally, monitor connections from the following IP addresses associated with the attack:

  • 101.99.91.151
  • 101.99.94.173
  • 79.141.163.179
  • 111.90.146.237

To reduce risk, keep your router’s firmware updated, regardless of brand. Enable automatic updates if available, and disable remote access unless it is absolutely necessary. Change default passwords, and consider using a firewall or network-monitoring tool to detect unusual activity.

Source: TECHTIMES.com

Key Insights

  • Advanced attacks are exploiting ASUS routers through various unpatched vulnerabilities.
  • The attackers employ stealthy techniques, allowing persistent access without malware.
  • A significant number of routers have been compromised, with implications for future attacks.
  • Manual verification of router security is essential to detect potential backdoors.
  • Users are advised to maintain updated firmware and secure router settings.

Why should I read this?

If you own an ASUS router, this is a must-read! You could be sitting on a ticking time bomb without even knowing it. With thousands of devices being compromised, understanding how to protect yourself is key. We’ve broken down the nitty-gritty for you so you can act quickly and keep your network safe from these stealthy attacks. Don’t wait until it’s too late!