
    Is your Asus router part of a botnet? How to check – and what you can do

    By Techurz | June 6, 2025 | 6 Mins Read

    Do you own an Asus router? If so, your device may have been one of thousands compromised in a large campaign waged by cybercriminals looking to exploit it. In a blog post published May 28, security firm GreyNoise revealed that the attack was staged by what it suggests is “a well-resourced and highly capable adversary.”

    To gain initial access, the attackers used brute-force login techniques and two different methods to bypass the built-in authentication. They were also able to exploit certain vulnerabilities not yet assigned official CVE numbers. Once they’d accessed the router, they were able to run arbitrary system commands by exploiting a known security flaw labeled CVE-2023-39780.

    In a statement shared with ZDNET, Asus acknowledged the vulnerability and said that it had sent a push notification to customers advising them to update the firmware on their devices.

    The flaw was actually disclosed in 2023. Its entry in the company’s Product Security Advisory is dated Nov. 3, 2023, and is listed as “RT-AX55 security update notice for CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348.” All of those are the same as CVE-2023-39780, according to Asus.

    More than 9,000 Asus routers affected

    Though no malware was actually installed, the attackers certainly left their mark.

    By using built-in Asus settings, they were able to set up SSH access, a secure way to connect to and control a remote device. They also installed a backdoor to return easily to the router’s firmware without worrying about authentication. The backdoor was stored in non-volatile memory (NVRAM), which meant it couldn’t be removed by rebooting the router or updating its firmware. To avoid being caught, the criminals even disabled logging, which would otherwise record their access.

    Based on data from internet scanner Censys, more than 9,000 Asus routers are affected and that number is growing. However, GreyNoise said that over the past three months, it witnessed only 30 related requests to access the affected routers. That seems to be a sign that the campaign is moving along slowly and quietly.

    If no malware is installed, what’s the goal behind the attack?

    “This appears to be part of a stealth operation to assemble a distributed network of backdoor devices — potentially laying the groundwork for a future botnet,” GreyNoise said in its post.

    And who’s behind it?

    “The tactics used in this campaign — stealthy initial access, use of built-in system features for persistence and careful avoidance of detection — are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks. While GreyNoise has made no attribution, the level of tradecraft suggests a well-resourced and highly capable adversary.”

    The language used by GreyNoise, particularly the reference to APTs, suggests a nation-state or attackers working on behalf of a hostile government. Though GreyNoise didn’t cite any particular adversary, such attacks have been attributed to different countries, including China, Russia, North Korea and Iran.

    Using its AI-powered payload analysis tool Sift and its observation grid, GreyNoise discovered the attack on March 18. But the firm said it waited until now to disclose it publicly so it could have time to consult with its government and industry partners.

    “In the past few years, networking gear especially for the home, SOHO and SMB market segments has had a rough go with attackers increasingly targeting these devices,” John Bambenek, president at cybersecurity firm Bambenek Consulting, told ZDNET. “The risk of the household being compromised is minimal, they’ll simply have their router be used to launch attacks on other parties (though they might start experiencing more captchas when they engage in their routine internet use). Sophisticated attackers are going for these devices because they intend to do something, and it’ll be more than cryptomining.”

    What should you do if you own an Asus router?

    To see if your device has been compromised, log in to the router’s firmware. Look for the “Enable SSH” option under the Service or Administration settings. If your router was caught in the campaign, the settings will show that someone can log in to it using SSH over port 53282 with a truncated SSH public key of: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ…

    The next steps vary based on whether your device has been infected, whether it’s still supported with firmware updates and how your security settings are configured.

    If your device has not been infected and is still supported, install the latest firmware update. If the device is not infected but is no longer supported, Asus recommends that you still install the last firmware update and then disable all remote access features, such as SSH, DDNS, AiCloud and Web Access from WAN. Unless you need to remotely access your router, disabling these features is a good idea for anyone.

    “For the overwhelming majority of people, turning off external admin access to the devices (whether SSH or HTTPS) makes good sense,” Bambenek said. “In fact, that should be the default setting as remarkably few people ever access the administrative interfaces in the first place.”

    What if your device is infected? Normally, updating the firmware would solve the problem, especially since Asus fixed the CVE-2023-39780 flaw with its latest firmware update. But if your router has already been compromised, the backdoor remains even after an update.

    In that case, you should remove or disable the SSH entry. You’ll also want to block the following four IP addresses: 101.99.91.151, 101.99.94.173, 79.141.163.179 and 111.90.146.237. Finally, you may want to factory reset your router and manually reconfigure it to make sure no traces of the backdoor remain.

    You might also want to find out if your device shows any signs of unauthorized access. For that, confirm that SSH (especially TCP port 53282) is not exposed to the internet. Then check the System Log in the firmware for any repeated login failures.
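
The indicators listed above (SSH on port 53282, the published key prefix and the four IP addresses) can also be checked offline against a copy of the router's SSH settings and an exported System Log. The Python sketch below is an added example, not code from GreyNoise, Asus or the original article; the `audit` function, its inputs and the sample log lines are constructed assumptions, and the key is matched only as the truncated prefix quoted above.

```python
import re

# Indicators quoted in the article; the key is truncated there, so match it as a prefix.
BACKDOOR_PORT = 53282
KEY_PREFIX = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ"
BAD_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}
# Whole IPv4 literals only, so 101.99.91.15 never matches inside 101.99.91.151.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def audit(ssh_enabled, ssh_port, authorized_keys, log_lines):
    """Return a list of findings; an empty list means no indicator matched."""
    findings = []
    if ssh_enabled and int(ssh_port) == BACKDOOR_PORT:
        findings.append(f"SSH enabled on campaign port {BACKDOOR_PORT}")
    for key in authorized_keys.splitlines():
        # Normalise whitespace so a padded or re-spaced key still matches.
        if " ".join(key.split()).startswith(KEY_PREFIX):
            findings.append("authorized key matches the published prefix")
    hits = {}
    for line in log_lines:
        for ip in IPV4.findall(line):
            if ip in BAD_IPS:
                hits[ip] = hits.get(ip, 0) + 1
    for ip, count in sorted(hits.items()):
        findings.append(f"log references {ip} ({count} line(s))")
    return findings


# Constructed sample input: the key tail after the published prefix is a
# placeholder, and the log lines are invented to show the matching logic.
SAMPLE_KEYS = KEY_PREFIX + "PLACEHOLDERTAIL constructed@example\n"
SAMPLE_LOG = [
    "Jun  1 03:12:44 dropbear[2211]: Child connection from 101.99.91.151:40122",
    "Jun  1 03:13:02 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10",
    "Jun  1 03:14:10 dropbear[2230]: Child connection from 101.99.91.151:40188",
    "Jun  1 03:15:10 dropbear[2231]: Child connection from 111.90.146.237:51000",
]

if __name__ == "__main__":
    results = audit(True, 53282, SAMPLE_KEYS, SAMPLE_LOG)
    for finding in results or ["no indicators matched"]:
        print(finding)
```

Any finding means the SSH entry should be removed and the router factory reset and reconfigured, as described above; an empty result only shows that these specific indicators were absent from the inputs supplied.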

    In any case, Asus also recommends that you adopt a strong administrative password, good advice for any router. That means a password at least 10 characters long with uppercase and lowercase letters, numbers and symbols.

    Also worth noting is that newer router models use more advanced security methods to better protect the device and firmware from unauthorized access. You can take advantage of the AiProtection now built into all Asus routers. Using this feature and the Asus router app or web page, you’re able to run a security audit that can analyze the strength of your password. Newer models also let you set up automatic firmware updating so that you don’t have to manually run the updates yourself.
