More than 9,000 Asus routers were silently hacked, and if you own one, there’s a chance yours is on that list. Luckily, you don’t have to wait for things to go south to find out.
Over 9,000 ASUS Routers Compromised in Ongoing Attack
A cybersecurity firm, GreyNoise, claims to have identified an “ongoing exploitation campaign” affecting thousands of ASUS routers exposed to the internet.
The report states that the attackers behind the campaign, who remain unknown, have gained unauthorized and persistent access to over 9,000 ASUS routers. Based on their tactics, including stealthy initial access and abuse of built-in system features to maintain control, GreyNoise says the activity points to a well-resourced and highly capable adversary, consistent with those seen in advanced, long-term campaigns.
The attackers reportedly used brute-force login attempts and two different authentication methods. After successfully accessing the ASUS routers, they exploited a known vulnerability (CVE-2023-39780) to run arbitrary commands. Through this, they enabled SSH access if it wasn’t already active and inserted their own public SSH key, granting persistent access.
Since the SSH key is stored in the non-volatile memory (NVRAM) rather than the file system, it survives reboots and firmware updates. The hackers took it one step further by disabling logging as well, removing any traces of their access. Surprisingly, the report claims the attackers don’t seem to be installing any sort of malware, which ultimately leads to the question—why the attack? GreyNoise says in its report:
This appears to be part of a stealth operation to assemble a distributed network of backdoor devices — potentially laying the groundwork for a future botnet.
In case you don’t know, a botnet refers to a network of hijacked computers or devices used to carry out scams and attacks, all remotely controlled by the attackers. Typically, the best course of action in such cases would be to update your router’s firmware. However, doing so won’t help here since the attackers’ changes are stored in the router’s NVRAM.
Related
Does Resetting a Hacked Router Make It Secure Again?
So, you’re router’s been hacked. The best solution is to reset the hardware, but does that make it secure again? Here’s what you need to know.
Thankfully, there’s still a way to check if hackers managed to get access to your ASUS router. You can do this by logging into the router’s firmware and heading to the Administration section. Then, look for the Enable SSH option under the Service header.
If your router has fallen victim to the attack, you’ll see that SSH access is enabled on an unusual port, specifically port 53282, along with the following truncated SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ…
Since a firmware update won’t fix this, the best solution is to factory reset your router. Asus also advises removing or disabling the SSH entry, along with blocking the following IP addresses: 101.99.91.151, 101.99.94.173, 79.141.163.179, and 111.90.146.237.
If you’re among the lucky ones, now’s a good time to update your router’s firmware to prevent falling victim to this in the foreseeable future. That’s because Asus fixed the CVE-2023-39780 flaw that allowed hackers to run arbitrary commands on the router.
