Thousands of ASUS Routers Hijacked in Stealthy Backdoor Campaign


Hackers have gained unauthorized, persistent access to about 9000 ASUS routers in an ongoing exploitation campaign, according to cyber intelligence firm GreyNoise.

Unlike typical malware attacks, the attackers maintain long-term access without dropping malware or leaving traces. Instead, the operation uses the routers’ own legitimate features to create persistent backdoors that survive firmware updates and reboots.

It appears to be part of a stealth operation to assemble a distributed network of backdoor devices, potentially laying the groundwork for a future botnet.

The methods employed during this campaign mirror strategies typically associated with sophisticated, prolonged campaigns conducted by advanced persistent threat (APT) actors using operational relay box (ORB) networks.

Although GreyNoise has not made any attributions, the degree of operational skill exhibited implies that the perpetrator is a formidable and well-funded opponent.

Building ORB networks out of compromised devices has recently been a typical cyber espionage tactic used by Chinese state-sponsored hackers.

GreyNoise shared its findings in a May 28 report and a companion technical analysis by GreyNoise Labs.

ASUS Router Exploitation Campaign’s Intrusion Chain

The malicious campaign was discovered by GreyNoise researchers on March 18 using a GreyNoise-made AI-powered network traffic analysis tool called SIFT alongside fully emulated ASUS router profiles running in the GreyNoise Global Observation Grid.

Specifically, SIFT detected multiple anomalous network payloads attempting to disable Trend Micro security features in ASUS routers and then exploit vulnerabilities. SIFT also identified novel tradecraft aimed at the ASUS AiProtection features on those routers.

Upon investigating the source of the anomalous traffic detected by SIFT, the GreyNoise researchers discovered thousands of compromised ASUS routers.

As of May 27, approximately 9000 routers have been affected, with the number steadily increasing. 

The infection chain, analyzed by GreyNoise, unfolds in the following steps:

  1. Attackers gain access using brute-force login attempts and two authentication bypass exploits for zero-day vulnerabilities, which were not assigned any Common Vulnerabilities and Exposures (CVE) identifiers
  2. Attackers exploit CVE-2023-39780, a high-severity command injection flaw affecting ASUS RT-AX55, to execute system commands – patched by ASUS in a recent firmware update
  3. Attackers use legitimate ASUS features to enable SSH access on a custom port (TCP/53282) and insert an attacker-controlled public key for remote access; because this backdoor configuration is stored in non-volatile memory (NVRAM) rather than on disk, it is not removed by firmware upgrades or reboots
  4. Attackers disable router logging to evade detection

In its report, GreyNoise noted that while ASUS patched CVE-2023-39780 in a recent firmware update, the attacker’s SSH configuration changes cannot be removed by the update.

The initial login bypass techniques are patched but do not have assigned CVEs.

GreyNoise initially deferred disclosure of this investigation to inform government and industry partners before sharing its findings with the public.

On May 22, cyber threat intelligence firm Sekoia announced the compromise of ASUS routers as part of a campaign it called “ViciousTrap.”

ASUS Router Weakness Mitigation Recommendations

In its report, GreyNoise provided a list of recommendations to mitigate the threats posed by this malicious exploitation campaign:

  • Check ASUS routers for SSH access on TCP/53282
  • Review the authorized_keys file for unauthorized entries
  • Block the following four IP addresses: 101.99.91.151; 101.99.94.173; 79.141.163.179; 111.90.146.237
  • If a compromise is suspected, perform a full factory reset and reconfigure the ASUS router manually
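A defender-side check for the first two indicators above, added here as an example and not GreyNoise's or ASUS's code: when run on an ASUSWRT device it reads `nvram show`, otherwise it falls back to a constructed sample, and flags SSH enabled on TCP/53282 plus any authorized key whose blob is not in an administrator allowlist. The nvram variable names sshd_enable, sshd_port and sshd_authkeys, and the `>` separator between stored keys, are assumptions about ASUSWRT that the report does not state.

```shell
#!/bin/sh
# Read-only compromise check for the GreyNoise indicators (added example).
# Assumes ASUSWRT nvram variables sshd_enable / sshd_port / sshd_authkeys and
# that `nvram show` prints key=value lines; keys in sshd_authkeys are assumed
# to be separated by '>' (assumption, as the web UI stores them).

BACKDOOR_PORT=53282

# Extract one variable from a `nvram show`-style dump passed as a string.
nv() { printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1; }

# Returns 0 when the dump shows the SSH daemon enabled on the campaign's port.
ssh_on_backdoor_port() {
  e=$(nv sshd_enable "$1")
  [ -n "$e" ] && [ "$e" != "0" ] && [ "$(nv sshd_port "$1")" = "$BACKDOOR_PORT" ]
}

# Print each configured key whose base64 blob is not in the space-separated allowlist.
unknown_keys() {
  nv sshd_authkeys "$1" | tr '>' '\n' | awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 2 && !($2 in ok) { print }'
}

# Number of unknown keys, convenient for alerting thresholds.
count_unknown_keys() { unknown_keys "$1" "$2" | awk 'END { print NR }'; }

# Constructed sample dump standing in for `nvram show` on a suspect device.
SAMPLE_DUMP='sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-ed25519 AAAAC3CONSTRUCTEDOWNERKEY admin@home>ssh-rsa AAAAB3CONSTRUCTEDUNKNOWNKEY
lan_ipaddr=192.168.50.1'

# Constructed allowlist: blobs of the keys the administrator actually installed.
KNOWN_KEY_BLOBS='AAAAC3CONSTRUCTEDOWNERKEY'

main() {
  if command -v nvram >/dev/null 2>&1; then dump=$(nvram show 2>/dev/null); else dump=$SAMPLE_DUMP; fi
  if ssh_on_backdoor_port "$dump"; then
    echo "ALERT: SSH enabled on TCP/$BACKDOOR_PORT (sshd_enable=$(nv sshd_enable "$dump"))"
  fi
  unknown_keys "$dump" "$KNOWN_KEY_BLOBS" | sed 's/^/ALERT: unknown authorized key: /'
}
main
```

A key that is in the allowlist but was not installed by the administrator cannot be detected this way, so a suspected compromise still warrants the factory reset the report recommends.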

Photo credits: Real_life_photo/JHVEPhoto/Shutterstock
