Reboot and firmware update do not help: thousands of Asus routers compromised

An IT security firm has discovered a sophisticated campaign to compromise Asus routers. The backdoor the attackers plant survives both a reboot and a firmware update.


(Image: tinhkhuong/Shutterstock.com/heise online)


Thousands of Asus routers have been taken over by unknown attackers, and the unauthorized access cannot be removed by rebooting or by installing a firmware update. This is the finding of GreyNoise, which suspects the campaign may be the first step in building a botnet.

According to the IT security company, the attackers operate stealthily during initial access and then use the router's own built-in functions to entrench themselves deep within the system. This points to an "extremely capable" and well-resourced perpetrator. Patches are available, but they only protect routers that have not already been compromised.

As GreyNoise explains in a blog post, the attackers gain access through mass login attempts (brute force) and through authentication-bypass techniques that exploit weaknesses which were never assigned a CVE but have since been closed. They then exploit a further vulnerability, CVE-2023-39780, which Asus has also patched in the meantime, to execute commands on the router. Finally, they use the router's legitimate configuration functions to enable SSH access from the outside. Because these settings are stored in non-volatile NVRAM, which a firmware update preserves, the backdoor survives both a reboot and a firmware update. No malware is installed, and the routers' logging function is disabled, which makes the compromise hard to spot.


GreyNoise discovered the campaign in mid-March with the help of an AI-based analysis tool that flagged anomalous traffic. Asus was informed on March 23, and the patches followed. According to GreyNoise, almost 9,000 routers had been compromised at last count, and the number is still growing. The company does not specify which models are affected, but it does publish the IP addresses associated with the attack. GreyNoise also recommends checking whether SSH access on TCP port 53282 has been enabled on your own Asus routers and searching the "authorized_keys" file for unauthorized entries. If a device is compromised, only a factory reset followed by manual reconfiguration will help; a firmware update alone leaves the backdoor in place, and restoring a saved configuration backup risks reimporting the attacker's settings.
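As an added example, not code from the article or from GreyNoise, the following shell script runs the two checks recommended above against a dump of the router's NVRAM settings (produced on the router with `nvram show > /tmp/nvram.txt`), so the triage can be repeated across many devices. The variable names `sshd_enable`, `sshd_port` and `sshd_authkeys`, the meaning of the `sshd_enable` values and the `>` separator between stored keys are assumptions based on Asuswrt firmware conventions and should be confirmed on your own model; the sample dumps embedded in the script are constructed and contain fake key material.

```shell
#!/bin/sh
# Added example (not from the article or GreyNoise): triage an Asuswrt NVRAM dump for the
# indicators named above: SSH reachable on TCP/53282 and unknown entries among the SSH
# authorized keys. Produce the dump on the router with `nvram show > /tmp/nvram.txt`.
# Assumptions: the variable names sshd_enable / sshd_port / sshd_authkeys, the meaning of
# sshd_enable (0 = off, 1 = LAN and WAN, 2 = LAN only) and the '>' separator between keys
# in sshd_authkeys follow Asuswrt conventions; confirm them on your own model.

# Optional allow-list: one full key line ("type base64 comment") per line that you installed.
KNOWN_KEYS_FILE="${KNOWN_KEYS_FILE:-}"

# Print the value of one variable from a `nvram show` dump (empty if unset).
nvram_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Print one line per indicator found in the dump; prints nothing for a clean configuration.
scan_nvram_dump() {
    dump="$1"
    enable=$(nvram_get "$dump" sshd_enable)
    port=$(nvram_get "$dump" sshd_port)
    keys=$(nvram_get "$dump" sshd_authkeys)

    [ "$port" = "53282" ] && echo "sshd_port=53282: port used by the campaign"
    [ "$enable" = "1" ] && echo "sshd_enable=1: SSH exposed on the WAN side"

    # Split the stored keys and report every one that is not on the allow-list.
    printf '%s\n' "$keys" | tr '>' '\n' | while IFS= read -r key; do
        [ -z "$key" ] && continue
        if [ -n "$KNOWN_KEYS_FILE" ] && grep -qxF -- "$key" "$KNOWN_KEYS_FILE"; then
            continue
        fi
        # Report type, a prefix of the key material and the comment rather than the whole blob.
        echo "unknown authorized key: $(printf '%s\n' "$key" | awk '{print $1, substr($2,1,12)"...", $3}')"
    done
    return 0
}

# Constructed sample dump (fake key material) showing what a compromised router could look like.
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
lan_ipaddr=192.168.50.1
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCfakeAttackerKey0000 root@attacker>ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIfakeOwnerKey000000 admin@home
log_level=0
EOF

# Constructed clean dump: SSH off, default port, no stored keys.
CLEAN_DUMP=$(mktemp)
cat > "$CLEAN_DUMP" <<'EOF'
lan_ipaddr=192.168.50.1
sshd_enable=0
sshd_port=22
sshd_authkeys=
EOF

# Usage: sh check_asus_nvram.sh /tmp/nvram.txt   (falls back to the constructed sample dump)
scan_nvram_dump "${1:-$SAMPLE_DUMP}"
```

On the sample dump the script reports the campaign port, WAN-exposed SSH and two unknown keys; with the owner's key listed in `KNOWN_KEYS_FILE` only the attacker's key remains flagged. An empty result on a real dump is not proof of a clean device, since the check only covers the indicators GreyNoise published, but any hit is reason for the factory reset described above.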

(mho)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.