In a concerning cybersecurity revelation, researchers have identified that thousands of home and small office routers manufactured by Asus are being compromised by a stealthy backdoor that can survive reboots and firmware updates. This attack is believed to be orchestrated by a nation-state or a similarly well-resourced threat actor, posing serious risks to users worldwide.
The unknown attackers are exploiting a series of now-patched vulnerabilities to gain unauthorized access to these devices. Alarmingly, some of these vulnerabilities have not been tracked through the internationally recognized CVE system, making them even more dangerous. Once the attackers gain administrative control, they install an SSH public key of their own in the router's configuration, enabling SSH access to the device. Anyone holding the matching private key can then log in with full administrative rights, effectively owning the device.
According to researchers from the security firm GreyNoise, “The attacker’s access survives both reboots and firmware updates, giving them durable control over affected devices.” This persistent access is maintained without deploying malware or leaving obvious traces. The attackers combine authentication bypasses, exploitation of known vulnerabilities, and abuse of legitimate configuration features to ensure their control remains intact.
GreyNoise has tracked approximately 9,000 devices globally that have been backdoored in this ongoing campaign, with the threat continuing to expand. Researchers have noted that there is currently no evidence indicating that the compromised devices have been utilized for any malicious activities. Instead, it appears that this operation is in its initial stages, with the threat actor amassing a significant number of compromised devices for potential future exploitation.
GreyNoise detected this campaign in mid-March and held off on public reporting until it had notified unnamed government agencies. That precaution is one reason to suspect the threat actor may have nation-state connections. Furthermore, the activity observed aligns with a larger campaign reported by fellow security firm Sekoia, which identified potential compromises affecting as many as 9,500 Asus routers under the moniker “ViciousTrap.”
The attackers are leveraging multiple vulnerabilities to backdoor the devices, including CVE-2023-39780, a command injection flaw that allows for the execution of system commands. Asus has patched this vulnerability in a recent firmware update. However, the remaining vulnerabilities, which have also been patched, have not been assigned CVE tracking designations for reasons that remain unclear.
Router users can determine whether their devices are infected by inspecting the SSH settings in their configuration panel. Infected routers will show SSH access enabled over port 53282, authorized with a public key whose text (truncated here) begins with ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ.... To eliminate the backdoor, users should remove the key and the port setting from their configurations; because the configuration survives firmware updates, updating alone does not remove it.
Users can also check their system logs for connections from the four IP addresses associated with the campaign: 101.99.91.151, 101.99.94.173, 79.141.163.179, and 111.90.146.237. It is crucial for all router users, regardless of brand, to ensure that their devices receive security updates promptly to mitigate such threats.
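As an added example (not code from the article, GreyNoise or Asus), the following Python checker applies the indicators above to an exported key=value router configuration and to a set of system log lines. The sample config and log lines are constructed, the config key names (sshd_port, sshd_authkeys) are assumed and may differ on a given firmware, and <rest-of-key> stands in for the untruncated key.

```python
import re

# Indicators quoted in the article (GreyNoise report): backdoor SSH port,
# the start of the attacker's public key, and the four source IP addresses.
BACKDOOR_SSH_PORT = "53282"
BACKDOOR_KEY_PREFIX = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ"
ATTACKER_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}

PORT_RE = re.compile(r"[=:\s]" + BACKDOOR_SSH_PORT + r"\b")  # whole value, not a substring
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def scan_config(config_text):
    """Flag the backdoor port and the attacker's key in key=value config lines.
    Returns a list of (indicator, offending_line) tuples; empty means clean."""
    findings = []
    for line in config_text.splitlines():
        if BACKDOOR_KEY_PREFIX in line:
            findings.append(("authorized_key", line.strip()))
        if PORT_RE.search(line):
            findings.append(("ssh_port", line.strip()))
    return findings

def scan_log(log_lines):
    """Return (ip, line) for every log line mentioning one of the attacker IPs."""
    hits = []
    for line in log_lines:
        for ip in IP_RE.findall(line):
            if ip in ATTACKER_IPS:
                hits.append((ip, line.strip()))
                break  # one hit per line is enough
    return hits

# Constructed sample data; nvram key names are assumed, <rest-of-key> is a placeholder.
SAMPLE_CONFIG = """\
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ<rest-of-key>
http_lanport=80
"""
SAMPLE_LOG = [
    "May 20 03:14:07 router dropbear[1234]: Child connection from 101.99.91.151:41022",
    "May 20 03:14:09 router dropbear[1234]: Pubkey auth succeeded for 'admin' from 101.99.91.151:41022",
    "May 20 08:02:11 router dropbear[1301]: Child connection from 192.168.50.10:55110",
]

if __name__ == "__main__":
    for kind, line in scan_config(SAMPLE_CONFIG):
        print(f"[config] {kind}: {line}")
    for ip, line in scan_log(SAMPLE_LOG):
        print(f"[log] attacker IP {ip}: {line}")
```

Point the two functions at your own exported configuration and log; any finding from scan_config is the cue to remove the key and port setting as described above.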