Cybercriminals Hack Asus Routers: Here’s How to Check If They Got Into Yours


If you have an Asus router, it could be one of the roughly 9,000 that have been compromised by “a well-resourced and highly capable adversary,” according to a recent report from GreyNoise, a security firm.

GreyNoise found the issue on May 18 and is now making it public after informing government and industry partners about its discoveries. The identity of the attacker remains unknown, but “the level of tradecraft suggests a well-resourced and highly capable adversary,” states GreyNoise.

The threat actor ran a quiet, long-running exploitation campaign against Asus routers whose administration interfaces were exposed to the internet. The apparent objective is to assemble a distributed network of backdoored devices, the groundwork for a botnet.

What to Do If You Own an Asus Router

If you own an Asus router, there is an easy way to check whether the attackers reached your device. Log in to the router’s web administration interface and look for the “Enable SSH” option, usually under “Service” or “Administration.” On a compromised device, SSH will be enabled on TCP port 53282 and the authorized-keys field will contain a public key beginning with this published (truncated) value:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ…

If you find that entry, a factory reset is strongly recommended, says PCMag security analyst Kim Key. GreyNoise describes the backdoor as notable because it “survives both reboots and firmware updates, allowing durable control over affected devices.” A firmware update alone therefore does not remove it; a factory reset followed by manual reconfiguration does.

Asus also suggests removing or disabling the SSH entry and blocking the following four IP addresses, according to ZDNet:

101.99.91.151
101.99.94.173
79.141.163.179
111.90.146.237

If your router has not been compromised, update the firmware to close the hole the attackers used: Asus has patched CVE-2023-39780 in its most recent firmware release. “Stay vigilant about firmware updates for all your internet-connected devices, including your router,” advises Key. “In addition to your cybersecurity tasks, periodically check your devices for updates throughout the year.”
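The manual check above can be scripted against a configuration dump. The following is an editor-added example, not tooling from GreyNoise, Asus or PCMag: it parses the text of an `nvram show` dump (obtainable over SSH or the router’s system command page) for SSH enabled on port 53282 and for the published key prefix, and scans syslog lines for the four addresses Asus asked owners to block. The NVRAM variable names `sshd_enable`, `sshd_port` and `sshd_authkeys`, and the `>` separator between multiple keys, follow AsusWRT conventions but are assumptions to confirm on your firmware; the dump and log lines are constructed samples, not real captures, and the full backdoor key is not known, so only the published prefix is matched.

```python
"""Indicator check for the Asus router SSH backdoor described above.

Editor-added example; not GreyNoise or Asus tooling. NVRAM variable names
(sshd_enable, sshd_port, sshd_authkeys) are assumed from AsusWRT conventions.
"""
import re
from typing import Iterable

BACKDOOR_PORT = "53282"
# Only the key prefix GreyNoise published is known; a full key is not assumed.
BACKDOOR_KEY_PREFIX = "AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ"
# The four addresses Asus recommends blocking.
ATTACKER_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_nvram(dump: str) -> dict[str, str]:
    """Turn `nvram show` output (one key=value per line) into a dict."""
    nv: dict[str, str] = {}
    for line in dump.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            nv[key.strip()] = value.strip()
    return nv


def authorized_keys(nv: dict[str, str]) -> list[str]:
    """Split sshd_authkeys into individual keys. AsusWRT joins several keys
    with '>' (assumption); newline-separated keys are accepted as well."""
    raw = nv.get("sshd_authkeys", "")
    return [k.strip() for k in re.split(r"[>\n]", raw) if k.strip()]


def check_nvram(nv: dict[str, str]) -> list[tuple[str, str]]:
    """Return (severity, message) findings for the persistence indicators."""
    findings: list[tuple[str, str]] = []
    ssh_enabled = nv.get("sshd_enable", "0") != "0"
    if ssh_enabled and nv.get("sshd_port") == BACKDOOR_PORT:
        findings.append(("high", f"SSH enabled on TCP/{BACKDOOR_PORT}, the port used in the campaign"))
    for key in authorized_keys(nv):
        if BACKDOOR_KEY_PREFIX in key:
            findings.append(("high", "authorized key matches the published backdoor key prefix"))
        else:
            # Any other key is not proof of compromise, but the owner must confirm it is theirs.
            findings.append(("info", f"authorized key present, confirm it is yours: {key[:40]}..."))
    return findings


def check_log(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Flag any log line that mentions one of the attacker addresses."""
    hits: list[tuple[str, str]] = []
    for n, line in enumerate(lines, 1):
        for ip in set(IPV4_RE.findall(line)):
            if ip in ATTACKER_IPS:
                hits.append(("high", f"line {n}: traffic involving {ip}: {line.strip()}"))
    return hits


def assess(dump: str, log_lines: Iterable[str]) -> list[tuple[str, str]]:
    """Combine configuration and log findings."""
    return check_nvram(parse_nvram(dump)) + check_log(log_lines)


def is_compromised(dump: str, log_lines: Iterable[str]) -> bool:
    """True when at least one high-severity indicator is present."""
    return any(sev == "high" for sev, _ in assess(dump, log_lines))


# Constructed samples shaped like an infected router's dump and syslog; not real captures.
SAMPLE_NVRAM = """\
sshd_enable=1
sshd_port=53282
sshd_wan=1
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ... >ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeOwnerKeyForThisExample admin@lan
wan_ipaddr=203.0.113.7
"""
SAMPLE_LOG = [
    "May 18 03:12:44 kernel: ACCEPT IN=eth0 OUT= SRC=101.99.91.151 DST=203.0.113.7 PROTO=TCP DPT=53282",
    "May 18 03:13:01 dropbear[1234]: Pubkey auth succeeded for 'admin' from 79.141.163.179:51444",
    "May 18 03:14:10 dropbear[1250]: Pubkey auth succeeded for 'admin' from 192.168.50.20:40112",
]

if __name__ == "__main__":
    for severity, message in assess(SAMPLE_NVRAM, SAMPLE_LOG):
        print(f"[{severity}] {message}")
    print("compromised:", is_compromised(SAMPLE_NVRAM, SAMPLE_LOG))
```

Run it against a real dump by replacing the constructed samples with the output of `nvram show` and your router’s syslog. A clean router yields no high-severity findings; any remaining “info” entries are keys you added yourself and should recognise. Because the indicators live in NVRAM, a clean result after a firmware update is only meaningful if the check is repeated after the update, not before.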

To gain initial access, the attackers combined brute-force login attempts with two authentication-bypass techniques that have not yet received CVE identifiers. Once inside, they executed arbitrary system commands through CVE-2023-39780, a known command-injection flaw in the router firmware.

No malware was installed, but the attackers nonetheless left themselves a durable foothold.

To recap: if your router is not yet infected, update the firmware promptly, since the latest release fixes CVE-2023-39780. If it has already been compromised, the backdoor survives the update. In that case, Asus recommends removing or disabling the SSH entry and blocking the four addresses listed above (101.99.91.151, 101.99.94.173, 79.141.163.179 and 111.90.146.237). Finally, perform a factory reset and reconfigure the router by hand rather than restoring a saved configuration, so that no remnant of the backdoor is carried over.

Over 9,000 Asus routers have been impacted

Using only built-in Asus features, the attackers enabled SSH, a legitimate remote administration channel, and added their own public key, giving them a way back into the router without the owner’s credentials. Because these settings are stored in non-volatile memory (NVRAM), neither a reboot nor a firmware update removes them. To evade detection, the attackers also disabled logging, which would normally record their access.

Based on data from the internet scanner Censys, more than 9,000 Asus routers are affected, and the number is rising. Yet GreyNoise observed only 30 related requests to these routers over the last three months, which points to a slow and deliberately low-profile campaign.

If no malware is present, what is the purpose behind the attack?

“This seems to be part of a stealthy operation to assemble a distributed network of backdoor devices — potentially establishing the groundwork for a future botnet,” stated GreyNoise in its publication.

And who is responsible for it?

“The tactics employed in this campaign — stealthy initial access, utilization of built-in system features for persistence, and careful avoidance of detection — align with those seen in advanced, long-term operations, including activities linked to advanced persistent threat (APT) actors and operational relay box (ORB) networks. While GreyNoise has not made any attributions, the level of tradecraft points to a well-resourced and highly capable adversary.”

The wording used by GreyNoise, especially the reference to APTs, hints at a nation-state or attackers operating on behalf of a hostile government. While GreyNoise has not specified any particular adversary, such attacks have been associated with various countries, including China, Russia, North Korea, and Iran.
