Валентин Шнайдер, Hot News
29 May 2025, 12:24
Hackers are massively hacking Asus routers: installing backdoors that survive firmware updates
More than 9,000 Asus routers worldwide have been compromised in a massive attack linked to a well-resourced attacker, likely state-backed, that gave the hackers permanent access to the devices, even after reboots or firmware updates.
According to GreyNoise, the attackers are exploiting several vulnerabilities, including CVE-2023-39780, a command injection vulnerability that allows remote execution of system commands. Other exploited bugs do not currently have CVE identifiers but have already been patched by the manufacturer.
After gaining administrative access, the hackers add their own public key for SSH access on port 53282. Anyone holding the corresponding private key can then connect to the router with full administrator rights, without being detected by antivirus or monitoring systems.
What is known about the attack?
GreyNoise reports that the attackers' access persists even after a firmware update or a device reboot. This suggests it is not a classic «malware» attack but an abuse of legitimate configuration mechanisms, a tactic experts call an «invisible backdoor.»
The campaign has been ongoing since March but was not disclosed until government agencies had been notified, which could indicate a country-specific link to the attack. Whatever the motivation, there is no evidence yet that the compromised routers are being used for malicious purposes; more likely, the attackers are building infrastructure for further attacks.
In parallel with GreyNoise, Sekoia recorded similar activity and is tracking the campaign under the name ViciousTrap. A Censys scan showed that the number of compromised devices could be as high as 9,500.
How to check and clean the device
Users can detect the presence of a backdoor by opening the SSH settings in the router control panel. If port 53282 is enabled and there is a public key that starts with:
To eliminate the threat, you must manually remove this key and disable the corresponding port.
Connections to the following IP addresses can also be a sign of an attack:
101.99.91[.]151
101.99.94[.]173
79.141.163[.]179
111.90.146[.]237
Users are advised to update their router firmware to the latest version and regularly check system logs.
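The check described above can be scripted for an exported configuration and a saved router log. The following Python script is an added example and is not code from the article, GreyNoise, Sekoia or ASUS. It assumes a configuration dump in `nvram show` style (`key=value` lines) and that the SSH settings live in the NVRAM variables `sshd_enable`, `sshd_port` and `sshd_authkeys` (ASUSWRT-style names; an assumption, verify them on your model). It flags SSH on port 53282, authorized keys whose SHA256 fingerprint is not on a trusted list, and log lines mentioning the four indicator addresses quoted in the article. The configuration dump, the key material and the log lines below are constructed sample data.

```python
import base64
import hashlib
import re

# Indicator addresses quoted in the article. They are printed defanged
# ("[.]") there; they are re-fanged here so log lines can be matched directly.
CAMPAIGN_IPS = {
    ip.replace("[.]", ".")
    for ip in ("101.99.91[.]151", "101.99.94[.]173",
               "79.141.163[.]179", "111.90.146[.]237")
}
CAMPAIGN_SSH_PORT = 53282

# NVRAM variable names follow ASUSWRT conventions but are an assumption of
# this example; confirm them on the device before relying on the output.
SSH_ENABLE_VAR, SSH_PORT_VAR, SSH_KEYS_VAR = "sshd_enable", "sshd_port", "sshd_authkeys"

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_nvram_dump(text):
    """Turn 'key=value' lines (the shape of `nvram show` output) into a dict."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def ssh_key_fingerprint(pubkey_line):
    """OpenSSH-style 'SHA256:...' fingerprint of one authorized_keys entry, or None."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        return None
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_ssh(cfg, trusted_fingerprints):
    """Return human-readable findings for the SSH settings in a config dump."""
    findings = []
    enabled = cfg.get(SSH_ENABLE_VAR, "0") not in ("", "0")
    try:
        port = int(cfg.get(SSH_PORT_VAR) or 22)
    except ValueError:
        port = None
    if enabled and port == CAMPAIGN_SSH_PORT:
        findings.append(f"ssh enabled on port {port} (port used by the campaign)")
    # Multiple keys are stored '>'-separated in ASUSWRT NVRAM (assumption);
    # newline-separated input is accepted as well.
    raw = cfg.get(SSH_KEYS_VAR, "").replace(">", "\n")
    for entry in filter(None, (e.strip() for e in raw.splitlines())):
        fp = ssh_key_fingerprint(entry)
        if fp is None:
            findings.append(f"unparseable key entry: {entry[:40]!r}")
        elif fp not in trusted_fingerprints:
            findings.append(f"unknown authorized key {fp} ({entry[:24]}...)")
    return findings


def scan_log(lines):
    """Return (line_number, ip) for every log line that mentions a campaign IP."""
    return [(n, ip) for n, line in enumerate(lines, 1)
            for ip in IPV4.findall(line) if ip in CAMPAIGN_IPS]


# Constructed sample data: a placeholder admin key, a second placeholder key
# standing in for one the attacker added, and a few dropbear-style log lines.
ADMIN_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43 + " admin@home"
PLANTED_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + "B" * 43 + " unknown"
TRUSTED_FINGERPRINTS = {ssh_key_fingerprint(ADMIN_KEY)}
SAMPLE_NVRAM = f"sshd_enable=1\nsshd_port=53282\nsshd_authkeys={ADMIN_KEY}>{PLANTED_KEY}\n"
SAMPLE_LOG = """\
May 29 10:01:12 router dropbear[1203]: Child connection from 192.168.50.10:51234
May 29 10:02:40 router dropbear[1207]: Child connection from 101.99.91.151:40112
May 29 10:02:41 router dropbear[1207]: Pubkey auth succeeded for 'admin' from 101.99.91.151:40112
May 29 10:05:03 router kernel: outbound connection to 79.141.163.179:443
"""

if __name__ == "__main__":
    for f in audit_ssh(parse_nvram_dump(SAMPLE_NVRAM), TRUSTED_FINGERPRINTS):
        print("FINDING:", f)
    for n, ip in scan_log(SAMPLE_LOG.splitlines()):
        print(f"LOG line {n}: campaign address {ip}")
```

Point `parse_nvram_dump` at a real dump and `scan_log` at a saved syslog export; the fingerprint comparison means a key is only accepted if you put its fingerprint on the trusted list yourself, so a key the attacker appended shows up even if it has a familiar-looking comment field.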
By the way
This is not the first attack on home routers. Since 2020, cybersecurity experts have been recording a trend towards creating botnets based on hacked IoT devices. Against the backdrop of war and the active use of cyberspace for espionage and attacks, it is especially important for Ukrainian users not to neglect firmware updates, even on their home network.
As a reminder, our feed also featured material about how hackers have been distributing a malicious version of KeePass for at least eight months, which installs Cobalt Strike, steals passwords, and adds programs that harm the device.