
ASUS router backdoors affect 9K devices

Here’s a summary of the recent ASUS router security incident, based on the latest reports:

🔍 1. Incident Overview

  • Scope: Approximately 9,000 ASUS Wi-Fi 6 routers (primarily RT-AX55 models) have been compromised by a botnet dubbed “AyySSHush”.
  • Persistence: The backdoor survives firmware updates, reboots, and factory resets because it is stored in the router’s non-volatile memory (NVRAM).
  • Detection: Cybersecurity firm GreyNoise identified the campaign in March 2025, though the attacks were extremely stealthy (only 30 malicious requests detected over three months).

⚙️ 2. How the Attack Works

  • Initial Access: Attackers use brute-force logins, authentication bypass exploits (some unpatched), and a known command injection vulnerability (CVE-2023-39780) to gain control.
  • Backdoor Setup: Once in, attackers:
    • Enable SSH on a custom port (TCP/53282).
    • Add their public SSH key to the router’s authorized_keys file for persistent remote access.
    • Disable logging and security features (e.g., AiProtection) to evade detection.
  • No Malware: The attack abuses legitimate ASUS router features, leaving no traditional malware traces.

ā— 3. Why Firmware Updates Fail to Remove the Backdoor

  • The backdoor is written toĀ NVRAM, which retains configuration data even during firmware upgrades or resets.
  • ASUS patched CVE-2023-39780 in recent firmware, but this only preventsĀ newĀ attacks.Ā Existing compromises persist.

🛡️ 4. Recommended Mitigation Steps

If you own an ASUS router (especially an RT-AX55):

1️⃣ Update Firmware: Install the latest patch from ASUS to fix the known vulnerabilities.
2️⃣ Check for Compromise:
  • Scan for an open SSH port on TCP/53282.
  • Review the authorized_keys file for unrecognized entries.
3️⃣ Full Factory Reset: Required to purge the NVRAM backdoor. After the reset, reconfigure the router manually.
4️⃣ Disable Remote SSH: Unless essential, disable WAN-facing SSH access in the router settings.
5️⃣ Block Malicious IPs: Use firewall rules to block the IPs linked to the campaign (as identified by GreyNoise).

Infection Statistics

Metric                  Detail
Confirmed Compromised   ~9,000 routers (as of May 27)
Primary Targets         Taiwan, U.S.
Botnet Name             AyySSHush

🌐 5. Attribution & Motive

  • Suspected actor: “ViciousTrap” (potentially China-linked), based on targeting patterns that avoid Chinese devices.
  • Goal: Likely building a botnet for future attacks (e.g., DDoS, proxy networks).

💎 Key Insight

This attack highlights a critical risk in router security: even patched devices remain vulnerable if they were compromised before the update was applied. Proactive checks and factory resets are essential, not just firmware updates.
