Hackers have gained unauthorized, persistent access to approximately 9,000 ASUS routers in an ongoing exploitation campaign, as reported by cybersecurity intelligence firm GreyNoise.
Distinct from typical malware-based attacks, the perpetrators maintain long-term access without deploying malware or leaving discernible traces. They exploit the routers’ legitimate functionalities to establish persistent backdoors that endure firmware updates and system reboots.
This operation appears to be a component of a covert initiative to assemble a distributed network of compromised devices, potentially setting the stage for future botnet activity.
The tactics utilized in this campaign are reminiscent of those typically employed by advanced persistent threat (APT) groups, which leverage operational relay box (ORB) networks to support prolonged cyber campaigns.
While GreyNoise has refrained from directly attributing the attack to a specific group, the sophistication and operational capability demonstrated suggest that the threat actors are likely both highly skilled and well-resourced.
Targeting ORB devices has been recognized as a prevalent cyber-espionage strategy employed by state-sponsored hackers in recent times.
GreyNoise detailed its findings in a report released on May 28, along with a complementary technical analysis prepared by GreyNoise Labs.
The malicious campaign was uncovered by GreyNoise researchers on March 18, utilizing an AI-driven network traffic analysis tool called SIFT, coupled with emulated ASUS router profiles within the GreyNoise Global Observation Grid.
SIFT detected unusual network payloads attempting to disable Trend Micro security features on ASUS routers and to exploit existing vulnerabilities. Researchers also noted novel tactics related to ASUS AiProtection features.
Upon tracing the anomalous traffic identified by SIFT, GreyNoise researchers found thousands of compromised routers.
As of May 27, roughly 9,000 routers have been identified as affected, with this number likely to rise.
The analyzed infection chain unfolds as follows:
1. Attackers gain access through brute-force login attempts and exploit two authentication bypass vulnerabilities for which no Common Vulnerabilities and Exposures (CVE) identifiers have yet been assigned.
2. Attackers leverage CVE-2023-39780, a critical command injection vulnerability affecting ASUS RT-AX55, to execute system commands. This vulnerability was subsequently patched in a recent firmware update by ASUS.
3. Attackers exploit legitimate ASUS features to enable SSH access on a custom port (TCP/53282) and insert an attacker-controlled public key for remote access. The backdoor is stored in non-volatile memory (NVRAM), thus persisting through firmware upgrades and reboots.
4. Attackers disable logging on the routers to evade detection.
Despite the patching of CVE-2023-39780 in a subsequent firmware update, GreyNoise notes that the attacker’s SSH configuration changes remain intact and survive regular updates, since the update does not remove them. The initial access techniques have likewise been patched, but they also lack assigned CVE identifiers.
GreyNoise initially held off on disclosure of this investigation to inform governmental and industry partners prior to public release. On May 22, cybersecurity firm Sekoia announced the compromise of ASUS routers as part of what it termed the “ViciousTrap” campaign.
In response to the malicious exploitation campaign, GreyNoise has offered several recommendations to mitigate associated threats:
– Inspect ASUS routers for SSH access on TCP/53282.
– Review the authorized_keys file for any unauthorized entries.
– Block the following IP addresses: 101.99.91.151; 101.99.94.173; 79.141.163.179; 111.90.146.237.
– If compromise is suspected, conduct a full factory reset and manually reconfigure the ASUS router.
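The checks above (an SSH listener on TCP/53282, unexpected authorized_keys entries, connections to the four listed IPs, and the NVRAM-backed SSH settings described in step 3 of the infection chain) can be scripted. The script below is an added example written for this page, not GreyNoise's or ASUS's own tooling. It assumes a router shell that offers netstat-style output and an authorized_keys file, and the nvram variable names sshd_enable, sshd_port and sshd_wan are assumed from ASUSWRT-based firmware and should be confirmed on the device; all inputs are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example: defender-side audit of the indicators listed by GreyNoise.
# Not GreyNoise's or ASUS's code. The nvram key names below are assumptions
# based on ASUSWRT-derived firmware; verify them on the actual router.

SUSPECT_PORT=53282
BLOCKLIST="101.99.91.151 101.99.94.173 79.141.163.179 111.90.146.237"

# Returns 0 if a LISTEN entry on the suspect port appears in a
# "netstat -tln"-style table ($1).
ssh_port_open() {
    grep -Eq "[:.]${SUSPECT_PORT}[[:space:]].*LISTEN" "$1"
}

# Prints authorized_keys entries ($1) whose key blob (field 2) is not present
# in the known-good keys file ($2). Assumes entries carry no options prefix.
unknown_keys() {
    awk 'FILENAME==ARGV[1] { known[$2]=1; next }
         /^[[:space:]]*(#|$)/ { next }
         !($2 in known) { print }' "$2" "$1"
}

# Prints any blocklisted IP that appears as a whole word in a connection table ($1).
blocklist_hits() {
    for ip in $BLOCKLIST; do
        grep -Fwq "$ip" "$1" && echo "$ip"
    done
    return 0
}

# Reads "key=value" lines (the "nvram show" format, assumed) and prints settings
# matching the persistence pattern: SSH enabled on the suspect port, exposed to WAN.
nvram_findings() {
    awk -F= -v port="$SUSPECT_PORT" '
        $1=="sshd_enable" && $2!="0"  { print "sshd_enable=" $2 }
        $1=="sshd_port"   && $2==port { print "sshd_port=" $2 }
        $1=="sshd_wan"    && $2=="1"  { print "sshd_wan=1 (SSH reachable from WAN)" }
    ' "$1"
}

# Prints a combined report; arguments: netstat file, authorized_keys, known keys, nvram dump.
audit() {
    if ssh_port_open "$1"; then echo "FINDING: listener on TCP/$SUSPECT_PORT"; fi
    unknown_keys "$2" "$3"  | sed 's/^/FINDING: unknown key: /'
    blocklist_hits "$1"     | sed 's/^/FINDING: blocklisted peer: /'
    nvram_findings "$4"     | sed 's/^/FINDING: nvram: /'
}

# Constructed sample inputs (not captured from a real device).
TMP=$(mktemp -d)
NETSTAT_SAMPLE="$TMP/netstat.txt"; NETSTAT_CLEAN="$TMP/netstat_clean.txt"
AUTH_KEYS_SAMPLE="$TMP/authorized_keys"; KNOWN_KEYS="$TMP/known_keys"
NVRAM_SAMPLE="$TMP/nvram.txt"; NVRAM_CLEAN="$TMP/nvram_clean.txt"

cat > "$NETSTAT_SAMPLE" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53282           0.0.0.0:*               LISTEN
tcp        0      0 192.168.50.1:53282      101.99.94.173:41022     ESTABLISHED
EOF
cat > "$NETSTAT_CLEAN" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
EOF
cat > "$KNOWN_KEYS" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY000000000000000000000000 admin@lan
EOF
cat > "$AUTH_KEYS_SAMPLE" <<'EOF'
# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY000000000000000000000000 admin@lan
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedUnknownKeyBlob0000 unknown
EOF
cat > "$NVRAM_SAMPLE" <<'EOF'
sshd_enable=1
sshd_port=53282
sshd_wan=1
wan_ipaddr=203.0.113.7
EOF
cat > "$NVRAM_CLEAN" <<'EOF'
sshd_enable=0
sshd_port=22
sshd_wan=0
EOF

audit "$NETSTAT_SAMPLE" "$AUTH_KEYS_SAMPLE" "$KNOWN_KEYS" "$NVRAM_SAMPLE"
```

On a real device, replace the sample files with the output of the router's netstat, its authorized_keys, an allow-list of the administrator's own public keys, and the nvram dump; any finding is a cue for the factory reset and manual reconfiguration that GreyNoise recommends, since a firmware update alone leaves the NVRAM-stored SSH settings in place.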