
Routers Compromised: Thousands of Online Asus Routers Infected with Backdoor


By Netvora Tech News


Security researchers at GreyNoise have discovered that thousands of online Asus routers have been compromised with a backdoor. The attackers gained access through a combination of brute-force attacks and two authentication bypass techniques, then exploited a known vulnerability, CVE-2023-39780, on the routers.

The backdoor allows attackers to execute system commands and persists even after the router is rebooted. GreyNoise notes that the backdoor is stored in non-volatile memory (NVRAM) and is not deleted during firmware updates or reboots.

The attackers also enabled SSH access on a custom port (TCP/53282) and added a public key for remote access. GreyNoise believes that the attackers' use of these techniques suggests a long-term plan and a deep understanding of the routers' inner workings.

Impact and Recommendations

As of now, almost 9,000 Asus routers have been compromised. GreyNoise recommends that Asus router owners check for SSH access on port TCP/53282 and inspect the authorized_keys file for unauthorized additions. Additionally, they suggest blocking a number of IP addresses associated with the attackers.
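The two checks above can be scripted. The following is an added example, not code from GreyNoise or Asus: it tests whether TCP/53282 accepts connections and lists every `authorized_keys` entry whose fingerprint is not on an owner-supplied allowlist. The function names, the allowlist and the sample keys are assumptions made for illustration.

```python
import base64
import hashlib
import socket

BACKDOOR_SSH_PORT = 53282  # TCP port named in the GreyNoise report


def port_open(host, port=BACKDOOR_SSH_PORT, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fingerprint(key_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unexpected_keys(text, trusted):
    """Return (line_no, fingerprint, comment) for each key not in `trusted`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An options field may precede the key type, so search for it.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        try:
            fp = fingerprint(fields[idx + 1])
        except (TypeError, IndexError, ValueError):
            findings.append((line_no, "UNPARSEABLE", line.strip()))  # fail closed
            continue
        if fp not in trusted:
            findings.append((line_no, fp, " ".join(fields[idx + 2:])))
    return findings


if __name__ == "__main__":
    # Constructed sample data: placeholder key blobs, not real keys or IoCs.
    mine = base64.b64encode(b"constructed-admin-key").decode()
    other = base64.b64encode(b"constructed-unknown-key").decode()
    sample = f"ssh-ed25519 {mine} admin@laptop\nssh-rsa {other}\n"
    print(unexpected_keys(sample, {fingerprint(mine)}))
    print("TCP/53282 open on 192.0.2.1 (placeholder):", port_open("192.0.2.1", timeout=1))
```

Lines that cannot be parsed are reported rather than skipped, so a malformed entry still gets a human look.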

In the event of a compromised router, GreyNoise advises performing a factory reset and manually configuring the router after the reset. Furthermore, GreyNoise notes that if a router is updated while compromised, the backdoor will remain present unless SSH access is explicitly checked and removed.

Conclusion

Asus router owners are advised to take immediate action to secure their devices and prevent further compromise. With thousands of routers already affected, it is crucial to take proactive measures to safeguard against these types of attacks.
