Security Flaw Leaves Thousands of Asus Routers Vulnerable to Backdoor Attacks

Thousands of Asus routers are currently at risk of being compromised due to a stealthy backdoor attack, as detailed by cybersecurity firm GreyNoise. The company raised the alarm in mid-March after monitoring the activity and notifying unnamed government agencies, indicating that the potential threat actor behind the attacks may be linked to a nation-state.

This ongoing campaign is reportedly part of a larger operation documented by fellow cybersecurity firm Sekoia, which tracks the threat actor under the name ViciousTrap. According to Sekoia’s findings, extensive scanning by network intelligence firm Censys has uncovered that nearly 9,500 Asus routers may have been compromised as a result of the attacks.

The intruders have exploited several vulnerabilities, including a critical command injection flaw designated CVE-2023-39780, which allows for unauthorized execution of system commands. Although Asus has patched this flaw in recent firmware updates, details regarding other vulnerabilities remain unclear, as they have not received CVE tracking designations.

Users who want to check whether their router is infected can do so in the SSH configuration panel. Infected devices allow SSH logins on port 53282 using an SSH public key whose truncated form starts with ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ.... To remove the backdoor, affected users are advised to delete the key and the corresponding port setting.

Users can also check whether their router has been targeted by examining its system logs for access attempts from the following IP addresses: 101.99.91.151, 101.99.94.173, 79.141.163.179 and 111.90.146.237. Cybersecurity experts recommend that all router users prioritize timely security updates to safeguard their devices against ongoing threats.
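The two checks described above (the SSH port and key in the router's settings, and the suspect addresses in its logs) can be scripted against exported data. The following is an added example, not code from the article, GreyNoise or Asus; it assumes you have copied the SSH port value, the authorized-keys text and the system log off the router, and the sample data at the bottom is constructed.

```python
import re

# Indicators quoted in the article above (port, key prefix, IP addresses).
BACKDOOR_PORT = 53282
BACKDOOR_KEY_PREFIX = ("ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV"
                       "+YPsxMDrMlbdDZ")
SUSPECT_IPS = {"101.99.91.151", "101.99.94.173",
               "79.141.163.179", "111.90.146.237"}

# Dotted-quad matcher that will not fire on a substring of a longer number.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def check_ssh_settings(ssh_port, authorized_keys):
    """Compare the SSH port and authorized_keys text with the indicators.

    Returns a list of findings; an empty list means no indicator matched.
    """
    findings = []
    if str(ssh_port).strip() == str(BACKDOOR_PORT):
        findings.append(f"SSH listening port {BACKDOOR_PORT} matches the backdoor port")
    for lineno, line in enumerate(authorized_keys.splitlines(), 1):
        # Match anywhere in the line so a key preceded by options such as
        # 'no-pty' is still caught.
        if BACKDOOR_KEY_PREFIX in line:
            findings.append(f"authorized_keys line {lineno} matches the backdoor key prefix")
    return findings


def check_logs(log_text):
    """Return (ip, line) pairs for every log line mentioning a suspect IP."""
    hits = []
    for line in log_text.splitlines():
        for ip in IPV4_RE.findall(line):
            if ip in SUSPECT_IPS:
                hits.append((ip, line.strip()))
    return hits


# Constructed sample data (not from the article): the backdoor key with a
# placeholder tail, a legitimate key, and dropbear-style log lines.
SAMPLE_PORT = 53282
SAMPLE_AUTHORIZED_KEYS = (
    BACKDOOR_KEY_PREFIX + "REST-OF-KEY-PLACEHOLDER unknown@example\n"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA admin@home\n"
)
SAMPLE_LOG = (
    "May 12 10:01:11 router dropbear[1234]: Child connection from 101.99.91.151:41322\n"
    "May 12 10:02:30 router dropbear[1235]: Child connection from 192.168.50.20:51000\n"
    "May 12 10:05:02 router dropbear[1240]: Child connection from 79.141.163.179:2200\n"
)

if __name__ == "__main__":
    for finding in check_ssh_settings(SAMPLE_PORT, SAMPLE_AUTHORIZED_KEYS):
        print(finding)
    for ip, line in check_logs(SAMPLE_LOG):
        print(f"suspect IP {ip}: {line}")
```

A clean router yields no findings from the first function and no hits from the second; any finding means the key and port setting should be removed and the firmware updated as the article advises.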