A recent campaign has compromised over 9,000 Asus routers worldwide, planting a persistent backdoor that can be used to build a botnet. The campaign, uncovered by cybersecurity firm GreyNoise, combines an authentication bypass with the router's own legitimate features to gain long-term access: the attackers use official Asus router functionality to enable SSH on a non-standard port (TCP 53282) and add their own key, giving them remote administrative control without installing anything the firmware would treat as foreign.
The backdoor lives in the router's non-volatile memory (NVRAM), the store that holds the device configuration, so it survives both reboots and firmware updates. To evade detection, the attackers disable system logging and the router's AiProtection security features. The campaign is quiet enough that GreyNoise's AI-assisted analysis tool, Sift, observed only 30 related requests over a three-month period.
Asus has released a firmware update that closes the vulnerability used for initial access, but patching alone does not remove the SSH backdoor from routers compromised before the update, because the malicious configuration persists in NVRAM. Owners should check manually whether SSH is enabled on TCP port 53282 and review the authorized_keys entries for any public key they did not add themselves.
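The two manual checks above can be scripted. The following is an added example written for this page, not GreyNoise's or Asus's tooling: it parses an authorized_keys file, computes each key's OpenSSH-style SHA256 fingerprint, compares the keys against an allowlist of fingerprints the owner recognises, and inspects a name=value configuration dump for SSH being enabled on TCP 53282. The sample inputs are constructed (the key blobs are structurally valid but not real keys), and the NVRAM variable names `sshd_enable` and `sshd_port` are an assumption about the Asuswrt layout that you should verify on your own firmware with `nvram show`.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

# Port the reported campaign used for its SSH listener (from the article).
BACKDOOR_SSH_PORT = 53282


@dataclass
class SshKey:
    key_type: str
    fingerprint: str  # "SHA256:<base64>" in the form `ssh-keygen -lf` prints
    comment: str


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[SshKey]:
    """Parse authorized_keys lines, tolerating a leading options field."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # The key type is the first field that looks like one; anything
        # before it is an options list such as no-pty,command="...".
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # malformed line: nothing usable to hash
        keys.append(SshKey(fields[idx], fingerprint(fields[idx + 1]),
                           " ".join(fields[idx + 2:])))
    return keys


def parse_nvram(dump: str) -> dict[str, str]:
    """Parse `nvram show` style name=value output into a dict."""
    settings = {}
    for line in dump.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            settings[name.strip()] = value.strip()
    return settings


def triage(settings: dict[str, str], keys: list[SshKey],
           known: set[str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    # Assumption: Asuswrt stores the SSH toggle as sshd_enable (0 = off,
    # non-zero = on) and the port as sshd_port. Verify on your firmware.
    if settings.get("sshd_enable", "0") != "0":
        port = settings.get("sshd_port", "22")
        if port == str(BACKDOOR_SSH_PORT):
            findings.append(f"SSH enabled on TCP {port}: matches reported backdoor port")
        elif port != "22":
            findings.append(f"SSH enabled on non-default TCP {port}: confirm this is yours")
    for key in keys:
        if key.fingerprint not in known:
            findings.append(f"unrecognised {key.key_type} key {key.fingerprint} "
                            f"(comment: {key.comment or '<none>'})")
    return findings


def _fake_ed25519_blob(seed: bytes) -> str:
    """Build a structurally valid ed25519 public-key blob for the sample data.
    Not a real key: the 32 key bytes are just a hash of `seed`."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name
    blob += struct.pack(">I", 32) + hashlib.sha256(seed).digest()
    return base64.b64encode(blob).decode()


# Constructed sample input: one key the owner recognises, one planted key.
OWNER_BLOB = _fake_ed25519_blob(b"owner-laptop")
PLANTED_BLOB = _fake_ed25519_blob(b"planted")
SAMPLE_AUTHORIZED_KEYS = (
    f"ssh-ed25519 {OWNER_BLOB} admin@laptop\n"
    f"ssh-ed25519 {PLANTED_BLOB}\n"  # no comment, as a dropped key often has
)
SAMPLE_NVRAM = "sshd_enable=1\nsshd_port=53282\nlan_ipaddr=192.168.50.1\n"


def run_sample() -> list[str]:
    """Run the triage over the constructed sample; expect two findings."""
    known = {fingerprint(OWNER_BLOB)}
    return triage(parse_nvram(SAMPLE_NVRAM),
                  parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS), known)


if __name__ == "__main__":
    for finding in run_sample():
        print("FINDING:", finding)
```

On a real device you would feed `triage` the output of `nvram show` and the contents of the authorized_keys location your firmware uses, and populate `known` from `ssh-keygen -lf` run against keys you control. A key without a comment is not proof of compromise on its own, which is why the allowlist comparison, not the comment, drives the finding.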
The attackers' tradecraft was built around staying unnoticed: disabling logging and security features, relying on legitimate router functionality rather than custom tooling, and exploiting undocumented login bypass methods. That level of care, and the small number of requests GreyNoise observed, point to a deliberately planned operation rather than opportunistic scanning.
If you own an Asus router, check whether it is affected. If it shows signs of compromise, the reliable remediation is a full factory reset followed by reconfiguring the router from scratch, since a firmware update alone leaves the planted SSH access in place. Keep up with firmware updates and security patches so the initial-access vulnerability is closed before the device is exposed again.
Source: https://www.tomshardware.com/tech-industry/cyber-security/9-000-asus-routers-compromised-by-botnet-attack-and-persistent-ssh-backdoor-that-even-firmware-updates-cant-fix