Thousands of ASUS Routers Compromised by Malware-Free Backdoor Attacks

A widespread campaign of malware-free backdoor attacks has compromised thousands of ASUS routers, according to recent reports from GreyNoise and Sekoia.io. The attackers combine security vulnerabilities with legitimate router features to establish persistent access, so no malware needs to be dropped on the device.

GreyNoise's AI-powered Sift tool first detected the threat in mid-March, while Sekoia.io investigated a broader campaign, dubbed ViciousTrap, that involved edge devices from multiple brands. Both reports found ASUS routers among the targets, with the attackers gaining SSH access on the same port (TCP/53282) that GreyNoise had identified.

Attackers use various techniques to gain initial access, including credential brute-forcing and exploitation of authentication bypass flaws. Once authenticated, they abuse built-in router settings and further security flaws to establish an SSH connection and inject malicious commands.

Because the backdoor configuration is stored in non-volatile memory, it is not removed by a reboot or a firmware upgrade. Experts recommend a full factory reset followed by manual reconfiguration on any device suspected of being compromised.

To mitigate the risk, organizations should block the known malicious IP addresses and keep their devices fully updated so that the exploited vulnerabilities are patched. To check whether a device is compromised, users can look for SSH listening on TCP/53282 and for unauthorized entries in the router's authorized_keys file.
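The two checks described above, as an added example that is not part of the article or of the GreyNoise and Sekoia.io reports: a TCP probe for the suspect port from a management host, and an audit of an authorized_keys file against an administrator's allow-list of known public keys. The sample authorized_keys content, the key blobs and the allow-list are constructed for illustration; only the port number comes from the reports.

```python
"""Defender-side checks for the ASUS router backdoor campaign (added example).

Two checks follow from the article's advice:
  1. Is SSH reachable on TCP/53282 on a router?
  2. Does the router's authorized_keys file contain keys that are not on the
     administrator's allow-list?
The sample authorized_keys text and key material below are constructed.
"""
import base64
import hashlib
import socket
from dataclasses import dataclass

SUSPECT_PORT = 53282  # port named in the GreyNoise / Sekoia.io reports

# Key types accepted in an authorized_keys line (used to locate the key token).
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass
class KeyEntry:
    options: str      # leading options such as no-pty or command="..." (may be empty)
    key_type: str     # e.g. ssh-ed25519, or "malformed" if the line could not be parsed
    blob: str         # base64 key material
    comment: str      # trailing comment, often user@host
    fingerprint: str  # SHA256 fingerprint, or "" if the blob is not valid base64
    known: bool       # True when the blob is on the allow-list


def parse_authorized_keys(text: str, allowed_blobs: set) -> list:
    """Parse authorized_keys text and mark each key as known or unknown.

    Malformed lines are returned with key_type "malformed" and known=False,
    so an audit never silently skips a line it could not interpret.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # The first token that is a key type separates options from the key.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append(KeyEntry("", "malformed", line, "", "", False))
            continue
        options = " ".join(tokens[:idx])
        key_type, blob = tokens[idx], tokens[idx + 1]
        comment = " ".join(tokens[idx + 2:])
        try:
            fp = fingerprint(blob)
        except (ValueError, Exception):
            fp = ""
        entries.append(KeyEntry(options, key_type, blob, comment, fp,
                                blob in allowed_blobs))
    return entries


def unknown_entries(entries: list) -> list:
    """Entries that should be investigated: not on the allow-list."""
    return [e for e in entries if not e.known]


# Constructed sample data: one administrator key and one unexpected key.
ADMIN_BLOB = "QUFBQUFBQUFBQUFBQUFBQUFB"      # constructed, not a real key
UNEXPECTED_BLOB = "QkJCQkJCQkJCQkJCQkJCQkJC"  # constructed, not a real key
ALLOWED_BLOBS = {ADMIN_BLOB}
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample authorized_keys
ssh-ed25519 {ADMIN_BLOB} admin@laptop
no-pty ssh-ed25519 {UNEXPECTED_BLOB}
"""


def audit_sample() -> list:
    """Run the authorized_keys audit over the constructed sample."""
    return parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_BLOBS)


if __name__ == "__main__":
    router_ip = "192.0.2.1"  # placeholder; use the router's LAN address
    print(f"SSH on {router_ip}:{SUSPECT_PORT} reachable:",
          port_open(router_ip, SUSPECT_PORT))
    for e in unknown_entries(audit_sample()):
        print("UNKNOWN KEY:", e.key_type, e.fingerprint, e.options, e.comment)
```

Run the port probe from a host on the router's LAN and feed `parse_authorized_keys` the authorized_keys content retrieved from the device; any entry reported as unknown, and any line reported as malformed, is a reason to follow the article's advice of a factory reset and manual reconfiguration rather than simply deleting the key.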

Source: https://www.scworld.com/news/asus-router-backdoors-affect-9k-devices-persist-after-firmware-updates