


ASUS Router Backdoors Affect 9,000 Devices, Persist After Firmware Updates
An anonymous reader quotes a report from SC Media: Thousands of ASUS routers have been compromised with malware-free backdoors in an ongoing campaign to potentially build a future botnet, GreyNoise reported Wednesday. The threat actors abuse security vulnerabilities and legitimate router features to establish persistent access without the use of malware, and these backdoors survive both reboots and firmware updates, making them difficult to remove.
The attacks, which researchers suspect are conducted by highly sophisticated threat actors, were first detected by GreyNoise's AI-powered Sift tool in mid-March and disclosed Thursday after coordination with government officials and industry partners. Sekoia.io also reported the compromise of thousands of ASUS routers in their investigation of a broader campaign, dubbed ViciousTrap, in which edge devices from other brands were also compromised to create a honeypot network. Sekoia.io found that the ASUS routers were not used to create honeypots, and that the threat actors gained SSH access using the same port, TCP/53282, identified by GreyNoise in their report. The backdoor campaign affects multiple ASUS router models, including the RT-AC3200, RT-AC3100, GT-AC2900, and Lyra Mini.
GreyNoise advises users to perform a full factory reset and manually reconfigure any potentially compromised device. To identify a breach, users should check whether SSH is listening on TCP port 53282 and inspect the authorized_keys file for entries they did not add themselves.
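The two indicators above (a listener on TCP/53282 and unexpected authorized_keys entries) are easy to turn into a repeatable check. The script below is an added example written for this page, not GreyNoise's or ASUS's tooling: it probes the router's address for the reported port from another host on the LAN and parses a copy of the router's authorized_keys, flagging any key whose OpenSSH-style SHA256 fingerprint is not in an allowlist you maintain. The sample authorized_keys text and the "known good" fingerprints are constructed in the block (the key blobs are synthetic, not real keys), and where the file lives on a given firmware is an assumption you must verify for your device; the 192.168.1.1 default is likewise an assumption.

```python
"""Check an ASUS router for the two indicators named in the advisory:
a listener on TCP/53282 and unexpected entries in authorized_keys.
Added example for this page; not code from GreyNoise, Sekoia.io or ASUS."""
import base64
import binascii
import hashlib
import socket
import sys

BACKDOOR_PORT = 53282  # SSH port reported by GreyNoise and Sekoia.io


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connect to host:port succeeds, i.e. something listens there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable: treat all as "not listening"
        return False


def ssh_fingerprint(key_b64: str) -> str:
    """OpenSSH-style 'SHA256:...' fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[dict]:
    """Parse authorized_keys lines into dicts: type, fingerprint, comment, options.
    Options (from=, command=, ...) may precede the key type; the key type is the
    first field starting with ssh-, ecdsa- or sk-."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        try:
            if idx is None or idx + 1 >= len(fields):
                raise ValueError("no key material")
            fp = ssh_fingerprint(fields[idx + 1])
        except (ValueError, binascii.Error):
            # Anything we cannot parse is reported rather than silently skipped.
            entries.append({"type": "unparseable", "fingerprint": None,
                            "comment": line, "options": ""})
            continue
        entries.append({"type": fields[idx], "fingerprint": fp,
                        "comment": " ".join(fields[idx + 2:]),
                        "options": " ".join(fields[:idx])})
    return entries


def unexpected_keys(text: str, allowed_fingerprints: set[str]) -> list[dict]:
    """Entries whose fingerprint is not on the operator's allowlist (unparseable ones included)."""
    return [e for e in parse_authorized_keys(text)
            if e["fingerprint"] not in allowed_fingerprints]


def check_router(host: str, authorized_keys_text: str, allowed: set[str]) -> dict:
    """Combine both advisory indicators into one report."""
    return {"backdoor_port_open": port_open(host, BACKDOOR_PORT),
            "unexpected_keys": unexpected_keys(authorized_keys_text, allowed)}


def _fake_key_blob(seed: bytes) -> str:
    """Constructed sample: an ssh-ed25519 wire blob around a dummy 32-byte value.
    This is NOT a real key; it only needs to be valid base64 of a plausible blob."""
    dummy = hashlib.sha256(seed).digest()
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + dummy
    return base64.b64encode(blob).decode()


# Constructed sample file: two keys the operator installed and one nobody admits to.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not taken from a real device
ssh-ed25519 {_fake_key_blob(b"admin-laptop")} admin@laptop
from="10.0.0.0/8" ssh-ed25519 {_fake_key_blob(b"backup-nas")} backup@nas
ssh-ed25519 {_fake_key_blob(b"unknown")}
"""

# Allowlist the operator keeps outside the router (fingerprints of the two known keys).
KNOWN_GOOD = {ssh_fingerprint(_fake_key_blob(b"admin-laptop")),
              ssh_fingerprint(_fake_key_blob(b"backup-nas"))}

if __name__ == "__main__":
    # Usage: python check_asus.py <router-ip> <copy-of-authorized_keys>
    # Both defaults below are assumptions for demonstration only.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_AUTHORIZED_KEYS
    report = check_router(host, text, KNOWN_GOOD)
    print(f"TCP/{BACKDOOR_PORT} listening on {host}: {report['backdoor_port_open']}")
    for e in report["unexpected_keys"]:
        print(f"unexpected key: {e['type']} {e['fingerprint']} {e['comment']}")
```

Run it from a machine on the LAN against the router's address, and against the WAN address from outside if remote access is supposed to be disabled; a listener on 53282 from either side is reason enough to follow the factory-reset advice, since a firmware update alone will not clear the persisted key. Keep the allowlist of fingerprints off the router, because an attacker with a shell on the device can edit anything stored there.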
Van on fire (Score:1, Funny)
Put the leaders of ASUS in a van in their parking lot. Set it on fire.
Re: Van on fire (Score:3)
It might solve the problem that ASUS is generally shit now. Their hardware has been having more and more problems and they now have some of the worst support in the industry.
Re: (Score:2)
The goal would be to make the leaders care about security issues in the first place.
Right now, they can choose to spend less on engineering and then give the money saved to themselves to buy a bigger super yacht. The consequence of only using the cheapest possible labor and cutting every possible corner is that their routers get hacked easily. But this doesn't hurt the CEO in any way. They keep their super yacht. So why shouldn't they do it?
Re: (Score:2)
>"So why shouldn't they do it?"
Because in a free market with competition, bad company practices are punished by consumers. Sometimes they can get away with poor service/products for a while, but it will catch up with them. Other times the punishment is immediate and severe. Articles like this can be devastating to sales. Family members ask what to buy and people like us tell them "Hell no way on Asus, spend a bit more and get a Unifi or a [whatever reputable brand at the time]."
Re: (Score:2)
Arson and murder aren't going to solve security issues in routers.
* opens van cargo door *
"Shit sorry, almost forgot these."
* tosses in a few thousand ASUS compromised routers *
Now all we're missing, is the marshmallows.
Re: (Score:3)
> arson and murder isn't going to solve security issues in routers
(needs citation)
Can we really trust this? (Score:2)
I mean sure, it claims they are using an AI-powered tool, but if it isn't *agentic* is it really suitable for anything?
Re:Can we really trust this? (Score:4, Informative)
This is the kind of thing that folks can check after the AI has spotted it. An *extremely* good use case.
OpenWRT (Score:1)
'nuff said.
Re: (Score:1)
https://openwrt.org/supported_... [openwrt.org]
Maybe I'm just bad at the documentation, but it doesn't seem like that many ASUS routers are supported, so nice try?
Re: (Score:1)
Actually, the RT-AC3100 and RT-AC3200 mentioned do seem to be on the supported list, but almost every ASUS router I've seen personally is not on there.
Re: (Score:2)
Anything with MediaTek and NAND flash. I have three RT-AX53U at home.
Never Enable WAN Access (Score:4, Insightful)
The original announcement isn't clear, but based on the relatively low number of affected devices (there must be hundreds of thousands of these routers in use), it seems that only "savvy" users who enabled forms-based logins on the WAN port may have been affected.
Installing a private key and enabling SSH on a non-default port (as the attackers did) is likely much more secure, if the device absolutely must be accessible, or enabling the VPN -- again with public/private key pairs.
Re: (Score:1)
Is it really a benefit to use a nonstandard port? Don't all the scanners just fingerprint ports anyway? If nmap can do it...
I'll take that as a no (Score:2)
Since my troll mod hated what I said, it must be correct.
Vegeta? (Score:2)
I like ASUS routers (Score:2)
Because they run a modified OpenWRT it is pretty easy to install real OpenWRT onto them. As you should.