The Register

8,000+ Asus routers popped in ‘advanced’ mystery botnet plot

Thousands of Asus routers are currently ensnared by a new botnet that disables Trend Micro-powered security features and exploits vulnerabilities to plant an SSH backdoor.

Threat monitoring company GreyNoise discovered the botnet, which it dubbed AyySSHush, back in March and pointed interested onlookers to a Censys search which shows more than 8,000 infected hosts at the time of writing.

GreyNoise is only revealing the details of AyySSHush months later because it took some time to work with governments and industry partners on the disclosure, it said. 

The activity hasn’t been formally attributed to any specific group or nation, but GreyNoise’s VP of data science, Bob Rudis, said “the tradecraft suggests an advanced, well-resourced adversary.”

The botnet’s exploitation activity is ongoing, and what started with “an initial wave of generic brute-force attacks,” as GreyNoise put it, has moved on. The attackers behind it are also now exploiting old-ish authentication bypass bugs to gain initial access to Asus routers.

The botnet herders are finding success with either of these two methods, and from there they use additional authentication bypass techniques and an older vulnerability (CVE-2023-39780) to run arbitrary commands on the router, the threat monitoring firm said.

According to the report, these commands were used to enable SSH, bind it to TCP/53282, and add an attacker-controlled public key, affording them exclusive SSH access.

“Because this key is added using the official Asus features, this config change is persisted across firmware upgrades,” GreyNoise’s report said. “If you’ve been exploited previously, upgrading your firmware will not remove the SSH backdoor.”

“Because it’s configured through official Asus settings, the backdoor persists in NVRAM even after patching. No malware dropped, logging disabled = nearly invisible,” Rudis added.

Among the commands executed were those responsible for disabling security features on the router, such as logging and AiProtection, a Trend Micro-powered feature that blocks malicious sites and infected devices.

GreyNoise spotted this activity taking place using just three HTTP POST requests, and the campaign appeared to target only routers with default configurations.

The specific models affected included the RT-AC3100, RT-AC3200, and RT-AX55. The latter remains one of the more popular Wi-Fi 6 routers to this day, and although the RT-AC3100 and RT-AC3200 are Wi-Fi 5-based, they were both widely used, high-end models when they launched around ten years ago.

In its timeline of events, GreyNoise noted that on May 22, security researchers at French outfit Sekoia published its work on a campaign it called ViciousTrap, which seems to bear some similarities with GreyNoise’s findings.

Both pieces of research tracked well-resourced groups targeting SOHO routers, although Sekoia noted devices from more manufacturers being targeted (more than 50), as well as SSL VPNs, DVRs, and BMCs – all turned into honeypots.

Likewise, Sekoia tracked the activity back to March, but other details, such as the vulnerabilities exploited, didn’t align with GreyNoise’s report.

The French company did step a little closer into attribution, though, saying the attackers behind the activity were “likely of Chinese-speaking origin, based on a weak overlap with the GobRAT infrastructure and the geographic distribution of compromised and key monitored devices.”

Perhaps hinting at some agreement among those at GreyNoise, Rudis replied to one infoseccer on social media, alluding to the attackers belonging to “one of the Typhoons.”

Under Microsoft's naming taxonomy for established attackers, Chinese groups are assigned a name of the form [word] + Typhoon, for example Salt Typhoon and Volt Typhoon.

GreyNoise said that Asus patched CVE-2023-39780 and the CVE-less auth bypass bugs in a recent firmware update, and provided indicators of compromise in its writeup for those who want to check if they were popped.

It also reminded users that updates alone won’t close off the SSH backdoor, so they should check for any signs of compromise.
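A practical way to act on that reminder, covering both the persistence mechanism described earlier (SSH enabled, bound to TCP/53282, with an attacker key stored via the official authorized-keys setting) and the post-patch check GreyNoise recommends, is to inspect the router's NVRAM and probe the port. The script below is an added example written for this page; it is not GreyNoise's, Asus's or Trend Micro's code. It assumes the Asuswrt NVRAM variable names sshd_enable, sshd_port, sshd_wan and sshd_authkeys, assumes multiple authorized keys are stored '>'-separated in sshd_authkeys, and uses a constructed NVRAM dump as its sample input rather than data from an infected device.

```python
"""Check an Asus router for the NVRAM-backed SSH backdoor described in the article.

Added example, not code from GreyNoise or Asus. NVRAM variable names and the
'>' key separator are assumptions about Asuswrt; the sample dump is constructed.
"""
import socket
from typing import Iterable

# TCP port the GreyNoise report says the backdoor sshd is bound to.
BACKDOOR_PORT = 53282


def parse_nvram(dump: str) -> dict[str, str]:
    """Parse `nvram show`-style key=value lines into a dict; lines without '=' are skipped."""
    settings: dict[str, str] = {}
    for line in dump.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def key_blob(authorized_key_line: str) -> str:
    """Return the base64 key material of an authorized_keys line, ignoring type and comment."""
    parts = authorized_key_line.split()
    return parts[1] if len(parts) >= 2 else authorized_key_line.strip()


def ssh_indicators(nv: dict[str, str], trusted_keys: Iterable[str] = ()) -> list[str]:
    """Return human-readable findings matching the persistence the report describes.

    trusted_keys: authorized_keys lines the owner deliberately configured; any other
    key present in NVRAM is flagged, since firmware upgrades do not remove it.
    """
    findings: list[str] = []
    if nv.get("sshd_enable", "0") != "0":
        findings.append(f"sshd enabled (sshd_enable={nv['sshd_enable']})")
    if nv.get("sshd_port") == str(BACKDOOR_PORT):
        findings.append(f"sshd bound to TCP/{BACKDOOR_PORT}")
    if nv.get("sshd_wan", "0") != "0":
        findings.append("sshd reachable from WAN (sshd_wan)")
    trusted = {key_blob(k) for k in trusted_keys}
    # Assumption: Asuswrt stores several authorized keys '>'-separated in one variable.
    for line in filter(None, nv.get("sshd_authkeys", "").split(">")):
        if key_blob(line) not in trusted:
            findings.append(f"unrecognised authorized key: {line[:40]}...")
    return findings


def looks_like_ssh_banner(data: bytes) -> bool:
    """RFC 4253 requires the server's identification line to start with 'SSH-'."""
    return data.startswith(b"SSH-")


def probe_backdoor_port(host: str, port: int = BACKDOOR_PORT, timeout: float = 3.0) -> bool:
    """Connect to host:port and report whether something speaking SSH answers.

    Network call; run it from the LAN (or the WAN side, if sshd_wan is set) against
    your own router only. Returns False on refusal, timeout or a non-SSH banner.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            return looks_like_ssh_banner(sock.recv(64))
    except OSError:
        return False


# Constructed sample NVRAM dump modelled on the persistence the report describes.
SAMPLE_NVRAM = """\
sshd_enable=1
sshd_port=53282
sshd_wan=1
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEATTACKERKEY attacker@c2
lan_ipaddr=192.168.50.1
"""

if __name__ == "__main__":
    for finding in ssh_indicators(parse_nvram(SAMPLE_NVRAM)):
        print("[!]", finding)
    # On a live device: paste the output of `nvram show` into parse_nvram(), pass your
    # own keys as trusted_keys, and call probe_backdoor_port("192.168.50.1").
```

Because the key lives in NVRAM rather than on the filesystem, a clean result from this check after a firmware update is what you want to see; any unrecognised key or a listener on TCP/53282 is the cue for a factory reset followed by re-applying only the settings you know you configured.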

For users who think they may have been hit, or who aren't technical enough to check, it's factory-reset time.

The Register asked Asus for comment but it did not immediately respond. ®
