Security researchers have discovered an ongoing mass exploitation campaign that has infected over 9,000 Asus routers. The infected routers provide hackers with persistent access, without the need to install malware or leave digital footprints.
This persistence is achieved by abusing legitimate features built into the targeted routers, allowing the access to survive firmware updates, reboots, and potentially even hardware resets. While the goal of the campaign has not yet been ascertained, it appears to be an attempt to build a large-scale botnet of the kind often used to redirect URLs or carry out DDoS attacks.
The campaign was spotted by security researchers at GreyNoise, who claim that the tactics used in the campaign are “consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB).” No official attribution has been made yet, but the sophistication of the attack suggests a “well-resourced and highly capable adversary” is behind it, potentially even a state-sponsored hacking group.

Hackers gain initial access through brute-force attacks against the router’s configuration interface, together with two authentication bypass exploits for zero-day vulnerabilities that had not been assigned CVE identifiers at the time of writing. Another flaw, tracked as CVE-2023-39780, is also exploited in the attack to execute system commands, although Asus has patched it in a recent software update. This flaw affected Asus RT-AX55 routers.
At the time of writing, over 9,000 Asus routers have been infected, and the number continues to rise. Because the hackers disable logging and abuse official router features, the attack leaves little digital footprint and is hard to trace. In fact, GreyNoise claims that “without emulated profiles and deep inspection, this attack would likely have remained invisible.” Even after installing Asus’ latest update, a compromised router will remain infected unless the attacker’s SSH access is manually removed.
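Because the persistence relies on the router’s own SSH feature rather than on malware, a firmware update does not clear it; an administrator has to check the stored configuration. The script below is an added example, not code from the article, GreyNoise or Asus. It audits an `nvram show`-style dump for the signs a defender would look for: SSH enabled, SSH exposed to the WAN, a non-standard SSH port, authorized keys that the operator never provisioned, and logging turned off. The NVRAM variable names (`sshd_enable`, `sshd_wan`, `sshd_port`, `sshd_authkeys`, `log_level`), the escaped-newline storage of multiple keys, and the sample dump are all assumptions constructed for this example; verify the names against your own firmware before relying on them.

```python
"""Audit an ASUS router NVRAM dump for unexpected SSH persistence.

Added example, not from the article or from GreyNoise/ASUS. The variable
names used here are assumed ASUSWRT NVRAM keys; confirm them against
`nvram show` on the firmware you actually run.
"""
import base64
import hashlib

# A key the operator knowingly provisioned (constructed, not a real key).
KNOWN_ADMIN_KEY = "ssh-ed25519 " + "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43 + " admin@lan"
# A key the operator never provisioned (constructed, not a real key).
UNPROVISIONED_KEY = "ssh-rsa " + "AAAAB3NzaC1yc2EAAAADAQABAAAA" + "A" * 40 + " unknown"

# Allowlist of keys that are expected on the device (assumption: kept out of band).
KNOWN_KEYS = {KNOWN_ADMIN_KEY}

# Constructed `nvram show`-style dump. Assumption: multiple authorized keys are
# stored in one value separated by a literal backslash-n sequence.
SAMPLE_NVRAM = "\n".join([
    "lan_ipaddr=192.168.50.1",
    "sshd_enable=1",
    "sshd_wan=1",
    "sshd_port=2222",
    "sshd_authkeys=" + KNOWN_ADMIN_KEY + "\\n" + UNPROVISIONED_KEY,
    "log_level=0",
])


def parse_nvram(dump: str) -> dict:
    """Turn key=value lines into a dict; blank and malformed lines are skipped."""
    settings = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key] = value
    return settings


def fingerprint(authorized_key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint (base64 without padding) of a key blob.

    Falls back to hashing the raw text if the blob is not valid base64, so a
    malformed entry is still reported rather than crashing the audit.
    """
    parts = authorized_key_line.split()
    blob = parts[1] if len(parts) > 1 else parts[0]
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        raw = blob.encode()
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_ssh(settings: dict, known_keys=KNOWN_KEYS) -> list:
    """Return a list of finding tags for the persistence indicators discussed above."""
    findings = []
    if settings.get("sshd_enable", "0") != "0":
        findings.append("ssh_enabled")
        if settings.get("sshd_wan", "0") == "1":
            findings.append("ssh_reachable_from_wan")
        port = settings.get("sshd_port", "22")
        if port != "22":
            findings.append("ssh_nonstandard_port:" + port)
    # Keys are checked even when sshd is currently off: a stored key survives
    # a later re-enable, a reboot and a firmware update.
    stored = settings.get("sshd_authkeys", "").replace("\\n", "\n")
    for key in stored.splitlines():
        key = key.strip()
        if key and key not in known_keys:
            findings.append("unknown_authorized_key:" + fingerprint(key))
    if settings.get("log_level", "") == "0":
        findings.append("logging_disabled")
    return findings


def audit_dump(dump: str) -> list:
    """Convenience wrapper: parse a dump and audit it in one call."""
    return audit_ssh(parse_nvram(dump))


if __name__ == "__main__":
    for finding in audit_dump(SAMPLE_NVRAM):
        print(finding)
```

On a real device the dump would come from `nvram show` over a trusted local session; any `unknown_authorized_key` finding means the stored key must be removed (and the SSH feature disabled if it is not needed), since the article notes that a firmware update alone leaves the access in place.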