Critical Update for Asus Router Users
The routers from Asus have garnered a significant reputation and are frequently featured in top reviews. It’s likely that one of their devices serves as your home’s Wi-Fi source. If it is, it’s essential to investigate your router’s status, as a considerable number of Asus models have recently been compromised.
What transpired?
A cybersecurity firm, GreyNoise, reported on this router breach on Wednesday. The attackers employed brute-force login strategies (attempting millions of login combinations until access is gained) alongside authentication bypass methods (bypassing standard login protocols) to infiltrate these routers. Notably, the authentication techniques used were not linked to any existing CVEs (Common Vulnerabilities and Exposures). CVEs are labels utilized for tracking known security flaws, suggesting that the vulnerabilities were either undisclosed or only known to a select group.
Once access was obtained, the intruders took advantage of the Asus router’s CVE-2023-39780 vulnerability to execute arbitrary commands. They enabled SSH (Secure Shell) access via Asus’s settings, allowing them to control the devices remotely. Furthermore, they stored the backdoor configuration in NVRAM instead of the router’s disk. These hackers did not leave behind any malware and even disabled logging, complicating efforts to detect their activities.
While the identity of the attackers remains unknown, GreyNoise indicated that their methods reflect those typical of advanced, persistent threat (APT) groups. The statement read, “The strategies employed—subtle initial access, retention through built-in system features, and careful obfuscation of their footprint—align with advanced operational tactics seen in APT environments.” Although no specific attribution has been made, the sophistication of these techniques suggests that a well-resourced and skilled adversary may be at play.
Detection by GreyNoise
GreyNoise’s AI tool, Sift, initially recognized problematic activity on March 17, detecting unusual network traffic. The firm utilizes fully emulated Asus profiles operating with factory settings to probe for issues, which enabled them to observe the attackers’ behavior, replicate the breach, and analyze how the backdoor was integrated. Following Sift’s findings, researchers at GreyNoise began collaborating with “government and industry partners” to investigate further.
By May 27, approximately 9,000 routers had been confirmed compromised, with data being sourced from Censys, a service that monitors internet-connected devices worldwide. Alarmingly, the number of affected devices has continued to rise, with 9,022 Asus routers currently listed on Censys.
Fortunately, GreyNoise has confirmed that Asus has issued a patch addressing the security flaw in a recent firmware update. However, if a router was compromised before applying this patch, the backdoor remains intact. Even so, users can take steps to secure their routers.
Steps for Asus Router Owners
To begin, verify that your router is indeed an Asus model. If it is, access the router’s settings through your web browser. Logging in varies between models, but Asus suggests visiting www.asusrouter.com or entering the router’s IP address in the browser, then logging in using your Asus router credentials. If it’s your first login, you’ll need to set up your account.
Next, locate the option to “Enable SSH” in the settings (this may be found under “Service” or “Administration,” as noted by PCMag). If SSH access is enabled and you see that an external user can log in through port 53828 with the following key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ
(truncated for brevity), your router may be compromised.
To secure your router, disable the SSH access and block these IP addresses:
- 101.99.91.151
- 101.99.94.173
- 79.141.163.179
- 111.90.146.237
After making these adjustments, perform a factory reset on your router. A simple firmware update won’t suffice, as the backdoor can persist through updates. A complete reset is imperative to ensure your router’s safety.
If your router shows no signs of compromise, make sure to install the latest firmware update immediately. Unaffected routers that receive this update will gain protection against similar attacks in the future.