Asus routers face potential threat from hidden backdoor weakness
Security researchers from GreyNoise have uncovered an ongoing assault on Asus routers that are connected to the internet, exploiting vulnerabilities in these devices. The campaign, which has compromised thousands of routers and counting, involves a command injection vulnerability and sophisticated long-term access planning by an as yet unidentified attacker.
In a detailed analysis, GreyNoise noted that anomalous network payloads are attempting to disable TrendMicro security features in ASUS routers and then exploit vulnerabilities in ASUS AiProtection features on said routers. The attackers initially try to gain access by either bruteforcing login.cgi or using older authentication bypass vulnerabilities. Once they have gained control of the router hardware, they deploy payloads that exploit a command injection vulnerability, allowing them to create an empty file that enables BWDPI logging, a TrendMicro feature embedded in ASUS routers.
The finale of the attack involves enabling remote SSH through official Asus settings, with a public key controlled by the attacker added to the router's keyring, thereby granting the attacker exclusive SSH access. This backdoor persists across firmware upgrades, even after the original vulnerability used to gain access has been patched.
Interestingly, the attackers do not install malicious code such as ransomware via the router, and they take care to disable router logging, possibly indicating long-term access planning and the possibility that this campaign is laying the groundwork for a botnet.
GreyNoise points out that while ASus recently released a patch for one of the vulnerabilities (CVE-2023-39780) in a firmware update, already-compromised routers remain at risk. The security firm recommends that companies using Asus routers check them for SSH access on TCP/53282, look for any unauthorized entries in the authorized_keys file, and block four specific IP addresses to mitigate risk. If a router is suspected to be compromised, administrators should perform a full factory reset and reconfigure it manually.
This ongoing exploitation of ASUS routers highlights the importance of timely updates and robust configuration management for network devices.
Relevant Enrichment Data:- The main vulnerability exploited is CVE-2023-39780, a command injection flaw that affects ASUS RT-AX55 models.- The campaign is suspected to be laying groundwork for a large-scale botnet by establishing a distributed network of backdoored routers.
- The complex assault on Asus routers, involving the exploitation of CVE-2023-39780 and other vulnerabilities, underscores the significance of data-and-cloud-computing security in the era of technology.
- To strengthen cybersecurity and reduce risk, GreyNoise advises companies using Asus routers to prioritize robust configuration management, regularly check for unauthorized access, and promptly apply updates to protect against known vulnerabilities.
