Asus routers at risk from backdoor vulnerability
Thousands of devices have been compromised, claims GreyNoise


Analysts at cybersecurity firm GreyNoise have discovered an “ongoing wave of exploitation targeting Asus routers” that are exposed to the internet.
According to the company, thousands of routers have been confirmed as being compromised, with the number continuing to increase.
In a full analysis published by the company, it was noted that “anomalous network payloads … are attempting to disable TrendMicro security features in ASUS routers, then exploit vulnerabilities and novel tradecraft in ASUS AiProtection features on those routers”.
The attack starts with an attempt to gain access either by brute-forcing login.cgi or by using older authentication bypass vulnerabilities. Once they have gained privileged access to the hardware, the attackers deploy payloads that exploit a command injection vulnerability.
This allows them to create an empty file that, GreyNoise said, “enables BWDPI logging, a TrendMicro feature embedded in ASUS routers”.
The final step of the attack is remote SSH being enabled through official Asus settings, with a public key controlled by the attacker added to the router’s keyring.
“This grants the attacker exclusive SSH access. Additionally, because the backdoor is part of the official ASUS settings, it will persist across firmware upgrades, even after the original vulnerability used to gain access has been patched,” the company explained.
One thing the attackers don’t do is deploy malicious code such as ransomware via the router. This, plus the care taken not to attract attention, such as disabling router logging, indicates “long-term access planning” and the possibility this campaign was laying the foundations for a botnet.
“The tactics used in this campaign … are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks,” the company said in a blog post. “While GreyNoise has made no attribution, the level of tradecraft suggests a well-resourced and highly capable adversary.”
While Asus released a patch for one of the vulnerabilities – CVE-2023-39780 – in a recent firmware update, this won’t protect routers that have already been compromised.
GreyNoise recommends that companies using Asus routers check them for SSH access on TCP/53282 and look for any unauthorized entries in the authorized_keys file. It also lists four IPs that should be blocked.
If a router is suspected to be compromised, administrators should perform a full factory reset and reconfigure it manually.
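As an added illustration of the check GreyNoise recommends (this is not code from GreyNoise or Asus), the script below audits an exported router configuration for the persistence pattern described above: SSH enabled on the WAN side, the listener on TCP/53282, and authorized keys whose fingerprints are not on an operator-maintained allow-list. The nvram variable names (sshd_enable, sshd_wan, sshd_port, sshd_authkeys) and the '>' separator between keys are assumed to match Asuswrt's layout; the dump and both keys are constructed sample data.

```python
import base64
import hashlib

SUSPICIOUS_PORT = "53282"  # SSH port GreyNoise reported for the backdoor


def parse_nvram(dump: str) -> dict:
    """Parse `key=value` lines (as printed by `nvram show`) into a dict."""
    out = {}
    for line in dump.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def ssh_fingerprint(key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line."""
    key_type, blob_b64 = key_line.split()[:2]   # comment, if any, is ignored
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_ssh(nvram: dict, trusted: set) -> list:
    """Return human-readable findings that match the persistence pattern."""
    findings = []
    if nvram.get("sshd_enable") == "1" and nvram.get("sshd_wan") == "1":
        findings.append("SSH is reachable from the WAN side")
    if nvram.get("sshd_port") == SUSPICIOUS_PORT:
        findings.append(f"SSH listens on TCP/{SUSPICIOUS_PORT}")
    # Assumed: several keys live in one variable, separated by '>'.
    for key in filter(None, nvram.get("sshd_authkeys", "").split(">")):
        fingerprint = ssh_fingerprint(key)
        if fingerprint not in trusted:
            parts = key.split()
            comment = parts[2] if len(parts) > 2 else "(no comment)"
            findings.append(f"untrusted authorized key {fingerprint} {comment}")
    return findings


def _fake_key(comment: str, seed: bytes) -> str:
    """Constructed ed25519-shaped key line; the bytes are invented, not a real key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


ADMIN_KEY = _fake_key("admin@lan", b"admin")      # key the operator installed
ROGUE_KEY = _fake_key("user@host", b"rogue")      # key the operator never added
TRUSTED = {ssh_fingerprint(ADMIN_KEY)}            # operator's allow-list
SAMPLE_NVRAM = "\n".join(["sshd_enable=1", "sshd_wan=1",
                          f"sshd_port={SUSPICIOUS_PORT}",
                          f"sshd_authkeys={ADMIN_KEY}>{ROGUE_KEY}"])

if __name__ == "__main__":
    for finding in audit_ssh(parse_nvram(SAMPLE_NVRAM), TRUSTED):
        print("FINDING:", finding)
```

A clean router (SSH disabled, no unknown keys) produces no findings; any finding is a cue for the factory reset and manual reconfiguration recommended above.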
Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.