InfoSecBulletin Cybersecurity for mankind
GreyNoise has discovered a campaign where attackers have gained unauthorized access to thousands of internet-exposed ASUS routers. This seems to be part of a covert effort to create a network of backdoor devices, possibly aiming to establish a botnet in the future.
The tactics in this campaign—sneaky initial access, using built-in system features to stay persistent, and avoiding detection—are similar to those used by advanced persistent threat (APT) actors and operational relay box (ORB) networks. GreyNoise hasn’t attributed this activity, but the sophistication indicates a well-resourced and skilled adversary.
Hackers Bypass Gmail MFA With App-Specific Password Reuse
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems
Paraguay 7.4 Million Citizen Records Leaked on Dark Web
High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation
SoftBank: Over 137,000 personal info leaked
The attacker retains control over affected devices even after reboots and firmware updates. They achieve long-term access without installing malware or leaving clear evidence by using authentication bypasses, exploiting a known vulnerability, and misusing legitimate configuration features.
Sift, GreyNoise’s AI analysis tool, along with emulated ASUS router profiles in the GreyNoise Global Observation Grid, helped us identify subtle exploitation attempts in global traffic and piece together the entire attack sequence.
Summary of Findings:
Thousands of ASUS routers are confirmed compromised, with the number steadily increasing.
Attackers gain access using brute-force login attempts and authentication bypasses, including techniques not assigned CVEs.
Attackers exploit CVE-2023-39780, a command injection flaw, to execute system commands.
They use legitimate ASUS features to:
Enable SSH access on a custom port (TCP/53282).
Insert attacker-controlled public key for remote access.
The backdoor is stored in non-volatile memory (NVRAM) and is therefore not removed during firmware upgrades or reboots.
No malware is installed, and router logging is disabled to evade detection.
The techniques used reflect long-term access planning and a high level of system knowledge.
Confirmed Exploitation Chain:
Initial Access
Brute-force login attempts.
Two authentication bypass techniques (no CVEs assigned).
Command Execution
Exploitation of CVE-2023-39780 to run arbitrary commands.
Persistence
SSH access is enabled via official ASUS settings.
Attacker inserts a custom public SSH key.
Configuration is stored in NVRAM, not on disk.
Stealth
Logging is disabled before persistence is established.
No malware is left behind.
Indicators of Compromise:
IP addresses involved in this activity:
101.99.91.151
101.99.94.173
79.141.163.179
111.90.146.237
ASUS patched CVE-2023-39780 in a recent firmware update.
If a router was compromised before updating, the backdoor will still be present unless SSH access is explicitly reviewed and removed.
Recommendations:
Check ASUS routers for SSH access on TCP/53282. Review the authorized_keys file for any unauthorized entries. Block the four specified IPs. If a compromise is suspected, perform a factory reset and manually reconfigure the router.
