InfoSecBulletin Cybersecurity for mankind
GreyNoise has discovered a campaign where attackers have gained unauthorized access to thousands of internet-exposed ASUS routers. This seems to be part of a covert effort to create a network of backdoor devices, possibly aiming to establish a botnet in the future.
The tactics in this campaign—sneaky initial access, using built-in system features to stay persistent, and avoiding detection—are similar to those used by advanced persistent threat (APT) actors and operational relay box (ORB) networks. GreyNoise hasn’t attributed this activity, but the sophistication indicates a well-resourced and skilled adversary.
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
The attacker retains control over affected devices even after reboots and firmware updates. They achieve long-term access without installing malware or leaving clear evidence by using authentication bypasses, exploiting a known vulnerability, and misusing legitimate configuration features.
Sift, GreyNoise’s AI analysis tool, along with emulated ASUS router profiles in the GreyNoise Global Observation Grid, helped us identify subtle exploitation attempts in global traffic and piece together the entire attack sequence.
Summary of Findings:
Thousands of ASUS routers are confirmed compromised, with the number steadily increasing.
Attackers gain access using brute-force login attempts and authentication bypasses, including techniques not assigned CVEs.
Attackers exploit CVE-2023-39780, a command injection flaw, to execute system commands.
They use legitimate ASUS features to:
Enable SSH access on a custom port (TCP/53282).
Insert attacker-controlled public key for remote access.
The backdoor is stored in non-volatile memory (NVRAM) and is therefore not removed during firmware upgrades or reboots.
No malware is installed, and router logging is disabled to evade detection.
The techniques used reflect long-term access planning and a high level of system knowledge.
Confirmed Exploitation Chain:
Initial Access
Brute-force login attempts.
Two authentication bypass techniques (no CVEs assigned).
Command Execution
Exploitation of CVE-2023-39780 to run arbitrary commands.
Persistence
SSH access is enabled via official ASUS settings.
Attacker inserts a custom public SSH key.
Configuration is stored in NVRAM, not on disk.
Stealth
Logging is disabled before persistence is established.
No malware is left behind.
Indicators of Compromise:
IP addresses involved in this activity:
101.99.91.151
101.99.94.173
79.141.163.179
111.90.146.237
ASUS patched CVE-2023-39780 in a recent firmware update.
If a router was compromised before updating, the backdoor will still be present unless SSH access is explicitly reviewed and removed.
Recommendations:
Check ASUS routers for SSH access on TCP/53282. Review the authorized_keys file for any unauthorized entries. Block the four specified IPs. If a compromise is suspected, perform a factory reset and manually reconfigure the router.
