Monday , July 13 2026
ASUS routers

CVE-2023-39780
Botnet hacks thousands of ASUS routers

GreyNoise has discovered a campaign where attackers have gained unauthorized access to thousands of internet-exposed ASUS routers. This seems to be part of a covert effort to create a network of backdoor devices, possibly aiming to establish a botnet in the future.

The tactics in this campaign—sneaky initial access, using built-in system features to stay persistent, and avoiding detection—are similar to those used by advanced persistent threat (APT) actors and operational relay box (ORB) networks. GreyNoise hasn’t attributed this activity, but the sophistication indicates a well-resourced and skilled adversary.

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the campaign has been observed globally,...
Read More
CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

The attacker retains control over affected devices even after reboots and firmware updates. They achieve long-term access without installing malware or leaving clear evidence by using authentication bypasses, exploiting a known vulnerability, and misusing legitimate configuration features.

Sift, GreyNoise’s AI analysis tool, along with emulated ASUS router profiles in the GreyNoise Global Observation Grid, helped us identify subtle exploitation attempts in global traffic and piece together the entire attack sequence.

Summary of Findings:

Thousands of ASUS routers are confirmed compromised, with the number steadily increasing.
Attackers gain access using brute-force login attempts and authentication bypasses, including techniques not assigned CVEs.
Attackers exploit CVE-2023-39780, a command injection flaw, to execute system commands.
They use legitimate ASUS features to:
Enable SSH access on a custom port (TCP/53282).
Insert attacker-controlled public key for remote access.
The backdoor is stored in non-volatile memory (NVRAM) and is therefore not removed during firmware upgrades or reboots.
No malware is installed, and router logging is disabled to evade detection.
The techniques used reflect long-term access planning and a high level of system knowledge.

Confirmed Exploitation Chain:

Initial Access
Brute-force login attempts.
Two authentication bypass techniques (no CVEs assigned).

Command Execution
Exploitation of CVE-2023-39780 to run arbitrary commands.

Persistence
SSH access is enabled via official ASUS settings.
Attacker inserts a custom public SSH key.
Configuration is stored in NVRAM, not on disk.

Stealth
Logging is disabled before persistence is established.
No malware is left behind.

Indicators of Compromise:

IP addresses involved in this activity:

101.99.91.151
101.99.94.173
79.141.163.179
111.90.146.237

ASUS patched CVE-2023-39780 in a recent firmware update.
If a router was compromised before updating, the backdoor will still be present unless SSH access is explicitly reviewed and removed.

Recommendations:
Check ASUS routers for SSH access on TCP/53282. Review the authorized_keys file for any unauthorized entries. Block the four specified IPs. If a compromise is suspected, perform a factory reset and manually reconfigure the router.

Check Also

Tenda

CERT/CC Alerts to Hidden Admin Backdoor in Tenda Router Firmware

Several Tenda firmware versions have a hidden backdoor that lets people gain admin access to …