Thousands of ASUS wireless routers compromised by botnet


Thousands of ASUS wireless routers have been compromised by a botnet that has also been targeting Cisco, D-Link, and Linksys devices. The way in which routers are infected means that they remain under the control of attackers even if the firmware is updated …

ASUS wireless routers compromised

Security researchers at GreyNoise first detected the exploit back in March, but held off on making it public until the industry had time to coordinate a response.

GreyNoise has identified an ongoing exploitation campaign in which attackers have gained unauthorized, persistent access to thousands of ASUS routers exposed to the internet. This appears to be part of a stealth operation to assemble a distributed network of backdoor devices — potentially laying the groundwork for a future botnet […]

The attacker’s access survives both reboots and firmware updates, giving them durable control over affected devices. The attacker maintains long-term access without dropping malware or leaving obvious traces by chaining authentication bypasses, exploiting a known vulnerability, and abusing legitimate configuration features.

It’s believed that a nation state may be behind the attack, and that it plans to use the compromised routers for a large-scale exploit.

ASUS routers affected include the RT-AC3100, RT-AC3200, and RT-AX55.

Once your router has been compromised, it’s then too late to update the firmware, notes Bleeping Computer.

These modifications allow the threat actors to retain backdoor access to the device even between reboots and firmware updates. “Because this key is added using the official ASUS features, this config change is persisted across firmware upgrades,” explains another related report by GreyNoise.

“If you’ve been exploited previously, upgrading your firmware will NOT remove the SSH backdoor.”

The exploit also turns off logging, making it hard to tell whether or not your router is compromised.

What to do

If you have one of the listed ASUS models, it’s recommended to factory reset your router as the only way to ensure it is clean. After that, do a firmware update. Although an update on its own won’t remove the infection, updating after a full reset will prevent it being compromised again.

There is no word on any successful infection of the other brands named, so no action is required for these.

You can learn more about it over at GreyNoise.


Image: 9to5Mac collage of images from ASUS and Mathias Reding on Unsplash
