If You Have an Asus Router, You Need to Check If It Has Been Hacked

Asus routers are popular and well-rated. So, there’s a good chance one of them is powering your home Wi-Fi. If so, you should check it, as thousands of Asus routers are currently compromised.

What’s happened?

Cybersecurity company GreyNoise published a blog post about the router attack on Wednesday. GreyNoise claims that the attackers used brute-force login attempts (trying millions of username and password guesses until one works) and authentication bypasses (getting in without passing the router’s normal login check) to compromise these routers. Notably, the hackers used authentication bypass methods that do not have a CVE (Common Vulnerabilities and Exposures) assigned. CVEs are labels used to track publicly disclosed security vulnerabilities, so the weaknesses used here were either unknown or known only to a limited number of people.

Once in, the hackers exploited the CVE-2023-39780 vulnerability in the Asus router to run any commands they wanted. They enabled SSH (secure shell) access through the Asus settings, allowing them to connect to and control the devices. They then stored the configuration — or backdoor — in NVRAM, rather than on the router’s disk. The hackers left no malware behind and even disabled logging, making their attacks difficult to detect.

It is unclear who is behind these attacks, but GreyNoise said the following: “The tactics used in this campaign — stealthy initial access, use of built-in system features for persistence, and careful evasion of detection — are consistent with those used in sophisticated, long-term operations, including activities involving advanced persistent threat (APT) actors and operational relay box (ORB) networks. While GreyNoise did not cite a source, the level of sophistication suggests a well-equipped and highly effective adversary.”

How did GreyNoise know about this?

Sift, GreyNoise’s AI technology, first discovered the issue on March 17 after noticing unusual traffic. GreyNoise uses fully emulated Asus profiles with factory firmware to test for such issues, allowing researchers to observe the full behavior of the attackers, reproduce the attack, and learn how the backdoor was installed. The company’s researchers received the Sift report the following day and began investigating, coordinating with “government and industry partners.”

GreyNoise reported that as of May 27, nearly 9,000 routers had been confirmed to have been compromised. The company pulls this data from Censys, which monitors internet-facing devices around the world. To make matters worse, the number of affected devices continues to grow: At the time of writing, Censys’s website lists 9,022 affected routers.

Fortunately, GreyNoise reports that Asus has patched the security vulnerability in a recent firmware update. However, if the router was compromised before the patch was installed, the backdoor embedded in the router will not be removed by the update. Even if this is the case, you can take steps to protect your router.

If you have an Asus router, do this

First, make sure your router is actually made by Asus. If so, log in to the router using your internet browser. Logging in to the router varies by device, but Asus says you can go to www.asusrouter.com or type the router’s IP address into the address bar, then log in using your Asus router username and password. Asus says that if you’re logging into the router for the first time, you’ll need to set up your account.


From here, look for the “Enable SSH” settings option. (According to PCMag, you can find it under “Tools” or “Administration.”) You’ll know your router has been hacked if you see that someone can log in via SSH on port 53828 with the following key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ (the rest of the key has been trimmed to reduce length).

Now disable SSH access and block the following IP addresses:

  • 101.99.91.151
  • 101.99.94.173
  • 79.141.163.179
  • 111.90.146.237

From here, reset your router to factory settings. Unfortunately, a patch alone won’t be enough, as the attack persists after any update. A full reset is the only way to ensure that your router is protected.

However, if your router shows none of these signs, install the latest firmware update as soon as possible. Unaffected routers that install the latest patch will be protected from this type of attack in the future.
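For readers who would rather check an exported copy of their router’s settings than click through menus, here is a small triage script, added as an example and not part of the article or of Asus’s or GreyNoise’s tooling. It looks for the indicators the article lists (SSH enabled on port 53828, the published key prefix, and contact with the four addresses); the settings-variable names are assumed Asuswrt-style names, and the sample export and log lines are constructed.

```python
import re
from dataclasses import dataclass, field

# Indicators as published in the article. The key is truncated there, so only the
# published prefix can be matched: a prefix hit confirms, but a miss does not clear.
BACKDOOR_PORT = 53828
BACKDOOR_KEY_PREFIX = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ"
ATTACKER_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}

@dataclass
class Findings:
    ssh_enabled: bool = False
    ssh_port: int = 0  # 0 means the export carried no port setting
    backdoor_key: bool = False
    attacker_contacts: list = field(default_factory=list)

    @property
    def compromised(self) -> bool:
        return self.backdoor_key or (self.ssh_enabled and self.ssh_port == BACKDOOR_PORT)

def parse_nvram(dump: str) -> dict:
    """Parse 'name=value' lines as in an 'nvram show'-style export; '#' lines are skipped."""
    settings = {}
    for line in dump.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, _, value = line.partition("=")
            settings[name.strip()] = value.strip()
    return settings

def triage(nvram_dump: str, log_lines: list) -> Findings:
    s = parse_nvram(nvram_dump)
    f = Findings()
    # Variable names are assumed Asuswrt-style names; adjust them to your firmware's export.
    f.ssh_enabled = s.get("sshd_enable", "0") == "1"
    f.ssh_port = int(s["sshd_port"]) if s.get("sshd_port", "").isdigit() else 0
    # The authorized-keys value may hold several keys, split by real or literal '\n'.
    keys = s.get("sshd_authkeys", "").replace("\\n", "\n").splitlines()
    f.backdoor_key = any(k.strip().startswith(BACKDOOR_KEY_PREFIX) for k in keys)
    ip_re = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    for line in log_lines:  # any contact with a listed address deserves a closer look
        for ip in ip_re.findall(line):
            if ip in ATTACKER_IPS and ip not in f.attacker_contacts:
                f.attacker_contacts.append(ip)
    return f

# Constructed sample export and log lines, not taken from a real device.
SAMPLE_NVRAM = ("sshd_enable=1\nsshd_port=53828\n"
                f"sshd_authkeys={BACKDOOR_KEY_PREFIX}REST-OF-KEY-CONSTRUCTED backdoor\n")
SAMPLE_LOG = ["dropbear[1234]: Child connection from 101.99.91.151:40210",
              "dropbear[1234]: Child connection from 192.168.1.20:51000"]
```

Run `triage(SAMPLE_NVRAM, SAMPLE_LOG)` to see a compromised result; a device that trips either indicator still needs the factory reset described above, since disabling SSH alone does not remove the stored backdoor.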
