Massive Botnet Targets ASUS Routers by Injecting Malicious SSH Keys
GreyNoise Research has publicly disclosed a sophisticated cyberattack campaign that has compromised over 9,000 ASUS routers worldwide.
First detected by GreyNoise’s proprietary AI-powered analysis tool, Sift, on March 18, 2025, the campaign leverages a combination of brute-force attacks, authentication bypasses, and a known command injection vulnerability (CVE-2023-39780) to gain and maintain unauthorized access to internet-exposed routers.
The attackers’ tactics and the campaign’s stealth suggest involvement by a highly capable, possibly nation-state, adversary, though no concrete attribution has been made.
Unlike typical malware campaigns, this operation abuses legitimate ASUS router features to establish persistence.
Once a device is compromised, the attackers enable SSH access on a non-standard port (TCP/53282) and insert their own SSH public key for remote access.
The configuration changes are stored in the router’s non-volatile memory (NVRAM), allowing the backdoor to survive both firmware upgrades and device reboots.
Technical Attack Chain:
The attack unfolds in a multi-stage process:
- Initial Access: Attackers use brute-force login attempts and two undisclosed authentication bypass techniques (not yet assigned CVEs) to penetrate the router’s defenses.
- Command Execution: Upon gaining access, they exploit CVE-2023-39780, a command injection flaw, to execute arbitrary system commands.
- Persistence: SSH access is enabled via official ASUS configuration settings, and a custom attacker-controlled SSH key is inserted. These changes are written to NVRAM, ensuring persistence even after firmware updates or reboots.
- Stealth: To evade detection, attackers disable router logging and Trend Micro’s AiProtection security features. No malware is installed, and no suspicious files are dropped, making the operation nearly invisible to standard monitoring tools.
GreyNoise’s Sift tool flagged just three anomalous HTTP POST requests targeting ASUS router endpoints, which led to the discovery of the campaign.
The subtlety of the attack is underscored by the fact that only 30 related network events were observed over three months, despite nearly 9,000 routers being compromised.
Indicators of Compromise and Mitigation Steps
The campaign’s scope is global, with Censys scans confirming nearly 9,000 affected ASUS routers as of May 27, 2025.
Key indicators of compromise include:
- SSH server running on TCP port 53282
- Unauthorized SSH public keys in the router’s configuration
- Disabled logging and security features
- Involvement of the following IP addresses:
  - 101.99.91.151
  - 101.99.94.173
  - 79.141.163.179
  - 111.90.146.237
ASUS has patched CVE-2023-39780 and the initial authentication bypasses in recent firmware updates.
However, the SSH backdoor and configuration changes are not removed by firmware upgrades. If a router was compromised before updating, the backdoor will persist unless SSH configurations are manually reviewed and unauthorized keys removed.
Recommendations for users and administrators:
- Check for SSH access on TCP/53282.
- Review the authorized_keys file for unauthorized entries.
- Block the listed malicious IPs at the network perimeter.
- If a compromise is suspected, perform a full factory reset and reconfigure the device manually.
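The first three checks above, written out as an added Python example for an administrator's workstation (not GreyNoise's or ASUS's code): it fingerprints every authorized_keys entry and reports any that are not on an approved set, scans log lines for the four addresses named in the report, and tests whether TCP/53282 accepts connections. The key blobs and log lines are constructed samples; the fingerprint notation follows what OpenSSH's ssh-keygen -l prints.

```python
import base64
import hashlib
import re
import socket

# Indicators from the GreyNoise disclosure summarised above
IOC_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}
BACKDOOR_PORT = 53282
_IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def key_fingerprint(entry):
    """SHA256 fingerprint (as ssh-keygen -l prints it) of one authorized_keys line."""
    parts = entry.split()
    # A line may start with options such as no-pty or command="...", so find the key type
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            digest = hashlib.sha256(base64.b64decode(parts[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def unexpected_keys(authorized_keys_text, approved):
    """Fingerprints in the file that are not in the administrator's approved set."""
    rogue = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fp = key_fingerprint(line)
            if fp is not None and fp not in approved:
                rogue.append(fp)
    return rogue

def ioc_hits(log_lines):
    """(line number, ip) for every log line mentioning one of the reported addresses."""
    return [(n, ip) for n, line in enumerate(log_lines, 1)
            for ip in _IPV4.findall(line) if ip in IOC_IPS]

def backdoor_port_open(host, port=BACKDOOR_PORT, timeout=2.0):
    """True if the router accepts a TCP connection on the non-standard SSH port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample data: the key blobs are placeholders, not real public keys
ADMIN_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed admin key blob").decode()
ROGUE_KEY = "ssh-rsa " + base64.b64encode(b"constructed rogue key blob").decode()
SAMPLE_AUTHORIZED_KEYS = f"# constructed sample\n{ADMIN_KEY} admin@mgmt\nno-pty {ROGUE_KEY}\n"
SAMPLE_LOG = ["May 27 10:02:45 router httpd: HTTP POST from 101.99.91.151 to 192.168.50.1",
              "May 27 10:03:01 router sshd: connection from 79.141.163.179:40112"]
```

Run unexpected_keys on the router's real authorized_keys contents with the fingerprints of your own keys as the approved set; any fingerprint it returns is one you did not install.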
This campaign highlights the increasing sophistication of router-based attacks and the importance of proactive monitoring, regular configuration reviews, and prompt application of security patches to defend against evolving threats.