GreyNoise Flags 9,000 ASUS Routers Backdoored Via Patched Vulnerability

Threat intelligence firm GreyNoise on Wednesday lifted the lid on a stealth malware campaign that has quietly converted thousands of internet-facing ASUS home and small-office routers into backdoor nodes since at least mid-March. 

In an advisory coordinated with government and industry partners, the Washington-based GreyNoise said unidentified attackers are chaining a mix of brute-force logins, two older authentication bypass flaws and a 2023 command-injection bug to seize full control of the devices, then using legitimate configuration settings to lock in that access. 

The result is what GreyNoise calls ‘AyySSHush’, a network of routers that can survive firmware upgrades, factory reboots and most anti-malware scans, ideal real estate for a future botnet or relay infrastructure for professional hacking teams.

Using scan data from Censys, GreyNoise estimates about 9,000 ASUS routers are confirmed compromised.

Separately, French security research firm Sekoia warned that a Chinese-speaking threat actor called ‘ViciousTrap’ has compromised more than 5,500 edge devices, turning them into honeypots.

Sekoia said more than 50 brands, including SOHO routers, SSL VPNs, DVRs, and BMC controllers, are being monitored by this actor, possibly to collect data on vulnerabilities and exploits affecting these systems.

SecurityWeek sources say the two discoveries are connected.

According to GreyNoise, an internal “Sift” anomaly-detection engine flagged three unusual HTTP POST requests aimed at fully emulated ASUS routers inside the company’s sensor grid. 

The company’s researchers reconstructed an attack chain that toggles built-in AiProtection functions, enables SSH on TCP port 53282, and plants an attacker-controlled public key in non-volatile memory. Because the tweak is saved in NVRAM rather than on disk, GreyNoise found that the backdoor persists even after administrators patch the vulnerable firmware or power-cycle the router. 

The attackers were also observed disabling logging to cover their tracks.

At the centre of the exploitation chain is CVE-2023-39780, a command-injection flaw in multiple ASUS router lines that the vendor quietly patched in recent firmware images. GreyNoise says the attackers start by guessing weak credentials or leveraging two authentication bypass techniques that have not been assigned CVE identifiers to reach an administrative endpoint. The already-patched security bug is then exploited to run system commands.
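Because the persistence described above lives in NVRAM settings rather than in a file, a practical check is to export the router's NVRAM (`nvram show` over a trusted shell, or a settings backup) and scan it for SSH enabled on the port named in the advisory and for authorized keys that are not on an operator allowlist. The script below is an added example, not code from GreyNoise or the article; the NVRAM variable names (`sshd_enable`, `sshd_port`, `sshd_authkeys`) follow ASUSWRT naming conventions and are assumptions to verify against your own model's output, and the sample dump and keys are constructed placeholders.

```python
"""Scan an exported ASUS router NVRAM dump for the AyySSHush persistence
indicators described in the article: SSH enabled on TCP/53282 and an
attacker-controlled public key stored in NVRAM.

Variable names below are ASSUMED (ASUSWRT-style); confirm them against
`nvram show` on the device before relying on this check.
"""
import re

BACKDOOR_SSH_PORT = 53282  # port named in the GreyNoise advisory

# Assumed NVRAM variable names; adjust to match your firmware.
VAR_SSH_ENABLE = "sshd_enable"
VAR_SSH_PORT = "sshd_port"
VAR_SSH_KEYS = "sshd_authkeys"

# Matches "<key-type> <base64 material>" pairs; trailing comments are
# skipped because they do not start with "ssh-".
KEY_RE = re.compile(r"(ssh-[a-z0-9-]+) (\S+)")


def parse_nvram(dump: str) -> dict:
    """Parse `name=value` lines. Values may contain '=', so split once."""
    settings = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name] = value
    return settings


def find_indicators(settings: dict, approved_keys: set) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    ssh_on = settings.get(VAR_SSH_ENABLE, "0") != "0"
    port = settings.get(VAR_SSH_PORT, "")
    if ssh_on and port == str(BACKDOOR_SSH_PORT):
        findings.append(f"sshd enabled on port {port} (port named in the advisory)")
    # Every key in NVRAM must be one the operator deliberately installed.
    for key_type, material in KEY_RE.findall(settings.get(VAR_SSH_KEYS, "")):
        if material not in approved_keys:
            findings.append(f"authorized key not in allowlist: {key_type} {material}")
    return findings


def scan(dump: str, approved_keys: set) -> list:
    """Convenience wrapper: parse a raw dump and evaluate it in one call."""
    return find_indicators(parse_nvram(dump), approved_keys)


# Constructed sample dump: one operator-approved key and one unknown key.
SAMPLE_DUMP = """\
lan_ipaddr=192.168.50.1
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-ed25519 AAAAC3ADMINKEYEXAMPLE admin@lan ssh-rsa AAAAB3UNKNOWNKEYEXAMPLE
wan_proto=dhcp
"""
APPROVED_KEYS = {"AAAAC3ADMINKEYEXAMPLE"}  # constructed placeholder

if __name__ == "__main__":
    for finding in scan(SAMPLE_DUMP, APPROVED_KEYS):
        print("FLAG:", finding)
```

Run it against a dump taken from a router you administer; a clean device with SSH disabled and only your own keys returns no findings, and any unknown key material is worth treating as a compromise indicator even if the port differs from 53282, since the port is the attacker's choice and the key is the durable foothold.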

“The tactics used in this campaign (stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection) are consistent with those seen in advanced, long-term operations,” GreyNoise warned.

“The level of tradecraft suggests a well-resourced and highly capable adversary,” the company added. 
