A large-scale cyberattack has compromised over 9,000 Asus routers worldwide, and the security researchers who found it warn that the campaign appears to be the work of a highly sophisticated threat actor. The attack represents a concerning escalation in router-focused intrusions: instead of dropping malware, the attackers abuse the router's own SSH server and store the configuration in non-volatile memory, so the backdoor survives both firmware updates and reboots.
Attack Scale and Impact
- Over 9,000 Asus routers confirmed compromised
- Number continues to grow according to Censys internet scanner data
- Only about 30 related access attempts observed over three months, indicating a slow, deliberate campaign
- Attack flagged by GreyNoise on March 18, 2025 and disclosed publicly in May 2025
Advanced Attack Methods Target Router Vulnerabilities
The attackers employed a multi-stage approach to gain unauthorized access to Asus routers. They combined brute-force login attempts with authentication bypass techniques, exploiting both known and previously undisclosed weaknesses in the router's web interface. Once authenticated, the primary exploit leveraged CVE-2023-39780, a command injection flaw that allowed them to execute arbitrary system commands on the device.
What sets this campaign apart is the methodical approach to maintaining long-term control. Rather than installing a malware binary that a scanner or firmware reflash would catch, the attackers used the router's own settings to enable the built-in SSH server on an unusual port and add their public key to the authorized keys. Because nothing foreign is written to the filesystem, this approach is significantly harder to detect for users who are not watching for unusual configuration changes or network behavior.
Technical Details of the Attack
- Primary vulnerability exploited: CVE-2023-39780 (command injection flaw)
- Additional undisclosed vulnerabilities also exploited
- SSH access established on port 53282
- Backdoor stored in non-volatile memory (NVRAM)
- Logging disabled to avoid detection
- Attacker SSH public key (truncated in the published indicator): ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ...
Persistent Backdoors Survive Standard Security Measures
The most concerning aspect of this attack is the persistence of the installed backdoors. The SSH settings the attackers changed live in the router's non-volatile memory (NVRAM), which a firmware update or reboot leaves untouched, so standard remediation efforts do not remove the unauthorized access. They also disabled logging functions to cover their tracks, making it difficult for users or security professionals to detect the compromise after the fact.
Security firm GreyNoise, which discovered the campaign in March 2025, observed that the attackers established SSH access on TCP port 53282 and authenticated with a specific public key, which GreyNoise published in truncated form as an indicator of compromise. The relatively low number of access attempts witnessed over three months suggests the operation is proceeding deliberately and quietly, consistent with long-term strategic objectives rather than immediate financial gain.
Nation-State Involvement Suspected
The sophistication and methodical nature of the attack has led security researchers to suspect involvement by advanced persistent threat (APT) actors, potentially linked to nation-state operations. GreyNoise described the adversary as well-resourced and highly capable, noting that the tactics align with those typically employed by operational relay box (ORB) networks used by government-sponsored hacking groups.
While no specific attribution has been made, such campaigns have historically been associated with cyber operations from countries including China, Russia, North Korea, and Iran. The focus on building a distributed network of compromised devices suggests the attackers are laying groundwork for future large-scale operations rather than seeking immediate monetary returns.
Immediate Action Required for Router Owners
Asus router owners should immediately check their devices for signs of compromise by examining the SSH settings in the router's administration panel. A compromised device will show the SSH server enabled on port 53282, with an authorized public key the owner did not add that begins with ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ...
For routers that are not yet compromised, updating to the latest firmware closes CVE-2023-39780. A firmware update alone is not enough for devices that are already compromised, because the SSH backdoor lives in NVRAM and survives the update. Those devices require more extensive remediation: users must manually remove or disable the malicious SSH entries and block the four attacker IP addresses GreyNoise published: 101.99.91.151, 101.99.94.173, 79.141.163.179, and 111.90.146.237.
Remediation Steps for Asus Router Owners
- Check SSH settings in router administration panel for unauthorized access
- Update firmware immediately if device is uncompromised
- Remove/disable malicious SSH entries if compromised
- Block the four identified malicious IP addresses
- Perform factory reset and manual reconfiguration for compromised devices
- Use strong, unique administrative passwords
- Disable remote management if not needed
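The technical indicators and remediation checks above can be turned into a repeatable triage script. The following is an added example, not code from the original article or from GreyNoise or Asus: it parses the `key=value` text of an AsusWRT `nvram show` dump (or an exported settings file) and flags the SSH settings this campaign leaves behind, then matches connection or syslog lines against the four published attacker IPs. The NVRAM variable names `sshd_enable`, `sshd_port` and `sshd_authkeys` are an assumption based on stock AsusWRT firmware and should be verified against your model; the sample dump and log lines are constructed for the demonstration.

```python
"""Indicator-of-compromise checks for the Asus SSH-backdoor campaign.

Added example (not from the article). Parses an AsusWRT `nvram show` dump
and a list of log lines, and reports the indicators published for the
campaign: SSH on TCP/53282, an attacker public key, four attacker IPs.
"""
import ipaddress
import re

# Published indicators (the key was published truncated; match on the prefix).
IOC_SSH_PORT = 53282
IOC_KEY_PREFIX = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ"
IOC_IPS = frozenset(
    ipaddress.ip_address(ip)
    for ip in ("101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237")
)

# NVRAM variables for the built-in SSH server. ASSUMPTION: names taken from
# stock AsusWRT; confirm with `nvram show | grep sshd` on your own model.
NVRAM_SSH_ENABLE = "sshd_enable"  # "0" = off, "1" = LAN+WAN, "2" = LAN only
NVRAM_SSH_PORT = "sshd_port"
NVRAM_SSH_KEYS = "sshd_authkeys"  # authorized keys; newline or '>' separated

_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_nvram(dump: str) -> dict:
    """Parse `key=value` lines as printed by `nvram show`; values may contain '='."""
    settings = {}
    for line in dump.splitlines():
        if "=" not in line:
            continue  # skip the trailing size summary and blank lines
        key, _, value = line.partition("=")
        settings[key.strip()] = value
    return settings


def check_ssh_settings(settings: dict) -> list:
    """Return human-readable findings for SSH settings matching the campaign."""
    findings = []
    enabled = settings.get(NVRAM_SSH_ENABLE, "0")
    port = settings.get(NVRAM_SSH_PORT, "")
    keys = settings.get(NVRAM_SSH_KEYS, "")

    if enabled not in ("", "0"):
        findings.append(f"ssh server enabled ({NVRAM_SSH_ENABLE}={enabled})")
    if port.isdigit() and int(port) == IOC_SSH_PORT:
        findings.append(f"ssh server bound to IOC port {IOC_SSH_PORT}")
    # Keys are compared by prefix because only a truncated key was published.
    for key in re.split(r"[\n>]", keys):
        if key.strip().startswith(IOC_KEY_PREFIX):
            findings.append("attacker public key present in authorized keys")
            break
    return findings


def flag_attacker_ips(log_lines) -> list:
    """Return (line, ip) for every log line that mentions a published attacker IP."""
    hits = []
    for line in log_lines:
        for candidate in _IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1 matched by the loose regex
            if addr in IOC_IPS:
                hits.append((line, str(addr)))
    return hits


def assess(nvram_dump: str, log_lines) -> dict:
    """Combine both checks; `compromised` is True if any indicator matched."""
    findings = check_ssh_settings(parse_nvram(nvram_dump))
    hits = flag_attacker_ips(log_lines)
    return {"findings": findings, "ip_hits": hits,
            "compromised": bool(findings or hits)}


# Constructed sample data for the demonstration (not a real capture).
SAMPLE_NVRAM = (
    "sshd_enable=1\n"
    "sshd_port=53282\n"
    "sshd_wan=1\n"
    "sshd_authkeys=" + IOC_KEY_PREFIX + "... backdoor\n"
    "lan_ipaddr=192.168.50.1\n"
)
SAMPLE_LOG = [
    "kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.168.50.1 PROTO=TCP DPT=22",
    "kernel: ACCEPT IN=eth0 SRC=101.99.91.151 DST=192.168.50.1 PROTO=TCP DPT=53282",
    "dropbear[1234]: Child connection from 79.141.163.179:41022",
]

if __name__ == "__main__":
    result = assess(SAMPLE_NVRAM, SAMPLE_LOG)
    for finding in result["findings"]:
        print("[!]", finding)
    for line, ip in result["ip_hits"]:
        print("[!] attacker IP", ip, "in:", line)
    print("compromised:", result["compromised"])
```

A hit on the SSH settings alone is grounds for the factory reset described below, since the firmware update does not clear NVRAM; a hit on the IP list with clean SSH settings still warrants checking whether logging was disabled during the window in question.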
Factory Reset Recommended for Compromised Devices
For routers that have already been compromised, Asus recommends performing a complete factory reset followed by manual reconfiguration (not restoring a saved settings backup, which could reintroduce the attacker's SSH entries) to ensure no traces of the backdoor remain. This more drastic step is necessary because the backdoor lives in NVRAM and survives standard firmware updates.
The incident serves as a stark reminder of the critical importance of router security in protecting home and business networks. Regular firmware updates, strong administrative passwords, and periodic security audits of network devices are essential practices for maintaining cybersecurity in an increasingly connected world.