Thousands of ASUS Routers Hijacked in Stealthy Backdoor Campaign

A recent discovery by cyber intelligence firm GreyNoise has revealed a sophisticated and ongoing backdoor campaign targeting approximately 9,000 ASUS routers. The attack, which began on March 18, uses the routers' own legitimate features to create persistent backdoors that survive firmware updates and reboots.

The methods employed during this campaign mirror those typically associated with advanced persistent threat (APT) actors using operational relay box (ORB) networks. Although GreyNoise has not made any attributions, the degree of operational skill exhibited implies that the perpetrator is a formidable and well-funded opponent.

Building ORB networks out of compromised edge devices has recently been a typical cyber espionage tactic of Chinese state-sponsored hackers. The intrusion chain of the ASUS router exploitation campaign, as analyzed by GreyNoise, unfolds in the following steps:

The infection chain begins with the attacker exploiting vulnerabilities in ASUS routers to disable the Trend Micro-powered security features. This is followed by novel tradecraft that abuses the ASUS AiProtection features on those routers.

The attack then configures the routers' SSH settings so that the change survives firmware updates, leaving a persistent backdoor for future malicious activity. GreyNoise noted that while ASUS patched CVE-2023-39780 in a recent firmware update, the update does not remove the attacker's SSH configuration changes.
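Because the persistence lives in the router's own SSH settings rather than in the firmware, a defender's check is to audit those settings for values the administrator never set. The following is an added example, not code from the article or from GreyNoise; it assumes ASUSWRT NVRAM variable names (sshd_enable, sshd_port, sshd_authkeys) and an `nvram show` dump, and the port and keys in the sample are constructed placeholders.

```python
import re

# Assumed ASUSWRT NVRAM variable names (not taken from the article):
#   sshd_enable    0 = off, 1 = LAN only, 2 = LAN + WAN
#   sshd_port      TCP port of the SSH daemon
#   sshd_authkeys  authorized public keys, assumed '>'- or newline-separated
STOCK_SSH_PORT = "22"


def parse_nvram(dump: str) -> dict:
    """Parse the key=value lines of an `nvram show` dump into a dict."""
    settings = {}
    for line in dump.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            settings[key] = value
    return settings


def key_material(pubkey: str) -> str:
    """Reduce an OpenSSH public key line to 'type base64' so comments do not matter."""
    parts = pubkey.split()
    return " ".join(parts[:2]) if len(parts) >= 2 else pubkey.strip()


def audit_ssh_persistence(settings: dict, trusted_keys: set) -> list:
    """Report SSH settings matching the persistence described above: SSH enabled,
    reachable from the WAN, on a non-stock port, or carrying an unknown key."""
    findings = []
    enable = settings.get("sshd_enable", "0")
    if enable == "0":
        return findings                      # SSH off: nothing to persist through
    findings.append("sshd enabled (sshd_enable=%s)" % enable)
    if enable == "2":
        findings.append("sshd reachable from WAN")
    port = settings.get("sshd_port", STOCK_SSH_PORT)
    if port != STOCK_SSH_PORT:
        findings.append("sshd on non-stock port %s" % port)
    trusted = {key_material(k) for k in trusted_keys}
    for key in re.split(r">|\\n|\n", settings.get("sshd_authkeys", "")):
        if key.strip() and key_material(key) not in trusted:
            findings.append("unknown authorized key: %s..." % key_material(key)[:40])
    return findings


# Constructed sample dump: port and key values are made up for this example.
SAMPLE_DUMP = """\
sshd_enable=2
sshd_port=2222
sshd_authkeys=ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdminKeyPlaceholder admin@lan>ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnknownKeyPlaceholder
"""
ADMIN_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdminKeyPlaceholder admin@lan"}

if __name__ == "__main__":
    for finding in audit_ssh_persistence(parse_nvram(SAMPLE_DUMP), ADMIN_KEYS):
        print("FINDING:", finding)
```

On a real device the dump would come from `nvram show` over an admin session, and the trusted set from the keys the administrator knows they installed.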

The initial login bypass techniques are patched but do not have assigned CVEs. GreyNoise initially deferred disclosure of this investigation to inform government and industry partners before sharing its findings with the public on May 28.

A Growing Threat Landscape

As of May 27, approximately 9,000 routers have been affected, with the number steadily increasing. The campaign appears to be part of a stealth operation to assemble a distributed network of backdoor devices, potentially laying the groundwork for a future botnet.

GreyNoise shared its findings in a companion technical analysis by GreyNoise Labs. Cyber threat intelligence firm Sekoia also announced the compromise of ASUS routers as part of a campaign it called "ViciousTrap" on May 22.

Mitigating the Threats

GreyNoise provided a list of recommendations to mitigate the threats posed by this malicious exploitation campaign:
