Asus router backdoors affect 9K devices, persist after firmware updates


Thousands of ASUS routers have been compromised with malware-free backdoors in an ongoing campaign to potentially build a future botnet, GreyNoise reported Wednesday.

The threat actors abuse security vulnerabilities and legitimate router features to establish persistent access without the use of malware, and these backdoors survive both reboots and firmware updates, making them difficult to remove.

The attacks, which researchers suspect are conducted by highly sophisticated threat actors, were first detected by GreyNoise’s AI-powered Sift tool in mid-March and disclosed Thursday after coordination with government officials and industry partners.

Sekoia.io also reported the compromise of thousands of ASUS routers in their investigation of a broader campaign, dubbed ViciousTrap, in which edge devices from other brands were also compromised to create a honeypot network.

Sekoia.io found that the ASUS routers were not used to create honeypots, and that the threat actors gained SSH access using the same port, TCP/53282, identified by GreyNoise in their report.

Attackers gain access, execute commands via known vulnerabilities

The backdoor campaign targets multiple ASUS router models, with GreyNoise initially detecting attack attempts against their emulated ASUS RT-AC3200 and RT-AC3100 firmware profiles, both with “out-of-the-box” configuration settings.

Initial access is gained through a combination of credential brute-forcing and exploitation of authentication bypass flaws, which are patched but have not been assigned CVEs, according to GreyNoise.

Authentication bypass techniques used include impersonation of the ASUS user-agent “asusrouter--” and the use of an “asus_token=” cookie followed by a null byte, which may prematurely terminate string parsing during the authentication process and lead to authentication bypass on vulnerable systems, according to GreyNoise’s technical analysis.

Sekoia.io also noted the exploitation of CVE-2021-32030 in their observations, an authentication bypass flaw specifically affecting ASUS GT-AC2900 and Lyra Mini devices.

Once the attacker gains authenticated access, they exploit built-in settings and security flaws to establish an SSH connection at TCP/53282 along with an attacker-controlled public key for persistent, remote access.

On ASUS RT-AX55 models that have not received a patch for the vulnerability tracked as CVE-2023-39780, the attackers exploit this command injection vulnerability to activate an embedded logging feature called Bandwidth SQLite Logging (BWSQL). Code used by this logging feature allows for the execution of user-controlled data, expanding the attacker’s ability to inject malicious commands.

Factory reset recommended for compromised devices

The backdoor configuration in these attacks is stored in non-volatile random access memory (NVRAM) rather than the disk, making it resistant to removal via reboots or firmware upgrades.

“If a router was compromised before updating, the backdoor will still be present unless SSH access is explicitly reviewed and removed,” GreyNoise stated.

GreyNoise recommends users perform a full factory reset and manual reconfiguration on any device suspected to be compromised. Users can determine whether a device was compromised by looking for SSH access enabled on TCP/53282 and for unauthorized entries in the authorized_keys file.
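A defender-side triage helper for the two checks just described, added here as an illustration and not code from the GreyNoise or Sekoia.io reports: it parses an `nvram show`-style dump and an authorized_keys file and flags sshd on TCP/53282 plus any key outside the operator's allow-list. The NVRAM variable names (`sshd_enable`, `sshd_port`) and the sample data are assumptions.

```python
# Port that GreyNoise and Sekoia.io observed for the backdoor SSH listener.
BACKDOOR_PORT = 53282
# ASSUMPTION: variable names modelled on ASUSWRT's sshd_* NVRAM settings;
# confirm on your firmware with `nvram show | grep sshd` before relying on them.
ENABLE_VAR, PORT_VAR = "sshd_enable", "sshd_port"
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def parse_nvram(dump):
    """Parse `nvram show`-style KEY=VALUE lines into a dict; odd lines are skipped."""
    cfg = {}
    for line in dump.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            cfg[key] = value
    return cfg


def key_material(entry):
    """Return 'type base64' for one authorized_keys line, ignoring leading options
    and the trailing comment, so a renamed or re-optioned key still compares equal."""
    toks = entry.split()
    for i, tok in enumerate(toks[:-1]):
        if tok.startswith(KEY_TYPES):
            return f"{tok} {toks[i + 1]}"
    return None


def triage(nvram_dump, authorized_keys, trusted_keys):
    """Flag the two indicators named in the report: sshd listening on TCP/53282
    and authorized_keys entries that are not on the operator's allow-list."""
    cfg = parse_nvram(nvram_dump)
    findings = []
    if cfg.get(ENABLE_VAR, "0") != "0":  # non-zero means sshd enabled (assumption)
        port = cfg.get(PORT_VAR, "?")
        hit = port == str(BACKDOOR_PORT)
        findings.append(("high" if hit else "info",
                         f"sshd enabled on TCP/{port}" + (" (reported backdoor port)" if hit else "")))
    trusted = {key_material(k) for k in trusted_keys}
    for line in authorized_keys.splitlines():
        mat = key_material(line)
        if mat and mat not in trusted:
            findings.append(("high", f"unknown authorized key: {mat[:48]}"))
    return findings


# Constructed sample data, not taken from any real device.
SAMPLE_NVRAM = "sshd_enable=1\nsshd_port=53282\nlan_ipaddr=192.168.50.1\n"
SAMPLE_KEYS = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEOWNERKEY0000000000 admin@home\n"
               "no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCCONSTRUCTEDUNKNOWN intruder\n")
TRUSTED = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEOWNERKEY0000000000 laptop"]
```

Run `triage(SAMPLE_NVRAM, SAMPLE_KEYS, TRUSTED)` to see both indicators reported for the constructed sample; feed it a real dump and the device's own authorized_keys to triage a router offline.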

Organizations should also block the known malicious IP addresses identified in GreyNoise’s and Sekoia.io’s reports and ensure their devices are fully updated to patch any security vulnerabilities that may be used by the attackers.

