It seems like someone, possibly nation-state hackers, is building a botnet out of thousands of Asus routers that can withstand firmware patches and reboots. Researchers report that about 9,000 routers have been infiltrated, and the figure is still rising.
GreyNoise, a security firm, warned on Tuesday that attackers utilise a combination of known and previously undisclosed vulnerabilities to attack routers, including a command injection vulnerability identified as CVE-2023-39780. The tradecraft involved implies "a well-resourced and highly capable adversary," maybe building an operable relay box.
ORBs are a strategy used by advanced persistent threat groups, including intelligence agencies around the world, to conceal malicious behaviour by routing internet traffic through a network of compromised Internet of Things devices. One cybersecurity firm characterises them as the offspring of a VPN and a botnet.
GreyNoise discovered the effort on March 18 and named the technique employed to backdoor the routers "AyySSHush." The intrusion chain starts with brute-force login attempts and two authentication bypass methods with no corresponding CVEs. After gaining access, attackers use CVE-2023-39780 to activate a security mechanism included into Asus routers by TrendMicro.
The functionality enables "Bandwidth SQLlite Logging," which lets perpetrators feed a string directly into a system() call. With that power, attackers can enable a secure shell and connect it to a TCP port, along with an attacker-controlled public key. That is the step that renders firmware updates ineffective against the hack.
"Because this key was introduced using official ASUS features, the configuration change is retained across firmware upgrades. "If you've been exploited before, upgrading your firmware will NOT remove the SSH backdoor," Remacle warned. As of publication, Censys' search had identified 8,645 infected routers.
ASUS addressed CVE-2023-39780 in recent firmware upgrades. However, machines compromised prior to patching may still contain the backdoor unless administrators verify SSH setups and remove the attacker's key from them. For potential compromises, GreyNoise recommends performing a full factory reset.