Asus has issued multiple statements regarding a highly publicized botnet attack infecting over 9,000 routers to date. Per our previous reporting, the "AyySSHush" botnet has infected its hosts through a mix of brute-force attacks and authentication bypasses, and hides its backdoor in non-volatile memory, thus attempting to hide from firmware updates and refreshes.
In an official statement regarding the insecurity, Asus told Tom's Hardware that the vulnerabilities can be avoided for those yet uninfected, and fixed for those routers that have been compromised. The hostile agents utilize a known command injection flaw, CVE-2023-39780, to enable SSH access on a custom port (TCP/53282) and insert an attacker-controlled public key for remote access.
This exploit has been patched in the latest Asus firmware update, and as such, Asus advises all users of its routers to update their firmware. After this, Asus advises a factory reset, followed by adding a strong administrator password. For those users with routers that have reached end-of-life support, or those who are tech-savvy enough to open up their router settings and wish to avoid a factory reset, Asus recommends "disabling all remote access features such as SSH, DDNS, AiCloud, or Web Access from WAN, and confirming that the SSH (especially TCP port 53282) is not exposed to the Internet."
The AyySSHush botnet was first discovered by security firm GreyNoise in March, making its findings public in May, via alerts thrown up by its proprietary AI monitoring technology, Sift. GreyNoise categorizes the attackers responsible for the botnet as "a well-resourced and highly capable adversary", though without making any accusations about who the attackers were. A Censys search of the affected routers, which at the time of writing numbers above 9,500, can be found here. To date, activity from the botnet has been minimal, with only 30 related requests registered across three months.
In further comment specifically sent to Tom's Hardware, Asus adds that it sent push notifications to applicable users alerting them to update their firmware once the exploit became widely known. Users also have resources, including Asus's product security advisory page and an updated knowledge base article covering the exploit specifically.
Asus also claims to have been working to update firmware on models, including the RT-AX55 router, well before the GreyNoise report went up to protect against this known vulnerability. This is a key detail from the company, as CVE-2023-39780 reporting shows that Asus had been made aware of the vulnerability before the most recent GreyNoise report went out.
Any concerned Asus router users should confirm that their SSH is not exposed to the internet, and are advised to check their router's log for repeated login failures or unfamiliar SSH keys indicating a past brute-force attack. Leaving routers exposed to WAN access and the open internet is a recipe for disaster, and nearly all routers infected by the botnet were likely operating under highly vulnerable, unsafe conditions caused by end users. Still, as with all web security matters, it is better to be safe than sorry, and to ensure routers and other web-connected devices are operating on modern firmware.
Follow Tom's Hardware on Google News to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button.
