Thousands of Asus routers are under a stealthy, persistent backdoor attack

  • Researchers' discovery: Thousands of Asus home and small office routers are infected with a stealthy backdoor that can survive reboots and firmware updates. Unknown attackers exploit now-patched vulnerabilities (some of them never tracked through the CVE system) to gain access and install a public encryption key for SSH access.
  • Durable control details: The attacker's access survives reboots and firmware updates, giving long-term control obtained by chaining authentication bypasses and exploiting a known vulnerability. GreyNoise has tracked about 9,000 backdoored devices globally, and the number is growing. The compromises appear to be the early stage of accumulating a pool of compromised devices. GreyNoise detected the campaign in mid-March and notified unnamed government agencies before reporting on it.
  • Related security reports: This activity is part of a larger campaign reported by Sekoia last week. Internet scanning by network intelligence firm Censys suggests up to 9,500 Asus routers may be compromised by ViciousTrap. Attackers exploit multiple vulnerabilities, including CVE-2023-39780 (a command-injection flaw patched by Asus) and others that were patched but never tracked through the CVE system.
  • How to check and remove: Router users can check the SSH settings in the configuration panel. On infected routers, the settings show that SSH login is allowed on port 53282 using a specific digital certificate. Users who find this should remove the key and the port setting. System logs showing access from certain IP addresses can also indicate that a router was targeted. All router users should install security updates promptly.
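
The check described above can be scripted. The following is an added example, not code from GreyNoise, Asus or the original article: it flags a listener on port 53282 and any SSH key that is not on the administrator's own trusted list. It assumes the router's listening sockets have been exported in `netstat -tln` style and its authorized SSH keys in `authorized_keys` format; the function names and all sample data are constructed for illustration.

```python
import base64
import hashlib

BACKDOOR_PORT = 53282  # SSH port named in the report

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def listening_ports(netstat_text):
    """TCP ports in LISTEN state from `netstat -tln`-style output."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            ports.add(int(f[3].rsplit(":", 1)[1]))
    return ports

def unknown_keys(authorized_keys_text, trusted):
    """Fingerprints of entries not in `trusted` (options may precede the key type)."""
    found = []
    for line in authorized_keys_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens[:-1]):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                fp = fingerprint(tokens[i + 1])
                if fp not in trusted:
                    found.append(fp)
                break
    return found

def audit(netstat_text, authorized_keys_text, trusted):
    findings = []
    if BACKDOOR_PORT in listening_ports(netstat_text):
        findings.append(f"listener on TCP {BACKDOOR_PORT}")
    findings += [f"untrusted SSH key {fp}" for fp in unknown_keys(authorized_keys_text, trusted)]
    return findings

# Constructed sample data (placeholder key blobs, not real keys or IoCs).
ADMIN = base64.b64encode(b"constructed-admin-key").decode()
OTHER = base64.b64encode(b"constructed-unknown-key").decode()
NETSTAT = """Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53282 0.0.0.0:* LISTEN"""
KEYS = f"ssh-rsa {ADMIN} admin@laptop\nssh-rsa {OTHER} unknown\n"
print(audit(NETSTAT, KEYS, {fingerprint(ADMIN)}))
```

An empty result only means neither indicator from the report was found in the exported data; it says nothing about the system-log indicator the report also mentions.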