Asus responds to reports of more than 9,000 routers infected by a botnet and advises cleaning affected routers with a firmware update and a factory reset.
Asus Tackles Aggressive Botnet Infection of Over 9,000 Routers
Here's the scoop on the ongoing AyySSHush botnet attack that's been wreaking havoc on Asus routers.
Reports Flood In
According to our earlier reporting, the "AyySSHush" botnet has infected thousands of routers through brute-force attacks and authentication bypasses. It plants a persistent backdoor in non-volatile memory so that it survives firmware updates and reboots.
In an official statement to Tom's Hardware, Asus acknowledged the threat and said that appropriate measures are in place to help keep users secure. It urges owners whose routers are not yet infected to follow preventative steps, and provides remediation guidance for routers that already are.
Breakdown of the Attack
The attackers exploit a known command injection flaw, CVE-2023-39780, to enable SSH access on a custom port (TCP/53282) and insert an attacker-controlled public key for remote access. Asus has already patched the vulnerability in its latest firmware update and advises all users to update their routers promptly.
After updating, Asus recommends performing a factory reset and setting a strong administrative password. For more technically inclined users whose routers have reached end of life, Asus recommends disabling all remote access features, such as SSH, DDNS, AiCloud and Web Access from WAN, and making sure that SSH (in particular TCP port 53282) is not exposed to the internet.
Origin Story
Security firm GreyNoise first detected the AyySSHush botnet in March, through alerts generated by its proprietary AI monitoring technology, Sift, and made its findings public in May. GreyNoise describes the attackers as a well-resourced and skilled adversary, although it stopped short of attributing the activity to any specific party.
So far, botnet activity has been fairly limited, with just 30 related requests recorded over three months. A Censys search for infected routers currently returns more than 9,500 results.
In response to Tom's Hardware's queries, Asus confirmed that it had sent push notifications urging users to update their firmware once the exploit became known. It also pointed to resources including its security advisory page and an updated knowledge base article specifically addressing the vulnerability.
A Brief History
Asus says it had been actively working on updated firmware for affected models, such as the RT-AX55 router, well ahead of the GreyNoise report. This matters, because the CVE-2023-39780 record shows that Asus had been made aware of the vulnerability before the GreyNoise report went live.
Concerned Asus router owners should check whether SSH on their router is exposed to the internet, and watch for repeated login failures or unfamiliar SSH keys, which may indicate a past brute-force attack. Leaving WAN access open on a router invites risk, and routers infected by the botnet were likely operating in highly vulnerable configurations because of neglect by their owners. As always in cybersecurity, it is better to be safe than sorry, and to make sure routers, along with all internet-connected devices, run current firmware.
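The three checks above (repeated login failures, unfamiliar SSH keys, and SSH on TCP/53282 reachable from outside), as an added Python example that is not from Asus, GreyNoise or this article. The dropbear-style log lines, the `netstat -tln` style listing and the key blobs are all constructed sample data; the script assumes you can pull the router's auth log, its authorized_keys file and its listening-socket list, and that you keep your own list of legitimate key fingerprints.

```python
import base64
import hashlib
import re
from collections import Counter

# Constructed samples modelled on dropbear log lines and a `netstat -tln` listing; not real captures.
AUTH_LOG = """
Jun 01 02:14:03 dropbear[2211]: Bad password attempt for 'admin' from 203.0.113.5:41234
Jun 01 02:14:04 dropbear[2212]: Bad password attempt for 'admin' from 203.0.113.5:41240
Jun 01 02:14:06 dropbear[2213]: Bad password attempt for 'admin' from 203.0.113.5:41251
Jun 01 08:30:11 dropbear[2390]: Bad password attempt for 'admin' from 192.168.50.20:50012
""".strip().splitlines()
LISTENERS = """
tcp  0  0 0.0.0.0:80     0.0.0.0:*  LISTEN
tcp  0  0 0.0.0.0:53282  0.0.0.0:*  LISTEN
""".strip().splitlines()

def _fake_ed25519(seed):
    """Constructed OpenSSH ed25519 public-key line; the key bytes are just a hash, not a real key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

ADMIN_KEY = _fake_ed25519(b"admin-laptop") + " admin@lan"      # the key the owner installed
UNKNOWN_KEY = _fake_ed25519(b"not-mine") + " user@host"        # an entry the owner never added
AUTHORIZED_KEYS = ADMIN_KEY + "\n" + UNKNOWN_KEY + "\n"
FAIL_RE = re.compile(r"Bad password attempt for '[^']+' from (?P<ip>[\d.]+):\d+")

def brute_force_sources(lines, threshold=3):
    """Return {ip: failures} for every source IP with at least `threshold` failed logins."""
    counts = Counter(m.group("ip") for m in map(FAIL_RE.search, lines) if m)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def fingerprint(pubkey_line):
    """SHA256 fingerprint of an OpenSSH public-key line, in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(pubkey_line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unfamiliar_keys(authorized_keys_text, known_fingerprints):
    """Return authorized_keys entries whose fingerprint is not on the administrator's own list."""
    return [line for line in authorized_keys_text.splitlines()
            if line.strip() and not line.startswith("#")
            and fingerprint(line) not in known_fingerprints]

def exposed_listeners(netstat_lines, port=53282):
    """Return LISTEN sockets on `port` bound to all interfaces; WAN-reachable unless the firewall blocks them."""
    pat = re.compile(rf"\s(?:0\.0\.0\.0|::|\[::\]):{port}\s")
    return [line for line in netstat_lines if "LISTEN" in line and pat.search(line)]
```

Any hit from `exposed_listeners` or `unfamiliar_keys` is a reason to follow the update, factory-reset and password-change steps above rather than just deleting the offending entry, since the backdoor is stored in NVRAM.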