Thousands of Asus Routers Have Been Hijacked, But I Wouldn’t Panic Just Yet

News Room

Your Asus Wi-Fi router may have been hacked, according to a new blog post from the cybersecurity firm GreyNoise.

As of May 27, over 9,000 Asus routers have been confirmed compromised in what the firm characterizes as an “ongoing exploitation campaign.” 

GreyNoise has been tracking the attack since Mar. 17. In the months since, it has seen only 30 requests related to the attack, which shows how quietly the campaign is operating. The attackers have maintained access to affected routers even after reboots and firmware updates, “giving them durable control over affected devices,” the blog post says. 

While that sounds pretty scary, you probably don’t need to replace your router just yet. Your personal data isn’t the target in attacks like these. Instead, the attacker uses infected devices as pawns in a larger game.  

“These compromised IoT devices, like smart cameras or a router, have enough computational power that you can use networks of tens of thousands of them to do a denial of service attack,” Yuvraj Agarwal, a computer science professor at Carnegie Mellon, told CNET. 

He compared it to the infamous Mirai botnet attack from 2016 that temporarily took down websites like Twitter, Netflix, Reddit and Pinterest.

“It’s not trying to compromise your laptop or your iPhone, right? That’s not what it’s doing,” Agarwal added. “Users would have to ignore a few different safeguards for them to be vulnerable to somebody stealing their credentials.”

GreyNoise didn’t say exactly where it thinks the attack is coming from, but did note that “the level of tradecraft suggests a well-resourced and highly capable adversary.”

The Cybersecurity and Infrastructure Security Agency (CISA) has named China, Russia, North Korea and Iran as likely actors in similar attacks in the past. Few Wi-Fi router brands have escaped such breaches. CISA keeps a catalog of Known Exploited Vulnerabilities (KEV), flaws confirmed to have been exploited in the wild, and almost every router manufacturer appears on it somewhere.

“We find stuff in everything,” said Thomas Pace, CEO of cybersecurity firm NetRise and former security contractor for the Department of Energy, in a previous interview. 

“The problem with the CISA KEV [list] is, if everything’s on the list, how good is that list?” Pace added. “Basically, every telecommunications device on the planet has at least one vulnerability on the CISA KEV.”

While it first observed the attack in March, GreyNoise said it waited until now to release its findings so it could coordinate with government and industry partners.

A representative for Asus declined CNET’s request for comment on this story and referred me to their product security advisory page for the latest updates. 

What to do if you own an Asus router

In most attacks, a firmware update from the router manufacturer closes the hole. In this case, the attackers used the initial flaw only to get in. The backdoor itself was set up through the router's own built-in settings, which live in the saved configuration that a firmware update leaves untouched, so the access survives both reboots and updates. 

“Because this key is added using the official ASUS features, this config change is persisted across firmware upgrades,” GreyNoise noted in another post. “If you’ve been exploited previously, upgrading your firmware will NOT remove the SSH backdoor.”

The steps you’ll need to take to find out if your router has been compromised — and potentially fix it — are fairly technical, so bear with me here. 

  1. Log into your router’s admin interface. You can do this via the Asus app or by going to http://www.asusrouter.com.
  2. Find the “Enable SSH” option under Service or Administration settings.
  3. If your router was breached in this campaign, these settings will show SSH enabled on port 53282, with an authorized public key that begins with: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ… If SSH is turned on with a port or key you never set yourself, treat that as a warning sign too, even if the details differ. 
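Here is a scripted version of that check, added for this page and not code from GreyNoise or Asus. It parses a configuration dump in the name=value form that the Asuswrt `nvram show` command prints, assuming the SSH settings are stored in the variables sshd_enable, sshd_port and sshd_authkeys (those names are an assumption about the firmware, not something the article states, so confirm them on your own model before trusting the result), flags the port and key prefix given above, and also scans a few constructed syslog lines for the four attacker addresses listed under the remediation steps further down:

```python
"""Check an ASUS router config dump and firewall log for the indicators
described in this article. Added example, not GreyNoise's or ASUS's code.

Assumptions (not from the article): the config is the name=value text that
the Asuswrt `nvram show` command prints, and the SSH settings live in the
variables sshd_enable, sshd_port and sshd_authkeys. Verify those names on
your own firmware before relying on this script.
"""
import re

# Indicators quoted in the article. The key is the truncated form printed
# there; a prefix match is all we can do with it.
BACKDOOR_PORT = 53282
BACKDOOR_KEY_PREFIX = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ"
)
ATTACKER_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}


def parse_nvram(text):
    """Turn name=value lines into a dict. Only the first '=' splits, so
    base64 padding in a key value survives intact."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, _, value = line.partition("=")
        settings[name.strip()] = value.strip()
    return settings


def check_ssh_settings(settings):
    """Return the indicator names that match; an empty list means clean."""
    hits = []
    if settings.get("sshd_enable", "0") != "0":
        hits.append("ssh_enabled")
    if settings.get("sshd_port") == str(BACKDOOR_PORT):
        hits.append("ssh_port_53282")
    # Substring match so it works however the firmware separates multiple keys.
    if BACKDOOR_KEY_PREFIX in settings.get("sshd_authkeys", ""):
        hits.append("backdoor_key_present")
    return hits


def scan_log_for_attacker_ips(lines):
    """Return the attacker addresses that appear anywhere in the log lines."""
    ip_re = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    seen = set()
    for line in lines:
        for ip in ip_re.findall(line):
            if ip in ATTACKER_IPS:
                seen.add(ip)
    return sorted(seen)


def assess(nvram_text, log_lines):
    """Combine both checks into a verdict matching the article's advice:
    a planted key means factory reset first, then update."""
    hits = check_ssh_settings(parse_nvram(nvram_text))
    ips = scan_log_for_attacker_ips(log_lines)
    if "backdoor_key_present" in hits:
        verdict = "compromised"
    elif "ssh_port_53282" in hits or ips:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"indicators": hits, "attacker_ips_seen": ips, "verdict": verdict}


# Constructed sample input, not captured from a real device. The key value is
# just the truncated prefix from the article.
SAMPLE_NVRAM = """\
sshd_enable=1
sshd_port=53282
sshd_wan=1
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ
"""
SAMPLE_LOG = [
    "May 27 10:02:11 router kernel: ACCEPT IN=eth0 SRC=101.99.91.151 DST=203.0.113.5 PROTO=TCP DPT=53282",
    "May 27 10:02:15 router dropbear[1234]: Child connection from 101.99.91.151:51820",
    "May 27 10:05:00 router kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=443",
]

if __name__ == "__main__":
    print(assess(SAMPLE_NVRAM, SAMPLE_LOG))
```

On a router with shell access you would feed it the real output of `nvram show` and the contents of the system log; on the sample above it reports all three indicators and the first attacker address, and returns "compromised". A "clean" result only means these particular indicators are absent, so you should still apply the firmware update.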

If your router hasn’t been infected, your next step will be to update the firmware immediately. Asus fixed the flaw with its latest update, which should take care of it. 

If your router has been infected, the backdoor will still be there even if you update the firmware. In that case, you’ll need to follow these steps to block unauthorized access:

  1. Disable SSH in the Service or Administration settings.
  2. Block these four IP addresses: 101.99.91.151, 101.99.94.173, 79.141.163.179, and 111.90.146.237.
  3. Restore the router to factory settings.
  4. Update to the latest firmware.

The factory reset is the step that actually clears the planted key and settings, which is why it has to come before the update rather than being skipped in favor of it. Once the router is back up, log in again and confirm that SSH is off and no authorized key is listed before you reconnect your devices.


