EOL ASUS routers affected by TheMoon malware

[XIII]

EOL ASUS routers affected by TheMoon malware:

The Darkside of TheMoon - Lumen

Executive Summary The Black Lotus Labs team at Lumen Technologies has identified a multi-year campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and IoT devices, associated with an updated version of “TheMoon” malware. TheMoon, which emerged in 2014, has been operating...

blog.lumen.com

 

[bennor]

Yeah was mentioned in the RT-AC68U EOL thread earlier:
https://www.snbforums.com/threads/rt-ac68u-end-of-life-announced-by-asus.89314/post-899793
The BleepingComputer article in that post indicated; "researchers do not specify the exact method used to breach the ASUS routers".

 

[RMerlin]

That article contains zero information as to what devices are susceptible. An RT-N16 also counts as an EOL device, for that matter.

If the author was able to state that EOL devices are targeted, then he should be able to state actual model names, unless he is only speculating...

 

[XIII]

That article contains zero information as to what devices are susceptible.

I was also disappointed about that.

They did mention this:

Through Lumen’s global network visibility, Black Lotus Labs has identified the logical map of the Faceless proxy service, including a campaign that began in the first week of March 2024 that targeted over 6,000 ASUS routers in less than 72 hours.

I wonder how they measured that.

 

[Intrepid]

Speculation: TheMoon spreads via a worm component that scans for vulnerable web servers, so if Access from WAN is Off along with the other router external hardening the risk is reduced significantly. Assumes Current Firmware, Unique Username & Password, and all of this OFF: Access from WAN, Respond to Ping, Telnet, SSH, Port Forwarding, UPnP, and any other insecure setting.

See:

TheMoon malware infects 6,000 ASUS routers in 72 hours for proxy service

A new variant of "TheMoon" malware botnet has been spotted infecting thousands of outdated small office and home office (SOHO) routers and IoT devices in 88 countries.

www.bleepingcomputer.com

Also See: https://blog.lumen.com/the-darkside-of-themoon/

 

[RMerlin]

Yes. In the past there has been a few scaremonging articles that failed to mention that the attack vector was "brute force attack against weak passwords", which isn't really a device vulnerability, but just user stupidity...

 

[glens]

Or otherwise known as the i d 10 t factor.

 

[sfx2000]

Remember, this is not a "new" issue - it's getting press at the moment...

Key take-aways from this are:

1) Keep your firmware up to date
2) Don't use default passwords (and usernames if the platform allows it)
3) Keep exposed services to a minimum - most folks don't need to open any router based services to the internet
4) If your HW is EOL/EOS, it's a good thing to move on to newer hardware

 

[KrypteX]

Say what you will, but this is the kind of stuff why I'm in the process of getting rid of all Broadcom-based Asus devices (of mine, friends or clients') and switching to OpenWrt.
As long as the router has at least 8 or 16 MB of flash, there's really no such thing as EOL or lack of support with OpenWrt (even for WiFi 4, i.e. N devices).

Don't say I didn't warn you guys...

 

[Intrepid]

Which Asus routers don't support OpenWrt? The EOL RT-AC68U does. Will updated OpenWrt firmware still be produced for it...?

 

[L&LD]

Thanks for the warning. Good luck with OpenWrt.

 

[KrypteX]

Thanks for the warning. Good luck with OpenWrt.

Thanks. No luck, it just works. Forever.

 

[KrypteX]

Which Asus routers don't support OpenWrt? The EOL RT-AC68U does. Will updated OpenWrt firmware still be produced for it...?

Take a closer look and you will see that most (if not all) Broadcom-based Asus routers' WiFi is NOT supported (AC68U included).

 

[bennor]

Which Asus routers don't support OpenWrt? The EOL RT-AC68U does.

A word of note: https://openwrt.org/toh/asus/rt-ac68u

WiFi for the AC68U is completely unsupported! 2.4Ghz WiFi is not partly supported as was previously thought! See here: https://forum.openwrt.org/t/broadco...king-drivers-but-i-cant-get-it-to-work/103505

 

[coxhaus]

Wow. I just read this. This says 7000 routers per week are being added. And it is due to not fixing some vulnerability which allows them to deploy the malware.

MSN

 

[bennor]

Wow. I just read this. This says 7000 routers per week are being added. And it is due to not fixing some vulnerability which allows them to deploy the malware.

MSN

Similar useless scare article that lacks any detailed information like the one's already posted earlier. No information on exactly how the routers are being exploited and which specific routers are affected. Just "speculation" and "other methods" like brute forcing the router password.

 

[coxhaus]

Similar useless scare article that lacks any detailed information like the one's already posted earlier. No information on exactly how the routers are being exploited and which specific routers are affected. Just "speculation" and "other methods" like brute forcing the router password.

It does not say password changes but lack of fixing their code vulnerabilities'. As I remember over past years ASUS chooses which vulnerabilities they fix. They don't just fix all of them. What it sounds like to me one of their not fixed vulnerabilities is biting them in the butt. And they do not want to spend the money to fix it. They would rather have people buy new routers as it makes them more money.

 

[northumberland]

Fresh Tomato on my old AC88U, everything works though I did need to fiddle, reverse the port order or something as I recall. Really it was smooth though,