
“GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers”

XIII

Very Senior Member
Yet another one, or did we already know about this one?

 
This article is about the malware itself, not about a new security issue. That malware is getting installed through brute forcing of the login, or through old security issues (one of them going back to 2023 - long fixed).
 
New report of an old CVE - good reminder that devices that are End of Support should be replaced sooner than later...
 
This seems to be blowing up! Have seen a couple of news articles that picked up on GreyNoise article.
The sky is falling......
 
And once again people fail to understand what they read (assuming they actually READ the article and not just the clickbait titles of news reports), and just get hit by the sensationalism behind it. So tired of this constantly repeating itself.
 
RMerlin's comment from the other snbforums discussion in case people are not clicking on the link and reading the other discussion comments:
This article is about the malware itself, not about a new security issue. That malware is getting installed through brute forcing of the login, or through old security issues (one of them going back to 2023 - long fixed).
 
In summary, we are observing an ongoing wave of exploitation targeting ASUS routers, combining both old and new attack methods. After an initial wave of generic brute-force attacks targeting login.cgi, we observe subsequent attempts exploiting older authentication bypass vulnerabilities. Using either of the above methods to gain privileged access to ASUS hardware, we observe payloads exploiting a command injection vulnerability to create an empty file at /tmp/BWSQL_LOG. The existence of a file at this path enables BWDPI logging, a TrendMicro feature embedded in ASUS routers.

Finally, we see remote SSH enabled on a high port TCP/53282 through the official ASUS settings with an attacker controlled public key added to the router’s keyring. This grants the attacker exclusive SSH access. Additionally, because the backdoor is part of the official ASUS settings, it will persist across firmware upgrades, even after the original vulnerability used to gain access has been patched.
 
The sky is falling!
One router model. Firmware patched long ago...
 
Was there any comms from ASUS that routers needed to be wiped after the update that patched these issues?
 
Pulled from another Forum:

It's an authentication bypass that Asus are responsible for, chained to a patched CVE which then provides persistent SSH access. Asus's firmware updates don't remove the SSH changes, and as far as I can tell there has been no mass communication from their side of "patch your router and then factory default it", so it's totally fair to lay the blame with Asus. One of the models is the RT-AX55 (https://www.asus.com/networking-iot...ries/rt-ax55/helpdesk_bios?model2Name=RT-AX55), where's the notice that there's a problem with it and it needs defaulting? There's no mention of any critical security flaws that have been resolved in the change log, so how are users meant to know about them? The technical writeup contains a review of some of the code that Asus are curling out, and it contains:

Authors Note: While not directly relevant to our current investigation, --no-check-certificate on the wget command means that your Google OAuth token is sent to a remote server without validating the SSL/TLS certificate. This has implications.

This is most likely because they don't want it to fail when the clock is set incorrectly because they are too lazy to handle that condition and suggest that the user might want to check the time, but it means that anyone can MITM the OAuth token because the router will just ignore cert errors. This stuff doesn't happen in a professional development environment, but it absolutely happens when people throw any old crap together until it compiles without errors and then ships it.
 
The sky is falling!
One router model. Firmware patched long ago...

The vulnerability appears to impact multiple models of routers from ASUS, such as the RT-AX55, RT-AX59U, RT-AX86 and many more. But we haven’t yet found a full and confirmed list.

However, the bad news is that the attacker’s SSH configuration changes are NOT removed by firmware upgrades. Put another way, if a router was compromised before updating, the backdoor will still be present unless SSH access is explicitly reviewed and removed.
 

This is not an epidemic but another case of the "news" media flogging something to death to "sell" copy. At worst this is limited to un-patched routers. Somewhere I saw an estimate of five to six thousand routers of one model number. The regulars here have nothing to worry about. The owners of the vulnerable/infected routers have no clue that they needed to do updates (my guess is this is over 90% of home users). There is nothing we can do for those poor souls. We need to keep our own home and business networks safe and updated. Yes, talking network security is a good thing, but those 90% just do not care. Spend some time in a cell phone store, a Best Buy or Staples and you will be amazed at the ignorance of people who use these high tech products!
 
However, the bad news is that the attacker’s SSH configuration changes are NOT removed by firmware upgrades
No malware is ever removed by a firmware upgrade. Just like viruses won't disappear from a Windows PC just because you install a Windows update. You still need to clean it up. In the case of a router, that means doing a factory default reset. Nothing unusual there.
 
Running Skynet with securemode enabled (the default) would have also disabled SSH WAN access once you were infected.
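For anyone who wants to check their own router before deciding whether a factory reset is needed, the following is an added example (not code from this thread, from ASUS or from GreyNoise). It looks for the three artefacts the quoted GreyNoise summary describes: the empty /tmp/BWSQL_LOG marker file, SSH exposed on the WAN and on TCP/53282, and an authorized key the owner never installed. It assumes that `nvram show` prints key=value lines including sshd_enable, sshd_wan and sshd_port, and that the firmware writes its SSH keyring to /tmp/home/root/.ssh/authorized_keys; neither assumption is confirmed by the thread, so check both on your firmware first. The allowlist file path and all sample keys are constructed for the example.

```shell
#!/bin/sh
# Added defender-side example for this thread; not code from the thread,
# ASUS or GreyNoise. Checks a router for the artefacts the quoted GreyNoise
# summary describes.
#
# Assumptions (not confirmed by the thread): `nvram show` prints key=value
# lines including sshd_enable, sshd_wan and sshd_port, and the router keeps
# its SSH keyring at /tmp/home/root/.ssh/authorized_keys.

BACKDOOR_PORT=53282   # port named in the GreyNoise summary quoted above

# nvram_value KEY DUMP: extract one key's value from a key=value dump.
nvram_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# audit_router ROOT DUMP ALLOWLIST
#   ROOT      - filesystem root to inspect ("/" on the router, a temp dir in tests)
#   DUMP      - text of `nvram show`
#   ALLOWLIST - file listing the authorized keys the owner deliberately installed
# Prints one FINDING line per match; returns 0 if clean, 1 otherwise.
audit_router() {
    root=$1; dump=$2; allowlist=$3; bad=0

    # 1. Marker file whose presence switches on BWDPI logging.
    if [ -e "$root/tmp/BWSQL_LOG" ]; then
        echo "FINDING: $root/tmp/BWSQL_LOG exists (BWDPI logging marker)"
        bad=1
    fi

    # 2. SSH reachable from the WAN, or listening on the reported port.
    enable=$(nvram_value sshd_enable "$dump")
    wan=$(nvram_value sshd_wan "$dump")
    port=$(nvram_value sshd_port "$dump")
    if [ "${enable:-0}" != 0 ] && [ "${wan:-0}" = 1 ]; then
        echo "FINDING: SSH is reachable from the WAN (sshd_wan=1)"
        bad=1
    fi
    if [ "$port" = "$BACKDOOR_PORT" ]; then
        echo "FINDING: SSH listens on $BACKDOOR_PORT, the port in the GreyNoise report"
        bad=1
    fi

    # 3. Authorized keys not on the owner's allowlist. Whole lines are
    #    compared; matching only the trailing comment would let a renamed
    #    key slip through. A missing allowlist flags every key.
    keyring="$root/tmp/home/root/.ssh/authorized_keys"
    if [ -f "$keyring" ]; then
        while IFS= read -r key; do
            [ -z "$key" ] && continue
            if ! grep -qxF -- "$key" "$allowlist" 2>/dev/null; then
                echo "FINDING: authorized key not on allowlist: $key"
                bad=1
            fi
        done < "$keyring"
    fi

    return $bad
}

# Usage on the router itself (allowlist path is an example, pick your own):
#   audit_router / "$(nvram show 2>/dev/null)" /jffs/my_ssh_keys.txt
```

A non-zero exit means at least one artefact matched. As RMerlin notes above, the clean-up is a factory default reset followed by re-applying only the settings you recognise; run the audit again afterwards with an up-to-date allowlist to confirm the keyring and SSH settings are back under your control.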
 
This article is about the malware itself, not about a new security issue. That malware is getting installed through brute forcing of the login, or through old security issues (one of them going back to 2023 - long fixed).
Hi ...
May someone please confirm if the patch for CVE-2023-39780 is included in the 386.14.2 firmware version?
The article refers to other vulnerabilities without a CVE # assigned. Is there any info on those?
Thank you.
 
