
“GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers”

That CVE is from September 2023. 386.14_2 was released over a year later, in November 2024.
 
So having the latest firmware installed and performing a factory reset is all that is needed to avoid this issue?
AND: Disable WAN access to the router - why the hell do you have it turned on? ;)
 
Same article from LifeHacker, which gives a more technical explanation: "If You Have an Asus Router, You Need to Check If It's Been Hacked"

I think I am not affected b/c the "hacker SSH key" is not in my system. However I am a bit confused. Can you please guide me through a proper fix. Here is my current config:
  • Asus RT-AX86U Pro, stock firmware 3.0.0.6.102_34349
  • Router Login Password = 28 chars, totally random lower, upper, digits, symbols
  • System settings: Telnet = No, SSH = LAN Only, Pwd Login = no
  • Authorized Keys = only mine (ssh-ed25519)
  • Enable Web Access from WAN = no
  • Enable Access Restrictions = no
Q1. From the article "GreyNoise says attackers used brute-force login attempts (running millions of login attempts until the right match is found) and authentication bypasses (forcing your way in around traditional authentication protocols) to break into these routers". Is it true there is a way to bypass the complexity of the pwd? I could disable SSH on LAN as well but I am a CLI type of person. I like to tinker with the terminal. Hope it is OK.

Q2. The author recommends blocking incoming requests from 4 IP addresses: 101.99.91.151, 101.99.94.173, 79.141.163.179, 111.90.146.237. Can I go a bit more strict? Block ALL unsolicited incoming requests. The way I use my router, the only legitimate incoming traffic is a response to an outgoing request originated from the home network. If "blocking all unsolicited incoming requests" is a valid security setting, can you please show me how to do that? Attached is a screenshot showing the Firewall settings. All default, except "Enable DoS protection", which has been enabled.
 

Attachment: AsusRTAX86UPro_Firewall.jpg
If "blocking all unsolicited incoming requests" is a valid security setting, can you please show me how to do that?
This is the default behavior of the firewall. But when the exploit enables SSH on WAN, it opens the firewall for the SSH port.
 
This is the default behavior of the firewall. But when the exploit enables SSH on WAN, it opens the firewall for the SSH port.
As unsolicited incoming requests are dropped by default, I assume Asus routers are immune to the attack described by GreyNoise. So the 9000+ routers which are reported as "infected" are those where the user had explicitly changed the config to allow SSH from WAN, right?

Unless there is another exploit? Which can bypass Asus default settings, maybe in old Asus firmware? If so, since when (or in which stock firmware version) has that exploit been fixed?
 
As unsolicited incoming requests are dropped, if the exploit could do anything to configure the router, does that mean there was/is a security defect somewhere that allows bypassing the firewall?
Based on the write up, the bad guys used another exploit to enable SSH over the WAN using the normal firmware setting. This firmware setting for SSH over the WAN informs the firewall to accept incoming WAN connections on the SSH port. That is normal firmware functionality. Gaining access to the router in the first place is the scary exploit; the persistent SSH access is just the evidence of the exploit.
 
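An offline audit of the two artefacts this thread turns on (an SSH key you did not install, and a WAN-side firewall rule that admits SSH), as an added example that is not code from the thread, GreyNoise or Asus. It assumes the WAN interface is named eth0 and SSH is on port 22, and runs on constructed sample files rather than a live router.

```shell
#!/bin/sh
# Added example, not code from the thread, GreyNoise or Asus. Audits two artefacts the
# thread discusses, offline, on files exported from a router: (1) SSH keys that are not
# on your own allow-list, (2) firewall rules that accept SSH from the WAN side.
# The WAN interface name (eth0) and SSH port (22) are assumptions; adjust for your unit.

# Count authorized_keys entries whose key blob is not in the allow-list ($2, one blob per
# line); each unknown entry is reported on stderr, the count goes to stdout.
count_unknown_keys() {            # $1 = authorized_keys file, $2 = allow-list file
    awk 'FILENAME == ARGV[1] { allow[$1] = 1; next }
         /^[ \t]*(#|$)/ { next }
         !($2 in allow) { print "UNKNOWN KEY:", $1, ($3 ? $3 : "<no comment>") > "/dev/stderr"; n++ }
         END { print n + 0 }' "$2" "$1"
}

# Count rules in an `iptables-save` dump that ACCEPT TCP to the SSH port on the WAN
# interface. A stock config with "SSH = LAN only" should yield 0; matches go to stderr.
count_wan_ssh_accepts() {         # $1 = iptables-save dump, $2 = WAN interface, $3 = SSH port
    grep -E -- "-i $2 .*-p tcp .*--dport $3 .*-j ACCEPT" "$1" | tee /dev/stderr | wc -l | tr -d ' '
}

# --- constructed sample inputs (fake key blobs, not real router data) ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/authorized_keys" <<'EOF'
# keys managed by the owner
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWNERKEYCONSTRUCTED owner@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQUNKNOWNKEYCONSTRUCTED
EOF
echo "AAAAC3NzaC1lZDI1NTE5AAAAIOWNERKEYCONSTRUCTED" > "$WORK/allow"
cat > "$WORK/rules" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -j DROP
COMMIT
EOF

echo "unknown SSH keys:          $(count_unknown_keys "$WORK/authorized_keys" "$WORK/allow")"
echo "WAN-side SSH ACCEPT rules: $(count_wan_ssh_accepts "$WORK/rules" eth0 22)"
```

On a real unit, feed the functions the exported authorized_keys and an `iptables-save` dump instead of the samples; a LAN-only SSH setting shows up as a rule on br0, not on the WAN interface.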
