Malware damaging ASUS routers?

Hi all, just curious would this still be an issue if the router was on the latest firmware patch already?

Mine decided to kick the bucket yesterday and only stumbled across this post (wifi's dead, everything else works and logs complain about getting crda(?) info but timing out). It’s the RT-AX86U.

Thanks for this pretty awesome community!
 
> Hi all, just curious would this still be an issue if the router was on the latest firmware patch already?

The root cause is a hacker getting access to the router and installing its payload. That access method can vary, from being a vulnerability in older AiCloud versions, up to people simply having weak, easily brute-forced passwords and leaving webui and/or ssh accessible from the WAN.

So basically, you could be running a bleeding edge firmware version, you would still be at risk if your webui can be reached over the Internet. Or if your web browser was compromised.
 
Thanks @RMerlin ! I'm on a loan router at the moment... I'm guessing this would help? I'm behind a CGNAT with my ISP would that potentially make a difference too? Thanks for sharing your knowledge with a newbie!

 
> Thanks @RMerlin ! I'm on a loan router at the moment... I'm guessing this would help? I'm behind a CGNAT with my ISP would that potentially make a difference too? Thanks for sharing your knowledge with a newbie!

If you are behind CGNAT then you should be fine in theory.

Be careful with access restrictions - it requires you to enter the IP address of your LAN PCs in the list below, otherwise you will lose access to your router, and will be forced to do a factory default reset. That option shouldn't be necessary if your router is only accessible from the LAN.
 
Hi all, newbie here who happened to stumble upon this thread while reading about an ASUS router that I was planning on purchasing.

Are there any guidelines on best practice settings or steps I should take to minimise the possibility of this happening if I do purchase the router?

Thanks in advance!
 
> Hi all, newbie here who happened to stumble upon this thread while reading about an ASUS router that I was planning on purchasing.
>
> Are there any guidelines on settings or steps I should take if I do purchase the router?
>
> Thanks in advance!

Just keep the router's firmware updated and follow the usual personal behaviour to minimise the risk of malware/viruses on your devices.
 
> Are there any guidelines on best practice settings or steps I should take to minimise the possibility of this happening if I do purchase the router?

Same security suggestion as with any internet facing device. Keep the firmware updated to the latest, and limit or block any access to the router/device from the internet side.

One of the ways it is thought routers were affected by the malware discussed in this thread is through the Asus AiCloud feature on the router. The AiCloud feature, when enabled, allows remote (off site) access to a USB drive attached to the router and/or local network devices behind that router. It is also generally advised to disable WAN/internet facing access to SSH and the router's login administration page.

PS: What follows is typically what Asus suggests for their EOL routers which is a good starting point and enable only those services that are explicitly needed.

Disable any services accessible from the internet, including:
1. AiCloud
2. Remote access from WAN
3. Port forwarding
4. DDNS
5. VPN server
6. DMZ
7. Port triggering
8. FTP
 
> Disable any services accessible from the internet, including:
>
> 2. Remote access from WAN

Thanks for this. I recently reinstalled the Asus app and didn't realize I accidentally chose to enable remote access/connection. It's off again!
 
> I recently reinstalled the Asus app and didn't realize I accidentally chose to enable remote access/connection. It's off again!

Yes, it's something not many may realize when they install/use the Asus app. They may inadvertently enable the WAN access on the router. Always good to periodically check the router configuration to ensure that various WAN facing options are disabled (assuming one wants them disabled).

Edit to add: And one can use the AiProtection Router Security Assessment scan button to see if certain options are enabled. Even when AiProtection is disabled the Router Security Assessment will still warn you if one of the items on its check list is enabled.
 