Massive Router Hack: Thousands of Asus and Cisco Devices Backdoored, Creating Stealthy Botnet

A silent but significant threat is emerging: thousands of Asus and Cisco routers are being compromised by sophisticated attackers, forming what appears to be a stealthy botnet. This isn't just about slow internet; it's a potential gateway for malicious activities, and users need to take immediate action to protect themselves.

Recent reports from GreyNoise and Sekoia reveal two distinct but overlapping campaigns, each exploiting vulnerabilities in popular router models. GreyNoise detected the AyySSHush botnet, targeting over 9,000 Asus routers, while Sekoia identified the ViciousTrap botnet, compromising more than 5,000 Cisco devices. What makes these attacks particularly alarming is their stealth and persistence.

Compromised Asus routers can be used for malicious activity (illustrative image)

Asus Router Breach: AyySSHush, discovered by GreyNoise in mid-March, shows the tradecraft of a well-resourced, possibly state-backed actor. The attackers exploit vulnerabilities including CVE-2023-39780, a command injection flaw, to add their own SSH public key to the router's authorized keys and enable the SSH daemon on TCP port 53282. Because this is done through the router's own configuration settings, which are stored in persistent memory rather than in the firmware image, the backdoor survives firmware upgrades.

"Because this key is added using the official ASUS features, this config change is persisted across firmware upgrades," GreyNoise researchers noted. The attackers are also meticulous in covering their tracks, disabling logging and Trend Micro's AiProtection to avoid detection.

Cisco Router Exploitation: Sekoia's investigation into ViciousTrap reveals the exploitation of CVE-2023-20118, a high-severity vulnerability in older Cisco Small Business routers. This flaw allows remote attackers to execute arbitrary commands, installing a shell script named NetGhost that redirects network traffic to attacker-controlled honeypots.

Routers being compromised to operate as a botnet (illustrative image)

While the exact goals of these botnets remain unclear, experts speculate they are being assembled for later use, potentially in distributed denial of service (DDoS) attacks or as proxies for malicious traffic. The NetGhost script Sekoia found in the Cisco intrusions redirects traffic from the compromised router to devices under the attackers' control, which would let them relay or inspect it.

What You Need to Do:

  • Asus Users: Log in to the router's admin interface and review the SSH settings. An infected router has SSH enabled on TCP port 53282 and an SSH public key you did not add in its authorized keys. Remove the key and the port setting, then update the firmware. Because the backdoor lives in the saved configuration rather than the firmware, a firmware upgrade alone will not remove it; if you suspect compromise, a factory reset followed by manual reconfiguration is the safer course.
  • Cisco Users: Cisco will not patch CVE-2023-20118, because the affected models are past their end-of-life date. Replace them with a newer, supported model.
  • All Router Users: Block the IP addresses associated with these attacks at your firewall (101.99.91[.]151, 101.99.94[.]173, 79.141.163[.]179, 111.90.146[.]237). Replace the router's default administrator password with a strong, unique one, and keep remote (WAN-side) administration disabled unless you actually need it.
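A small triage script for the Asus check above, added here as an example and not code from GreyNoise, ASUS or the article. It assumes you have copied the router's SSH port and authorized-keys text out of the admin interface into plain strings (on Asuswrt firmware these are the `sshd_port` and `sshd_authkeys` settings; that naming is an assumption) and that you keep your own list of legitimate key fingerprints. The key material in the block is constructed and is not a real key. The script computes the same SHA256 fingerprints that `ssh-keygen -lf` prints so you can compare against keys you know, flags port 53282 and any key you did not add, and can optionally probe the port from the LAN side.

```python
"""Triage helper for the AyySSHush indicators listed above.

Added example, not GreyNoise's or ASUS's code. It assumes you have copied the
router's SSH port and its authorized-keys text out of the admin interface (on
Asuswrt these are assumed to be the `sshd_port` and `sshd_authkeys` settings)
into plain strings; the key material below is constructed for the demo.
"""
import base64
import hashlib
import socket
from dataclasses import dataclass

BACKDOOR_PORT = 53282  # port the attackers enable the SSH daemon on (from the GreyNoise report)


@dataclass
class Finding:
    severity: str
    message: str


def parse_authorized_key(line: str) -> tuple[str, bytes, str]:
    """Split one authorized_keys line into (key type, raw key blob, comment).

    Tolerates a leading options field (e.g. command="...") by scanning for the
    first key-type token followed by a valid base64 blob whose embedded type
    string matches the token.
    """
    tokens = line.strip().split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(("ssh-", "ecdsa-", "sk-")):
            continue
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except ValueError:
            continue
        type_len = int.from_bytes(blob[:4], "big")
        if blob[4:4 + type_len] == tok.encode():
            return tok, blob, " ".join(tokens[i + 2:])
    raise ValueError("no valid OpenSSH public key found")


def ssh_key_fingerprint(line: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (base64, no padding)."""
    _, blob, _ = parse_authorized_key(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_asus_ssh(authorized_keys_text: str, sshd_port: int,
                   allowed_fingerprints: set[str]) -> list[Finding]:
    """Flag the backdoor port and any key not on the administrator's allowlist."""
    findings: list[Finding] = []
    if sshd_port == BACKDOOR_PORT:
        findings.append(Finding("high", f"sshd is set to port {sshd_port}, the AyySSHush backdoor port"))
    for lineno, raw in enumerate(authorized_keys_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ktype, _, comment = parse_authorized_key(line)
        except ValueError as exc:
            # A malformed entry is suspicious in itself; report it instead of crashing.
            findings.append(Finding("medium", f"line {lineno}: unparseable entry ({exc})"))
            continue
        fp = ssh_key_fingerprint(line)
        if fp not in allowed_fingerprints:
            findings.append(Finding("high", f"line {lineno}: unknown {ktype} key {fp} ({comment or 'no comment'})"))
    return findings


def backdoor_port_open(host: str, port: int = BACKDOOR_PORT, timeout: float = 2.0) -> bool:
    """Optional live check from the LAN: does the router accept TCP connections on the backdoor port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def _demo_ed25519_line(fill: int, comment: str) -> str:
    """Constructed demo data: a syntactically valid ssh-ed25519 line whose 32-byte
    'public key' is a repeated byte, so it is not a usable key."""
    ktype = b"ssh-ed25519"
    blob = (len(ktype).to_bytes(4, "big") + ktype
            + (32).to_bytes(4, "big") + bytes([fill]) * 32)
    return f"{ktype.decode()} {base64.b64encode(blob).decode()} {comment}".rstrip()


ADMIN_KEY = _demo_ed25519_line(0x11, "admin@laptop")   # the key the owner added
UNKNOWN_KEY = _demo_ed25519_line(0x22, "")              # a key the owner never added
SAMPLE_AUTHORIZED_KEYS = "\n".join([ADMIN_KEY, UNKNOWN_KEY, "not a key at all"])

if __name__ == "__main__":
    allowed = {ssh_key_fingerprint(ADMIN_KEY)}
    for f in audit_asus_ssh(SAMPLE_AUTHORIZED_KEYS, sshd_port=53282, allowed_fingerprints=allowed):
        print(f"[{f.severity}] {f.message}")
```

Run it as-is to see the constructed sample produce three findings (the port, the unknown key, and the malformed line); to use it for real, paste the router's authorized-keys text in place of the sample and put the fingerprints of your own keys in the allowlist. The fingerprint comparison, rather than a string match on the key line, is what makes an attacker's key stand out even if it carries a plausible-looking comment.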

This widespread router compromise highlights the critical importance of router security. Are you confident that your router is protected against these types of attacks? Share your thoughts and experiences in the comments below.
