ASUS router users warned: global hacking exploit detected requires factory reset

A botnet has been discovered that is targeting ASUS routers, and a firmware update won't fix the problem: compromised devices will need to be factory reset.

TL;DR: GreyNoise uncovered the AyySSHush botnet infecting over 8,000 hosts, mainly ASUS routers, exploiting known bypass bugs to gain persistent SSH backdoor access that survives firmware updates. Affected models include RT-AC3100, RT-AC3200, and RT-AX55. Users should factory reset and set strong passwords despite recent ASUS patches.

GreyNoise, a threat monitoring company, has discovered a botnet named AyySSHush. According to a Censys search, there are more than 8,000 infected hosts, and thousands of these are ASUS routers.


The group behind the botnet is currently unknown, but according to GreyNoise's VP of data science, Bob Rudis, the movements and sophistication of the group suggest they are an "advanced, well-resourced adversary." They started with generic brute-force attacks, but have also incorporated an interesting security bypass to gain access to ASUS routers. The botnet locates ASUS routers and exploits various known bypass bugs to gain initial access to the router, then executes additional authentication bypass techniques to break into routers more effectively.

Once the attackers have broken into the router, they enable SSH, a remote command tool, and add their own public key to the router, giving them covert, ongoing access. They then begin disabling security tools. What's concerning is that they do all of this through ASUS's own router settings, so the changes survive firmware updates and leave no malware trace, making this form of exploitation extremely difficult to detect.

"Because this key is added using the official ASUS features, this config change is persisted across firmware upgrades," GreyNoise's report said. "If you've been exploited previously, upgrading your firmware will not remove the SSH backdoor."

"Because it's configured through official ASUS settings, the backdoor persists in NVRAM (persistent memory) even after patching. No malware dropped, logging disabled = nearly invisible," Rudis added.

Models Affected

  • RT-AC3100
  • RT-AC3200
  • RT-AX55 (still widely used)

Notably, ASUS has provided a fix in a recent firmware update, but if you suspect your device has been compromised, it's worth simply factory resetting your device and setting a strong password, as the firmware update won't disable remote access.
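Because the backdoor described above is only a settings change (SSH enabled plus an added public key), it can be looked for in a saved copy of the router's settings. The following is an added example, not code from GreyNoise or ASUS: it assumes the settings were saved as `name=value` lines (for instance from `nvram show`), that the variables are named `sshd_enable`, `sshd_port` and `sshd_authkeys`, and that multiple keys are joined with `>`; the sample data is constructed.

```python
import base64
import hashlib
import re

def parse_nvram(dump):
    """Parse 'name=value' lines (e.g. saved `nvram show` output) into a dict."""
    settings = {}
    for line in dump.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip()] = value.strip()
    return settings

def fingerprint(pubkey_entry):
    """Return the OpenSSH-style SHA256 fingerprint of one public key entry."""
    fields = pubkey_entry.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            digest = hashlib.sha256(base64.b64decode(fields[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("not an OpenSSH public key entry")

def audit_ssh(dump, trusted_fingerprints):
    """List SSH settings the owner should review; an empty list means none."""
    nv = parse_nvram(dump)
    findings = []
    # Assumed Asuswrt variable names; confirm them on your own model.
    if nv.get("sshd_enable", "0") != "0":
        findings.append("SSH is enabled on port %s" % nv.get("sshd_port", "?"))
    # Assumption: multiple keys are joined with '>' inside the single value.
    keys = re.split(r"[>\n]", nv.get("sshd_authkeys", ""))
    for entry in filter(None, map(str.strip, keys)):
        try:
            fp = fingerprint(entry)
        except ValueError:  # also covers malformed base64 (binascii.Error)
            findings.append("unparseable authorized key entry: %r" % entry[:40])
            continue
        if fp not in trusted_fingerprints:
            findings.append("authorized key not in trusted set: " + fp)
    return findings

# Constructed sample data: placeholder blobs, not real keys or router output.
ADMIN_KEY = "ssh-ed25519 %s admin@laptop" % base64.b64encode(b"constructed admin key").decode()
UNKNOWN_KEY = "ssh-rsa %s" % base64.b64encode(b"constructed unknown key").decode()
SAMPLE_DUMP = "sshd_enable=1\nsshd_port=2222\nsshd_authkeys=%s>%s\nwl0_ssid=home\n" % (ADMIN_KEY, UNKNOWN_KEY)

if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_DUMP, {fingerprint(ADMIN_KEY)}):
        print(finding)
```

Any key that is not in your trusted set, or SSH being enabled when you never turned it on, is the cue to factory reset rather than only update the firmware.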



Jak joined TweakTown in 2017 and has since reviewed 100s of new tech products and kept us informed daily on the latest science, space, and artificial intelligence news. Jak's love for science, space, and technology, and, more specifically, PC gaming, began at 10 years old. It was the day his dad showed him how to play Age of Empires on an old Compaq PC. Ever since that day, Jak fell in love with games and the progression of the technology industry in all its forms.