
9,000 Asus routers compromised by botnet attack and persistent SSH backdoor that even firmware updates can’t fix



Thousands of Asus routers have been compromised due to a newly discovered botnet called ‘AyySSHush.’ The stealth attack was detected in March 2025 by cybersecurity firm GreyNoise, which [link hidden] exploits authentication and makes use of the router features to maintain long-term access. Notably, the backdoor does not make use of any malware, and the unauthorized access cannot be removed using firmware updates.

The attack begins with threat actors targeting the routers through brute-force login attempts and exploiting authentication bypass techniques, some of which remain undocumented without assigned CVEs. Once inside, they target and exploit [link hidden], a known command injection vulnerability, to execute arbitrary system-level commands. This technique allows the attackers to manipulate the router’s configuration using legitimate functions within the firmware.

The attackers use official Asus router features to gain persistent access. They also gain the ability to enable SSH on a non-standard port (TCP 53282) and install their own public SSH key, enabling remote administrative control. Since the backdoor is written to the router’s non-volatile memory (NVRAM), it can survive both firmware updates and device reboots. Additionally, by disabling system logging and the router’s AiProtection security features, the attackers ensure that they cannot be detected.



According to GreyNoise’s report, the techniques used by the attackers suggest thorough planning for long-term access and demonstrate a deep knowledge of the system’s architecture. Over 9,000 Asus routers have been confirmed as compromised, according to data from Censys, a platform that monitors and maps internet-facing devices globally. Censys identifies devices that are exposed to the internet, while GreyNoise detects which of those devices are being actively targeted or exploited. This offers a clearer picture of both the scale and stealth of the ongoing campaign.

The discovery of the exploit was made using GreyNoise’s AI-powered analysis tool called ‘Sift.’ It flagged just three HTTP POST requests targeting Asus router endpoints for deeper inspection, which were then observed using emulated Asus profiles running factory firmware. Surprisingly, Sift detected only 30 malicious requests over a period of three months, despite the campaign compromising thousands of devices.

Asus has released a new firmware update addressing CVE-2023-39780, as well as the initial undocumented login bypass techniques. However, the update is more or less a preventive measure. For any router that has been exploited previously, upgrading the firmware is not going to remove the SSH backdoor. This is because the malicious configuration changes are stored in non-volatile memory and are not overwritten during standard firmware upgrades.

To ensure routers are fully secured, users are advised to take additional manual steps, including checking for active SSH access on TCP port 53282, reviewing the authorized_keys file for unfamiliar entries, and blocking the known malicious IP addresses that may be associated with the campaign. If a device is suspected to be compromised, it is best to perform a full factory reset and then reconfigure the router from the beginning.
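The first two manual checks above can be scripted from an administrator's workstation. The following is an added example, not code from the article, GreyNoise or Asus; it assumes the router's authorized_keys content has been copied off the device as text, that `trusted` holds fingerprints of the administrator's own keys, and that `192.168.1.1` is only a placeholder LAN address. The sample keys are constructed.

```python
import base64, hashlib, socket, sys

BACKDOOR_PORT = 53282                       # non-standard SSH port named in the article
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes of OpenSSH public-key type names

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unknown_keys(text, trusted):
    """Return (line_no, fingerprint, comment) for each key not in `trusted`."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options may precede the key type, so locate the type token first.
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        try:
            fp = fingerprint(tokens[idx + 1])
        except (TypeError, IndexError, ValueError):
            findings.append((no, "UNPARSEABLE", line.strip()))  # review by hand
            continue
        if fp not in trusted:
            findings.append((no, fp, " ".join(tokens[idx + 2:])))
    return findings

def ssh_banner(host, port=BACKDOOR_PORT, timeout=3.0):
    """Return the SSH identification string if the port answers as SSH, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(255)
    except OSError:                          # refused, filtered or timed out
        return None
    text = data.decode("ascii", "replace").strip()
    return text if text.startswith("SSH-") else None

# Constructed sample data: these blobs are not real keys.
ADMIN = base64.b64encode(b"constructed admin key blob").decode()
ROGUE = base64.b64encode(b"constructed unfamiliar key blob").decode()
SAMPLE = f"# router keys\nssh-ed25519 {ADMIN} admin@laptop\nssh-rsa {ROGUE}\n"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # placeholder address
    for finding in unknown_keys(SAMPLE, {fingerprint(ADMIN)}):
        print("unfamiliar key:", finding)
    print(f"SSH on {host}:{BACKDOOR_PORT}:", ssh_banner(host) or "no SSH banner")
```

An SSH banner on port 53282 or any key outside the trusted set is a reason to follow the article's advice and factory-reset the device.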
