
Asus has issued multiple statements regarding a highly publicized botnet attack that has infected over 9,000 routers to date. As per a previous report, the "AyySSHush" botnet has infected its hosts through a mix of brute-force attacks and authentication bypasses, and stores its backdoor in non-volatile memory so that it persists across firmware updates and reboots.
In an official statement on the attacks, Asus said that the vulnerabilities can be avoided by those not yet infected, and remediated on routers that have already been compromised. The attackers exploit a known command injection flaw, CVE-2023-39780, to enable SSH access on a custom port (TCP/53282) and insert an attacker-controlled public key for remote access.
This exploit has been patched in the latest Asus firmware update, and Asus accordingly advises all users of its routers to update their firmware. Asus also advises a factory reset, followed by setting a strong administrator password. For users whose routers have reached end-of-life support, or who are comfortable enough with their router settings to want to avoid a factory reset, Asus recommends "disabling all remote access features such as SSH, DDNS, AiCloud, or Web Access from WAN, and confirming that the SSH (especially TCP port 53282) is not exposed to the Internet."
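The Asus checklist above can be turned into an offline audit of a router's configuration dump. The following Python is an added example, not Asus's or GreyNoise's tooling. It assumes the dump is the `key=value` output of `nvram show`, and that the variable names `sshd_enable`, `sshd_wan`, `sshd_port`, `sshd_authkeys`, `ddns_enable_x` and `misc_http_x` follow the Asuswrt convention; those names are assumptions, so confirm them against your own firmware's `nvram show` output before relying on the checks. The two sample dumps are constructed for the example.

```python
"""Audit an Asus router NVRAM dump against the remote-access hardening checklist.

Example code added for illustration (not Asus or GreyNoise tooling).
ASSUMPTIONS: dump lines look like `key=value` as printed by `nvram show`;
variable names follow the Asuswrt convention (sshd_enable, sshd_wan,
sshd_port, sshd_authkeys, ddns_enable_x, misc_http_x). Verify on your model.
"""
from typing import Dict, List, Set

BACKDOOR_PORT = 53282  # TCP port named in the Asus statement


def parse_nvram(dump: str) -> Dict[str, str]:
    """Parse `nvram show`-style output into a dict, skipping lines without '='."""
    settings: Dict[str, str] = {}
    for line in dump.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def key_blobs(authkeys: str) -> List[str]:
    """Return the base64 key material (second field) of each authorized_keys entry.

    Assumption: entries are newline-separated; some builds use another separator.
    """
    blobs = []
    for entry in authkeys.splitlines():
        fields = entry.split()
        if len(fields) >= 2 and fields[0].startswith(("ssh-", "ecdsa-")):
            blobs.append(fields[1])
    return blobs


def _port(settings: Dict[str, str]) -> int:
    try:
        return int(settings.get("sshd_port", "22") or 22)
    except ValueError:
        return -1  # unparsable value: treat as unknown, not as a match


def audit_remote_access(settings: Dict[str, str], trusted_blobs: Set[str]) -> List[str]:
    """Return findings for every exposure the Asus guidance says to disable or verify."""
    findings: List[str] = []
    if settings.get("sshd_enable", "0") != "0":
        port = _port(settings)
        if settings.get("sshd_wan", "0") == "1":
            findings.append(f"SSH reachable from WAN on TCP/{port}")
        if port == BACKDOOR_PORT:
            findings.append(f"SSH listening on TCP/{BACKDOOR_PORT}, the port used by the AyySSHush backdoor")
        # Any authorized key not in the operator's allowlist is suspicious:
        # the backdoor works by inserting an attacker-controlled public key.
        for blob in key_blobs(settings.get("sshd_authkeys", "")):
            if blob not in trusted_blobs:
                findings.append(f"unknown SSH authorized key: {blob[:16]}...")
    if settings.get("ddns_enable_x", "0") == "1":
        findings.append("DDNS enabled")
    if settings.get("misc_http_x", "0") == "1":
        findings.append("Web access from WAN enabled")
    return findings


# Constructed sample dumps (not real router output).
COMPROMISED_DUMP = """\
sshd_enable=1
sshd_wan=1
sshd_port=53282
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0CONSTRUCTEDATTACKERKEY attacker@example
ddns_enable_x=1
misc_http_x=0
"""

CLEAN_DUMP = """\
sshd_enable=0
sshd_wan=0
sshd_port=22
sshd_authkeys=
ddns_enable_x=0
misc_http_x=0
"""

if __name__ == "__main__":
    for name, dump in (("compromised", COMPROMISED_DUMP), ("clean", CLEAN_DUMP)):
        print(name, audit_remote_access(parse_nvram(dump), trusted_blobs=set()))
```

Run it against a saved `nvram show` dump from the router (and an allowlist of the key blobs you actually installed); an empty findings list means the checklist is satisfied, while any "unknown SSH authorized key" or TCP/53282 finding is a reason to follow the firmware-update and factory-reset advice rather than just editing settings.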
Asus also claims to have been working to update firmware on affected models, including the RT-AX55 router, well before the GreyNoise report was published. This is a key detail from the company, as the CVE-2023-39780 reporting shows that Asus had been made aware of the vulnerability before the most recent GreyNoise report went out.
What is the AyySSHush botnet?
The AyySSHush botnet was first detected by security firm GreyNoise in March, via alerts raised by its proprietary AI monitoring technology, Sift; GreyNoise made its findings public in May. GreyNoise categorizes the attackers responsible for the botnet as "a well-resourced and highly capable adversary", though without making any accusations about who the attackers were.
A Censys search for the affected routers returns, at the time of writing, more than 9,500 results. To date, activity from the botnet has been minimal, with only 30 related requests registered across three months.