A critical flaw in ASUS routers: thousands of devices compromised in a stealth campaign

Since March 2025, a very stealthy hacking campaign has been targeting ASUS routers exposed to the Internet. The cybersecurity company GreyNoise recently revealed that thousands of these devices had been infected without leaving any visible trace. The sophistication of the attacks points to a highly experienced, possibly state-sponsored, group. The goal appears to be the classic one: building a botnet.

🛡️ When it comes to websites, don't forget how important it is to host your web services on a secure host, like LRob, which protects your data well beyond the basic infrastructure.


In a nutshell: what you need to know

  • Nearly 9,000 ASUS routers are currently affected.
  • The attack gives the attackers persistent access that survives a reboot or a firmware update.
  • No malware is used: the routers' own official functions are abused instead.
  • The aim is to create a botnet, i.e. a hidden network of machines under the attackers' control, potentially for future attacks.
  • The techniques used combine brute force, authentication bypass and command injection.
  • ASUS has published a partial patch; however, routers that have already been compromised remain vulnerable.

1. How the attackers took control

GreyNoise researchers have identified several methods used to gain initial access to the routers:

  • Brute-force login attempts using weak or default credentials.
  • Two undocumented authentication bypass flaws (no CVE assigned).
  • Exploitation of a known vulnerability, CVE-2023-39780, which allows system commands to be executed on the router.

2. Long-lasting, silent access

Once inside, the attackers leave nothing to chance, and they deploy no malware. They enable SSH access on an unusual port (TCP/53282), then insert their own SSH public key, which gives them unrestricted remote access.

These changes are stored in the router's non-volatile memory (NVRAM), so they survive reboots and firmware updates.

The attackers' probable aim is to build a botnet of routers, i.e. a pool of devices available to carry out various subsequent attacks.


3. A campaign designed to go unnoticed

One of the strengths of this operation is its extreme discretion:

  • System logging is disabled, leaving no local trace.
  • Changes are made through official ASUS interfaces, which makes them even harder to detect.
  • GreyNoise detected only 30 suspicious requests in 3 months.

4. What should I do if I use an ASUS router?

GreyNoise recommends several immediate actions:

  1. Check whether SSH is enabled on port 53282.
  2. Check the authorised SSH keys file on your router (authorized_keys) for keys you did not add.
  3. Block the following IP addresses:
    • 101.99.91.151
    • 101.99.94.173
    • 79.141.163.179
    • 111.90.146.237
  4. If in doubt, reset the router to factory settings, then reconfigure it manually.
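A small triage helper for the first two checks, added here as an example and not taken from GreyNoise or ASUS. It reads the text of an `nvram show` dump; the variable names sshd_enable, sshd_port and sshd_authkeys are assumed from Asuswrt and should be verified against your own firmware, and the embedded dump is a constructed sample so that the script runs offline.

```shell
#!/bin/sh
# Added triage helper (not GreyNoise's or ASUS's code): flags SSH on TCP/53282
# and any stored SSH key that is not on your own allow-list, from an `nvram show`
# dump. ASSUMPTION: Asuswrt variable names sshd_enable, sshd_port, sshd_authkeys.

CAMPAIGN_PORT=53282

# Constructed sample standing in for `nvram show` output on an infected router.
SAMPLE_NVRAM='lan_ipaddr=192.168.1.1
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-rsa AAAAB3Nza-CONSTRUCTED-ATTACKER-KEY attacker'

# Public keys you installed yourself (constructed sample); anything else is suspect.
KNOWN_KEYS='ssh-ed25519 AAAAC3Nza-CONSTRUCTED-ADMIN-KEY admin@laptop'

nvram_value() {  # nvram_value DUMP NAME -> prints the value of NAME in DUMP
  printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# check_router DUMP KNOWN: prints one FINDING line per indicator.
# Exit status 1 when something was found, 0 when the dump looks clean.
check_router() {
  dump=$1; known=$2; hits=0
  if [ "$(nvram_value "$dump" sshd_enable)" = "1" ] &&
     [ "$(nvram_value "$dump" sshd_port)" = "$CAMPAIGN_PORT" ]; then
    echo "FINDING: sshd enabled on TCP/$CAMPAIGN_PORT (port used in this campaign)"
    hits=$((hits + 1))
  fi
  # Compare the key material (second field) of each stored key with the allow-list.
  for blob in $(nvram_value "$dump" sshd_authkeys | awk '{print $2}'); do
    if ! printf '%s\n' "$known" | awk '{print $2}' | grep -qxF -- "$blob"; then
      echo "FINDING: unknown SSH key in sshd_authkeys: $blob"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}

check_router "$SAMPLE_NVRAM" "$KNOWN_KEYS" ||
  echo "Router needs cleanup: remove the key, then factory-reset and reconfigure."
```

On a real device, replace SAMPLE_NVRAM with the output of `nvram show` and KNOWN_KEYS with your own public keys.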

5. Has ASUS corrected the flaw?

Yes, ASUS has released a firmware update that corrects CVE-2023-39780 and other unlisted vulnerabilities. However, devices that have already been compromised remain vulnerable unless the malicious SSH configuration is removed manually.


An important reminder about infrastructure security

This attack shows how connected devices can become invisible entry points for large-scale hacking campaigns.

At LRob, a high-security web host, our starting point is that security should never be optional. Our infrastructure is monitored 24/7, segmented and hardened, and our customers benefit from multiple layers of defence to avoid this type of compromise.


Sources

Full analysis on the GreyNoise website:
https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers

GreyNoise technical study:
https://www.labs.greynoise.io/grimoire/2025-03-28-ayysshush/
