GreyNoise has discovered a sophisticated campaign exploiting ASUS routers exposed to the internet, using CVE-2023-39780 (a command injection vulnerability). This operation is not just a one-off attack, but part of a broader effort to construct a distributed network of compromised devices, likely intended for future botnet operations.

The attackers behind this campaign are not your average opportunists. Their tactics reflect a high level of operational maturity and an in-depth understanding of system internals. The use of built-in features for persistence, the avoidance of traditional malware, and the ability to maintain control across reboots and firmware upgrades are hallmarks of advanced persistent threat (APT) actors and operational relay box (ORB) networks.

Once compromised, the ASUS routers become long-term assets in the attacker’s infrastructure, offering remote access without raising any immediate alarms.

How the ASUS Router Exploitation Unfolded

The initial phase of the campaign involved widespread brute-force login attempts targeting login.cgi, a common point of entry on many ASUS routers. These were followed by more precise attacks exploiting older authentication bypass vulnerabilities, some of which remain undocumented or unassigned to specific CVEs.

Once inside, attackers deployed a payload that exploited CVE-2023-39780, a command injection vulnerability. This was used to create a seemingly harmless empty file at /tmp/BWSQL_LOG. However, this file serves a hidden purpose: it activates BWDPI (Bidirectional Web Data Packet Inspection), a security feature powered by TrendMicro, embedded in many ASUS routers.

This step is critical as it allows the attackers to interact with system features typically reserved for trusted processes.

What sets this campaign apart is the strategic use of official ASUS configuration settings to enable persistence. The attackers:

  • Enable remote SSH access on a non-standard port (TCP/53282).
  • Insert a public SSH key under their control into the router’s keyring.
  • Store these settings in non-volatile memory (NVRAM), ensuring that even after firmware upgrades or reboots, access is retained.

Since these backdoor configurations are stored using legitimate methods, no malware is dropped, and the router’s logging features are disabled, making the compromise extremely hard to detect.
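An added defender-side check, not part of the original article or GreyNoise's tooling: it parses a constructed `nvram show` dump and flags the persistence settings described above (SSH on TCP/53282, injected authorized keys, logging turned off). The variable names `sshd_enable`, `sshd_port`, `sshd_authkeys` and `log_level` are assumed ASUSWRT NVRAM names, and the key in the sample is a placeholder, not the campaign's key.

```python
"""Audit an ASUS router 'nvram show' dump for the persistence settings above."""
from typing import Dict, List

# Constructed sample dump. Variable names are assumed ASUSWRT NVRAM names;
# the SSH key is a placeholder, not an indicator from the report.
SAMPLE_NVRAM_DUMP = """\
lan_ipaddr=192.168.50.1
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-rsa AAAA_PLACEHOLDER_KEY_MATERIAL attacker@example
log_level=0
size: 12345 bytes (53191 left)
"""

# Port the article names as the attackers' remote-access port.
SUSPICIOUS_SSH_PORT = 53282


def parse_nvram_show(dump: str) -> Dict[str, str]:
    """Parse 'key=value' lines as emitted by 'nvram show'; values may contain '='."""
    nvram: Dict[str, str] = {}
    for line in dump.splitlines():
        if "=" not in line:
            continue  # skips the trailing 'size: ...' summary and blank lines
        key, _, value = line.partition("=")
        nvram[key.strip()] = value.strip()
    return nvram


def audit_persistence(nvram: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    ssh_on = nvram.get("sshd_enable", "0") not in ("0", "")
    port = nvram.get("sshd_port", "")
    if ssh_on and port == str(SUSPICIOUS_SSH_PORT):
        findings.append(f"SSH enabled on TCP/{port}, the port used in this campaign")
    elif ssh_on and port not in ("", "22"):
        findings.append(f"SSH enabled on non-standard port TCP/{port}; confirm it is yours")
    # Assumed: multiple keys in sshd_authkeys are separated by '>'.
    keys = [k for k in nvram.get("sshd_authkeys", "").split(">") if k.strip()]
    for key in keys:
        findings.append(f"authorized SSH key present: {key[:40]}...; verify you added it")
    if nvram.get("log_level") == "0":
        findings.append("system logging level is 0 (logging effectively disabled)")
    return findings


if __name__ == "__main__":
    for finding in audit_persistence(parse_nvram_show(SAMPLE_NVRAM_DUMP)):
        print("FINDING:", finding)
```

On a real device, feed it the output of `nvram show` captured over the router's own admin shell, and treat any finding you did not configure yourself as a reason for the factory reset the article recommends.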

Impact

Thousands of ASUS routers are confirmed to be affected, with the number steadily increasing. GreyNoise has observed that in many cases:

  • Attackers are exploiting the command injection flaw (CVE-2023-39780) to execute arbitrary system commands.
  • The techniques used reflect a deep understanding of the router firmware and are designed for long-term operational control.
  • Traditional security tools may miss this intrusion entirely due to the absence of obvious indicators such as malware or external binaries.

What This Means

This campaign illustrates a worrying trend: attackers no longer need to rely on traditional malware to maintain access. By exploiting trusted system features and carefully avoiding detection, they can silently build out resilient infrastructure capable of supporting future DDoS attacks.

Organizations and individuals using ASUS routers that are exposed to the internet should review device configurations, restrict remote access, and apply all available firmware updates.

However, given the nature of this attack, remediation may require more than just patching: a full factory reset and manual inspection of SSH settings and keyrings may be necessary to fully evict the intruders.

Source: hxxps[://]www[.]labs[.]greynoise[.]io/grimoire/2025-03-28-ayysshush/?_ga=2.141837367.462115162.1748503683-361190758.1748503683

Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news