GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A sophisticated campaign targeting ASUS routers has been uncovered, compromising thousands of devices. The attackers employ brute-force attempts, authentication bypasses, and exploit CVE-2023-39780 to gain initial access. They establish persistence by enabling SSH access on a custom port and inserting their public key, storing configurations in NVRAM to survive reboots and firmware updates. The operation is characterized by its stealth, disabling logging and avoiding malware installation. The tactics suggest a well-resourced adversary, possibly an APT group. Nearly 9,000 routers are confirmed affected, with numbers growing. The campaign's discovery was facilitated by AI-powered analysis and emulated router profiles, highlighting the attackers' high level of sophistication and long-term planning.
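A defender-side check for the persistence described in the summary, added here as an example and not taken from GreyNoise or the original page: it audits a saved NVRAM dump for SSH enabled on a non-approved port and for stored authorized keys outside an allowlist. The NVRAM key names (`sshd_enable`, `sshd_port`, `sshd_authkeys`) are assumed Asuswrt-style names, and the port and key blobs in the sample are constructed; the page gives none of them.

```python
import re

# Assumed Asuswrt-style NVRAM key names; the page does not name them.
SSH_ENABLE, SSH_PORT, SSH_KEYS = "sshd_enable", "sshd_port", "sshd_authkeys"
# Matches "<key type> <base64 blob>" pairs anywhere inside the stored value.
KEY_RE = re.compile(r"\b((?:ssh|ecdsa)-[a-z0-9@.-]+)\s+([A-Za-z0-9+/]+=*)")

def parse_nvram(dump):
    """Parse key=value lines; only the first '=' splits, so base64 padding survives."""
    settings = {}
    for line in dump.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            settings[key.strip()] = value.strip()
    return settings

def audit_ssh(settings, approved_blobs=frozenset(), approved_ports=frozenset({"22"})):
    """Return (code, detail) findings for SSH persistence stored in NVRAM."""
    findings = []
    enabled = settings.get(SSH_ENABLE, "0") not in ("", "0")
    port = settings.get(SSH_PORT, "")
    if enabled and port and port not in approved_ports:
        findings.append(("ssh-custom-port", port))
    # Keys are reported even when SSH is off: the stored value survives
    # reboots and firmware updates, so it can be re-activated later.
    for key_type, blob in KEY_RE.findall(settings.get(SSH_KEYS, "")):
        if blob not in approved_blobs:
            state = "ssh on" if enabled else "ssh off, key still stored"
            findings.append(("unapproved-key", f"{key_type} {blob[:16]}... ({state})"))
    return findings

# Constructed sample dump (not real device data); port and keys are made up.
SAMPLE_DUMP = """\
http_enable=0
sshd_enable=1
sshd_port=50022
sshd_authkeys=ssh-rsa AAAAC3ApprovedKeyCONSTRUCTED== admin@mgmt ssh-rsa AAAAC3UnknownKeyCONSTRUCTED==
"""
APPROVED = {"AAAAC3ApprovedKeyCONSTRUCTED=="}

if __name__ == "__main__":
    for code, detail in audit_ssh(parse_nvram(SAMPLE_DUMP), approved_blobs=APPROVED):
        print(code, detail)
```

Because the summary states that the configuration survives firmware updates, a device that has been patched should still be run through a check like this.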

OPENCTI LABELS:

apt,backdoor,botnet,authentication bypass,persistence,ssh,stealth,asus routers,cve-2023-39780,nvram

