Feed: Slashdot
Feed Link: https://slashdot.org/
---

Title: ASUS Router Backdoors Affect 9,000 Devices, Persists After Firmware
Updates

Link: https://it.slashdot.org/story/25/05/29/205222...

An anonymous reader quotes a report from SC Media: Thousands of ASUS routers
have been compromised with malware-free backdoors in an ongoing campaign to
potentially build a future botnet, GreyNoise reported Wednesday. The threat
actors abuse security vulnerabilities and legitimate router features to
establish persistent access without the use of malware, and these backdoors
survive both reboots and firmware updates, making them difficult to remove.
The attacks, which researchers suspect are conducted by highly sophisticated
threat actors, were first detected by GreyNoise's AI-powered Sift tool in mid-
March and disclosed Thursday after coordination with government officials and
industry partners. Sekoia.io also reported the compromise of thousands of
ASUS routers in their investigation of a broader campaign, dubbed
ViciousTrap, in which edge devices from other brands were also compromised to
create a honeypot network. Sekoia.io found that the ASUS routers were not
used to create honeypots, and that the threat actors gained SSH access using
the same port, TCP/53282, identified by GreyNoise in their report. The
backdoor campaign affects multiple ASUS router models, including the RT-
AC3200, RT-AC3100, GT-AC2900, and Lyra Mini. GreyNoise advises users to
perform a full factory reset and manually reconfigure any potentially
compromised device. To identify a breach, users should check for SSH access
on TCP port 53282 and inspect the authorized_keys file for unauthorized
entries.

Read more of this story at Slashdot.

---
VRSS v2.1.180528