Cybersecurity company GreyNoise has reported a stealthy, long-running campaign that has compromised thousands of ASUS home and small-office routers.
The campaign, suspected to be the work of a nation-state or similarly well-resourced threat group, plants a persistent backdoor that survives both firmware updates and reboots.
Worse, a typical user is unlikely to notice it: the attackers leave no malware behind, and the backdoor is only visible to someone who inspects the router's SSH settings.
Unpatched and Unseen ASUS Router Vulnerabilities
According to GreyNoise, the attackers first gain access to the routers through several weaknesses: some have since been patched, others were never assigned a CVE. One confirmed vulnerability, CVE-2023-39780, is a command-injection flaw that lets an attacker run arbitrary system commands on the router.
Once in, the threat actor enables the router's SSH service on a non-standard port and adds its own SSH public key to the list of authorized keys, so anyone holding the matching private key can log in later with full administrative privileges. Because these are ordinary router settings stored in the device's non-volatile memory (NVRAM) rather than files on the firmware image, neither a firmware update nor a reboot removes them.
Long-Term Persistence Without Malware
What makes this attack so dangerous is the durability of the access. GreyNoise says the attacker drops no malware and leaves few of the usual indicators of compromise. Instead, they chain exploits, bypass authentication, and modify legitimate system settings, so the access survives firmware updates and reboots. The practical consequence is that installing the patch for the original vulnerability does not evict an attacker who is already in.
According to Ars Technica, the researchers say this method "enables long-lasting control over the routers," letting the actor quietly grow its pool of compromised devices, possibly as groundwork for a larger coordinated operation.
ViciousTrap: A Coordinated Campaign with Global Reach
GreyNoise assesses that this activity is part of a broader campaign tracked as "ViciousTrap", a name first used by cybersecurity company Sekoia.
Internet-wide scans by network analytics provider Censys indicate that up to roughly 9,500 ASUS routers carry the backdoor.
The actor has not yet used the compromised routers for anything visible. Researchers read this as a staging phase, the calm before the storm, with the network potentially to be turned to widespread disruption or espionage later.
How to Tell If Your ASUS Router Has Been Compromised
There is no automated indicator for ordinary users; the check has to be done by hand:
- Log in to your router's administration interface
- Open the SSH configuration
- Check whether SSH is enabled and whether its port is set to 53282, the non-standard port the attackers use
- Look in the authorized keys for an entry beginning with: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ...
- If you find that key, remove it and disable SSH (or restore your own settings) immediately. Since a firmware update alone does not remove the backdoor, the safe course is a factory reset followed by reconfiguring the router by hand, then installing the current firmware.
Additionally, check your router's logs and firewall for connections involving the following IP addresses, which GreyNoise associates with the campaign:
- 101.99.91.151
- 101.99.94.173
- 79.141.163.179
- 111.90.146.237
To reduce risk, keep your router's firmware up to date regardless of brand, and enable automatic updates where available. Disable remote management (WAN-side access to the admin interface and SSH) unless you genuinely need it, change default passwords, and consider a firewall or network monitoring tool that can flag unexpected inbound connections or new listening ports. Bear in mind that on an already-compromised device these steps reduce future exposure but do not remove the existing backdoor.
ⓒ 2025 TECHTIMES.com All rights reserved. Do not reproduce without permission.