A critical flaw in ASUS routers: thousands of devices compromised in a stealth campaign

|

|

Since March 2025, a highly covert hacking campaign has been targeting ASUS routers exposed to the Internet. The cybersecurity firm GreyNoise recently revealed that thousands of these devices had been infected without leaving any visible traces. The level of sophistication of the attacks suggests a highly experienced group, possibly even a state-sponsored one. The goal appears to be…



Since March 2025, a very discreet hacking campaign has been targeting ASUS routers exposed on the Internet. The cybersecurity company GreyNoise recently revealed that thousands of these devices had been infected without leaving any visible traces. The level of sophistication of the attacks suggests a highly experienced, even state-run group. The aim appears to be classic: to build up a botnet.

🛡️ When it comes to websites, don't forget the importance of hosting your web services with a secure host, like LRob, which protects your data far beyond the basic infrastructure.


In a nutshell: what you need to know

  • Nearly 9,000 ASUS routers are now compromised.
  • The attack allows persistent access, even after reboot or firmware update.
  • No malware is used: official router functions are bypassed.
  • The aim: to create a botnet, or phantom network machines under control, potentially for future attacks.
  • The vulnerabilities used combine brute-force, authentication bypass and control injection.
  • ASUS has published a partial correction, but routers that have already been compromised remain vulnerable.

1. How the pirates took control

GreyNoise researchers have identified several methods used to gain initial access to routers:

  • Brute force login attempts, using simple or default identifiers.
  • Two authentication flaws undocumented (no CVE).
  • Exploiting a known vulnerability : CVE-2023-39780, which allows system commands to be executed on the router.

2. Long-lasting, silent access

Once inside, the pirates leave nothing to chance. no malware. They activate access SSH on an unusual port (TCP/53282), then insert their own SSH public key, which gives them unlimited remote access.

These changes are saved in the non-volatile memory (NVRAM) router - they survive reboots and firmware updates.

The pirates' probable aim: to build up a botnet of routers, i.e. a set of devices available to carry out various subsequent attacks.


3. A campaign designed to go unnoticed

One of the strengths of this operation is its extreme discretion :

  • Visit system logs are disabled, preventing any local trace.
  • Modifications are made via official ASUS interfaces, which makes them even more difficult to detect.
  • Only 30 suspicious requests detected in 3 months by GreyNoise.

4. What should I do if I'm using an ASUS router?

GreyNoise recommends several immediate actions:

  1. Check for SSH access on the port 53282.
  2. Check authorized SSH keys on your router (file authorized_keys).
  3. Block IP addresses below:
    • 101.99.91.151
    • 101.99.94.173
    • 79.141.163.179
    • 111.90.146.237
  4. If in doubt : reset router to factory settings, then reconfigure it manually.

5. Has ASUS corrected the flaw?

Yes, ASUS has released a firmware update to correct CVE-2023-39780 and other unlisted flaws. However, we, devices already compromised remain vulnerable if the malicious SSH configuration is not deleted manually.


An important reminder about infrastructure safety

This attack shows the extent to which connected devices can become invisible entrance doors for large-scale piracy campaigns.

At LRob, high-security web host, We believe that security should never be an option. Our infrastructures are monitored 24/7, segmented, hardened, and our customers benefit from multiple layers of defense for avoid this type of compromise.


Sources

Full analysis on the GreyNoise website :
https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers

GreyNoise technical study:
https://www.labs.greynoise.io/grimoire/2025-03-28-ayysshush/

Categories

Web hosting

Succeed on the web

Safety, performance, simplicity.
The best tools to serve you.

Nextcloud hosting

Nextcloud

The best free collaborative suite

Maintenance included

Webmaster and WordPress Specialist

WordPress Website Management

Webmaster WordPress specialist in Orleans

Entrust your site to a WordPress security and maintenance expert

Repairing Hacked WordPress Sites

angry-hacker-pirate

Has your WordPress site been hacked?

Repair and long-term security for your WordPress site.