Since March 2025, a very discreet hacking campaign has been targeting ASUS routers exposed to the Internet. The cybersecurity company GreyNoise recently revealed that thousands of these devices had been infected without leaving any visible trace. The sophistication of the attacks suggests a highly experienced group, possibly state-sponsored. The aim appears to be a classic one: to build a botnet.
🛡️ When it comes to websites, don't forget the importance of hosting your web services with a secure host like LRob, which protects your data far beyond the basic infrastructure.
In a nutshell: what you need to know
- Nearly 9,000 ASUS routers are now compromised.
- The attack gives persistent access, even after a reboot or firmware update.
- No malware is used: official router functions are abused instead.
- The aim: to create a botnet, a hidden network of machines under the attackers' control, potentially for future attacks.
- The techniques used combine brute force, authentication bypass and command injection.
- ASUS has published a partial fix, but routers that have already been compromised remain vulnerable.
1. How the attackers took control
GreyNoise researchers have identified several methods used to gain initial access to routers:
- Brute-force login attempts using weak or default credentials.
- Two undocumented authentication flaws (no CVE assigned).
- Exploitation of a known vulnerability, CVE-2023-39780, which allows system commands to be executed on the router.
2. Long-lasting, silent access
Once inside, the attackers leave nothing to chance, and they use no malware. They enable SSH access on an unusual port (TCP/53282), then insert their own SSH public key, which gives them unrestricted remote access.
These changes are saved in the router's non-volatile memory (NVRAM), so they survive reboots and firmware updates.
The attackers' probable aim: to build a botnet of routers, i.e. a pool of devices available to carry out various subsequent attacks.
3. A campaign designed to go unnoticed
One of the strengths of this operation is its extreme discretion:
- System logging is disabled, preventing any local trace.
- Changes are made through official ASUS interfaces, which makes them even more difficult to detect.
- GreyNoise detected only 30 suspicious requests in 3 months.
4. What should I do if I'm using an ASUS router?
GreyNoise recommends several immediate actions:
- Check whether SSH is listening on port 53282.
- Check the authorized SSH keys on your router (the authorized_keys file).
- Block the following IP addresses:
  - 101.99.91.151
  - 101.99.94.173
  - 79.141.163.179
  - 111.90.146.237
- If in doubt: reset the router to factory settings, then reconfigure it manually.
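As an added example (not code from the article or from GreyNoise), the first two checks in the list above written as shell functions and run against constructed sample data. The allowlist of your own keys, the router's authorized_keys path and the `netstat -tln` listing are assumptions you supply on a real device.

```shell
#!/bin/sh
# Added example (not from the article or GreyNoise): two offline checks that
# mirror the recommendations above. Sample data is constructed; on a real
# device feed in the router's own authorized_keys and `netstat -tln` output.

# find_unexpected_keys AUTHORIZED_KEYS ALLOWLIST
# Prints each key whose "type blob" pair (comment and option prefix ignored)
# is not listed in ALLOWLIST. Returns 1 if any unexpected key was found.
find_unexpected_keys() {
    keys="$1"; allow="$2"; found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        norm=$(printf '%s\n' "$line" | awk '{
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i " " $(i+1); exit } }')
        if [ -z "$norm" ] || ! grep -qxF -- "$norm" "$allow"; then
            printf 'UNEXPECTED KEY: %s\n' "$line"; found=1
        fi
    done < "$keys"
    return "$found"
}

# ssh_listening_on_port LISTING PORT
# Returns 0 if a LISTEN line in a netstat/ss style listing binds PORT.
ssh_listening_on_port() {
    awk -v p="$2" '/LISTEN/ && $4 ~ ("[:.]" p "$") { hit = 1 } END { exit !hit }' "$1"
}

demo() {
    tmp=$(mktemp -d)
    owner='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOwnerKey00000000000000000'
    printf '%s\n' "$owner" > "$tmp/allowlist"            # the one approved key
    printf '%s\n' "$owner owner@laptop" \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedUnknownKey000000 backup' \
        > "$tmp/authorized_keys"                          # owner key + unknown key
    printf '%s\n' 'tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN' \
        'tcp 0 0 0.0.0.0:53282 0.0.0.0:* LISTEN' > "$tmp/netstat.txt"
    find_unexpected_keys "$tmp/authorized_keys" "$tmp/allowlist" \
        || echo 'Unknown key present: remove it and rotate credentials'
    ssh_listening_on_port "$tmp/netstat.txt" 53282 \
        && echo 'SSH listener on TCP/53282: matches the reported backdoor port'
    rm -rf "$tmp"
}
demo
```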
5. Has ASUS corrected the flaw?
Yes, ASUS has released a firmware update that corrects CVE-2023-39780 and other unlisted flaws. However, devices that were already compromised remain vulnerable if the malicious SSH configuration is not removed manually.
An important reminder about infrastructure security
This attack shows how connected devices can become invisible entry points for large-scale hacking campaigns.
At LRob, a high-security web host, we believe that security should never be optional. Our infrastructure is monitored 24/7, segmented and hardened, and our customers benefit from multiple layers of defense to avoid this type of compromise.
Sources
Full analysis on the GreyNoise website:
https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers
GreyNoise technical study:
https://www.labs.greynoise.io/grimoire/2025-03-28-ayysshush/