{"id":7383,"date":"2025-06-02T12:51:06","date_gmt":"2025-06-02T10:51:06","guid":{"rendered":"https:\/\/www.lrob.fr\/?p=7383"},"modified":"2025-06-02T12:51:07","modified_gmt":"2025-06-02T10:51:07","slug":"critical-vulnerability-in-asus-routers-thousands-of-devices-compromised-in-stealth-campaign","status":"publish","type":"post","link":"https:\/\/www.lrob.fr\/en\/blog\/securite\/une-faille-critique-sur-les-routeurs-asus-des-milliers-de-dispositifs-compromis-dans-une-campagne-furtive\/","title":{"rendered":"A critical flaw in ASUS routers: thousands of devices compromised in a stealth campaign"},"content":{"rendered":"<p class=\"wp-block-paragraph\">Since March 2025, a very discreet hacking campaign has been targeting ASUS routers exposed on the Internet. The cybersecurity company <strong>GreyNoise<\/strong> recently revealed that thousands of these devices had been infected without leaving any visible traces. The level of sophistication of the attacks suggests a highly experienced, even state-run group. The aim appears to be classic: to build up a <strong>botnet<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83d\udee1\ufe0f When it comes to websites, don't forget the importance of hosting your web services with a <a href=\"https:\/\/www.lrob.fr\/en\/web-hosting\/\"><strong>secure host<\/strong> like LRob<\/a>, which protects your data far beyond the basic infrastructure.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Contents<\/h2><nav><ul><li><a href=\"#en-resume-ce-quil-faut-savoir\">In a nutshell: what you need to know<\/a><\/li><li><a href=\"#1-comment-les-pirates-ont-pris-le-controle\">1. How the hackers took control<\/a><\/li><li><a href=\"#2-un-acces-durable-et-silencieux\">2. Long-lasting, silent access<\/a><\/li><li><a href=\"#3-une-campagne-concue-pour-passer-inapercue\">3. 
A campaign designed to go unnoticed<\/a><\/li><li><a href=\"#4-que-faire-si-vous-utilisez-un-routeur-asus\">4. What should I do if I'm using an ASUS router?<\/a><\/li><li><a href=\"#5-asus-a-t-il-corrige-la-faille\">5. Has ASUS corrected the flaw?<\/a><\/li><li><a href=\"#un-rappel-important-sur-la-securite-des-infrastructures\">An important reminder about infrastructure security<\/a><\/li><li><a href=\"#pour-aller-plus-loin\">Sources<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"en-resume-ce-quil-faut-savoir\">In a nutshell: what you need to know<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Nearly <strong>9,000 ASUS routers<\/strong> are now compromised.<\/li>\n\n\n\n<li>The attack allows <strong>persistent access<\/strong>, even after a reboot or firmware update.<\/li>\n\n\n\n<li>No malware is used: official router functions are abused.<\/li>\n\n\n\n<li>The aim: to create a <strong>botnet<\/strong>, a phantom network of machines under the attackers' control, potentially for future attacks.<\/li>\n\n\n\n<li>The vulnerabilities used combine <strong>brute force<\/strong>, <strong>authentication bypass<\/strong> and <strong>command injection<\/strong>.<\/li>\n\n\n\n<li>ASUS has published a <strong>partial fix<\/strong>, but routers that have already been compromised remain vulnerable.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"1-comment-les-pirates-ont-pris-le-controle\">1. 
How the hackers took control<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">GreyNoise researchers have identified several methods used to gain initial access to the routers:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Brute-force login attempts<\/strong> using simple or default credentials.<\/li>\n\n\n\n<li><strong>Two undocumented authentication flaws<\/strong> (no CVE assigned).<\/li>\n\n\n\n<li>Exploitation of a known vulnerability, <strong>CVE-2023-39780<\/strong>, which allows system commands to be executed on the router.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"2-un-acces-durable-et-silencieux\">2. Long-lasting, silent access<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Once inside, the hackers leave nothing to chance, and they deploy <strong>no malware<\/strong>. They enable <strong>SSH<\/strong> access on an unusual port (<code>TCP\/53282<\/code>), then insert their own <strong>SSH public key<\/strong>, which gives them unrestricted remote access.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These changes are saved in the router's <strong>non-volatile memory (NVRAM)<\/strong>, so they <strong>survive reboots and firmware updates<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The hackers' probable aim: to build up a <strong>botnet<\/strong> of routers, i.e. a set of devices available to carry out various subsequent attacks.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"3-une-campagne-concue-pour-passer-inapercue\">3. 
A campaign designed to go unnoticed<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">One of the strengths of this operation is its <strong>extreme discretion<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>system logs are disabled<\/strong>, preventing any local trace.<\/li>\n\n\n\n<li>Modifications are made via <strong>official ASUS interfaces<\/strong>, which makes them even harder to detect.<\/li>\n\n\n\n<li>Only <strong>30 suspicious requests<\/strong> were detected in 3 months by GreyNoise.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"4-que-faire-si-vous-utilisez-un-routeur-asus\">4. What should I do if I'm using an ASUS router?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">GreyNoise recommends several immediate actions:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Check for SSH access<\/strong> on port <code>53282<\/code>.<\/li>\n\n\n\n<li><strong>Check the authorized SSH keys<\/strong> on your router (the <code>authorized_keys<\/code> file).<\/li>\n\n\n\n<li><strong>Block the IP addresses<\/strong> below:\n<ul class=\"wp-block-list\">\n<li><code>101.99.91.151<\/code><\/li>\n\n\n\n<li><code>101.99.94.173<\/code><\/li>\n\n\n\n<li><code>79.141.163.179<\/code><\/li>\n\n\n\n<li><code>111.90.146.237<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>If in doubt, <strong>reset the router to factory settings<\/strong>, then reconfigure it manually.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"5-asus-a-t-il-corrige-la-faille\">5. Has ASUS corrected the flaw?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Yes, <strong>ASUS has released a firmware update<\/strong> to fix CVE-2023-39780 and other unlisted flaws. 
However, <strong>devices already compromised remain vulnerable<\/strong> if the malicious SSH configuration is not removed manually.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"un-rappel-important-sur-la-securite-des-infrastructures\">An important reminder about infrastructure security<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This attack shows the extent to which connected devices can become <strong>invisible back doors<\/strong> for large-scale hacking campaigns.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At <strong><a class=\"\" href=\"https:\/\/www.lrob.fr\/en\/features\/secure-web-host-cybersecurity\/\">LRob, high-security web host<\/a><\/strong>, we believe that security should never be an option. Our infrastructures are monitored 24\/7, segmented and hardened, and our customers benefit from multiple layers of defense to <strong>avoid this type of compromise<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"pour-aller-plus-loin\">Sources<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Full analysis on the GreyNoise website:<br><a class=\"\" href=\"https:\/\/www.greynoise.io\/blog\/stealthy-backdoor-campaign-affecting-asus-routers\" target=\"_blank\" rel=\"noopener\">https:\/\/www.greynoise.io\/blog\/stealthy-backdoor-campaign-affecting-asus-routers<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">GreyNoise technical study:<br><a href=\"https:\/\/www.labs.greynoise.io\/grimoire\/2025-03-28-ayysshush\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.labs.greynoise.io\/grimoire\/2025-03-28-ayysshush\/<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>Since March 2025, a very discreet hacking campaign has been targeting ASUS routers exposed on the Internet. 
The cybersecurity company GreyNoise recently revealed that thousands of these devices had been infected without leaving any visible traces. The level of sophistication of the attacks suggests a highly experienced, even state-run group. The aim appears [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":7384,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[28],"tags":[],"class_list":["post-7383","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-securite"],"_links":{"self":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts\/7383","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/comments?post=7383"}],"version-history":[{"count":2,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts\/7383\/revisions"}],"predecessor-version":[{"id":7404,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts\/7383\/revisions\/7404"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media\/7384"}],"wp:attachment":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media?parent=7383"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/categories?post=7383"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/tags?post=7383"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}