Botnet hacks 9,000+ ASUS routers to add persistent SSH backdoor

Gandalf_The_Grey

Gandalf_The_Grey

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
Apr 24, 2016
7,757
6
82,472
8,389
54
The Netherlands
Content source
https://www.bleepingcomputer.com/news/security/botnet-hacks-9-000-plus-asus-routers-to-add-persistent-ssh-backdoor/
Over 9,000 ASUS routers are compromised by a novel botnet dubbed "AyySSHush" that was also observed targeting SOHO routers from Cisco, D-Link, and Linksys.

The campaign was discovered by GreyNoise security researchers in mid-March 2025, who reports that it carries the hallmarks of a nation-state threat actor, though no concrete attributions were made.

The threat monitoring firm reports that the attacks combine brute-forcing login credentials, bypassing authentication, and exploiting older vulnerabilities to compromise ASUS routers, including the RT-AC3100, RT-AC3200, and RT-AX55 models.

Specifically, the attackers exploit an old command injection flaw tracked as CVE-2023-39780 to add their own SSH public key and enable the SSH daemon to listen on the non-standard TCP port 53282. This modifications allow the threat actors to retain backdoor access to the device even between reboots and firmware updates.

"Because this key is added using the official ASUS features, this config change is persisted across firmware upgrades," explains another related report by GreyNoise.

"If you've been exploited previously, upgrading your firmware will NOT remove the SSH backdoor."
Click to expand...
If a compromise is suspected, a factory reset is recommended to clean the router beyond doubt and then reconfigure it from scratch using a strong password.
Click to expand...
www.bleepingcomputer.com

Botnet hacks 9,000+ ASUS routers to add persistent SSH backdoor

Over 9,000 ASUS routers are compromised by a novel botnet dubbed "AyySSHush" that was also observed targeting SOHO routers from Cisco, D-Link, and Linksys.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • Wow
  • +Reputation
Reactions: Trident, Mndgs, Brownie2019 and 8 others
"Because this key is added using the official ASUS features, this config change is persisted across firmware upgrades," explains another related report by GreyNoise.

This means even reinstallment of firmware will not remove the infection and the only solution is to get a new router.
 
  • Like
Reactions: Khushal
Parkinsond said:
"Because this key is added using the official ASUS features, this config change is persisted across firmware upgrades," explains another related report by GreyNoise.

This means even reinstallment of firmware will not remove the infection and the only solution is to get a new router.
Click to expand...
Not exactly, it persists across upgrades. But it doesn’t persist across factory resets. Also this isn’t even new. The CVE is from 2023, and the vulnerabilities used to brute force access are old and have been fixed for a while.

RMerlin knows what he’s talking about:
www.snbforums.com

“GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers”

Yet another one, or did we already know about this one? https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers
www.snbforums.com www.snbforums.com
 
  • +Reputation
  • Thanks
  • Like
Reactions: Trident, Khushal and Parkinsond
You must log in or register to reply here.

You may also like...