
Thousands of ASUS routers have been compromised in an intrusion campaign: restarting them does not eliminate the threat


A new intrusion campaign has put several models of ASUS routers in jeopardy. According to GreyNoise, a company specialized in cybersecurity, at least three different devices have been exploited by an actor that is "highly trained and with sufficient resources."

Sophisticated threats are usually aimed at very specific targets, but this campaign follows a broader pattern. Researchers have already detected about 9,000 compromised devices and say the number continues to grow. It is believed the attackers could be laying the groundwork for a future botnet, a key component of DDoS attacks.

Persistent access without malware

The attackers gain initial access through brute-force techniques and evasion strategies that do not yet have a CVE identifier. In cybersecurity, a CVE (Common Vulnerabilities and Exposures) is a standard reference used to publicly catalog known vulnerabilities.


After that first step, the attackers exploit a specific, already documented vulnerability, identified as CVE-2023-39780, to execute arbitrary commands and modify the router configuration from within.

The objective is not to install a traditional virus or spyware but something subtler: to open a remote backdoor. To do this, they enable SSH access on a specific port (TCP/53282) and insert their own public key into NVRAM, a type of internal storage that is not erased by restarting the router or by updating its firmware. In this way, the attacker's access persists over time without leaving obvious signs.

The researchers have replicated the attack on several specific models, including the ASUS RT-AC3100, RT-AC3200 and RT-AX55. This is not an official list of compromised devices but an indication of which models could be in the crosshairs. For now, it is not ruled out that other models are also exposed.

Indicators of compromise

GreyNoise has not officially attributed the campaign to any specific group. However, it points out that the techniques used (abuse of legitimate system functions, disabling of activity logs and the absence of visible malware) are typical characteristics of very elaborate attacks planned over the long term.

These types of operations are usually linked to so-called APTs, an acronym for Advanced Persistent Threat. These are cyber-actor groups that operate with advanced technical means, great discretion and very well-defined objectives, often related to strategic or governmental interests.

The finding was made last March 18 thanks to SIFT, an analysis tool developed by GreyNoise. Publication of the details was intentionally delayed to allow coordination with public agencies and companies in the sector before making it public.

How to know if your router has been compromised

ASUS has fixed vulnerability CVE-2023-39780 in a recent firmware update. However, if the device was compromised before that patch was applied, the remote access can remain active.

GreyNoise offers a series of steps that can help detect whether a router has been affected, although some of them can be complex for those who are not familiar with technical concepts or not at ease with advanced device configuration. Even so, it is worth knowing them:

  • Access your router's configuration and verify whether SSH access is enabled on port TCP/53282.
  • Check the file called authorized_keys, since it could contain an unauthorized public key.
  • Block these IP addresses associated with the campaign: 101.99.91.151, 101.99.94.173, 79.141.163.179 and 111.90.146.237.
  • If you suspect your device is affected, perform a full factory reset and configure it manually.
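The first three checks can be automated against an NVRAM dump and a connection log. The script below is an added example written for this article, not code from GreyNoise or ASUS; the NVRAM variable names sshd_enable, sshd_port and sshd_authkeys, the use of '>' as a key separator, and the sample dump and log lines are assumptions constructed for illustration.

```python
import re

# Indicators quoted in the article.
SUSPECT_SSH_PORT = "53282"
CAMPAIGN_IPS = {"101.99.91.151", "101.99.94.173",
                "79.141.163.179", "111.90.146.237"}

# Assumed NVRAM variable names (ASUSWRT convention); confirm them against
# the output of `nvram show` on your own firmware before relying on this.
VAR_SSH_ENABLE, VAR_SSH_PORT, VAR_SSH_KEYS = "sshd_enable", "sshd_port", "sshd_authkeys"

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_nvram(dump: str) -> dict:
    """Parse key=value lines in the style of `nvram show`; skip anything else."""
    nv = {}
    for line in dump.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            nv[key.strip()] = value.strip()
    return nv


def check_router(dump: str, trusted_keys: set) -> list:
    """Return the persistence indicators found in an NVRAM dump."""
    nv = parse_nvram(dump)
    findings = []
    if nv.get(VAR_SSH_ENABLE, "0") != "0" and nv.get(VAR_SSH_PORT) == SUSPECT_SSH_PORT:
        findings.append("ssh enabled on TCP/" + SUSPECT_SSH_PORT)
    # Assumption: several keys are stored in one value, joined with '>' (or newlines).
    for key in re.split(r"[>\n]", nv.get(VAR_SSH_KEYS, "")):
        key = " ".join(key.split())  # normalise whitespace before comparing
        if key and key not in trusted_keys:
            findings.append("untrusted ssh key: " + key)
    return findings


def campaign_ip_hits(log_lines) -> list:
    """Return log lines that mention one of the campaign's source IPs (exact match)."""
    return [line for line in log_lines if set(IPV4.findall(line)) & CAMPAIGN_IPS]


# Constructed sample data (not real router output); key bodies are placeholders.
SAMPLE_DUMP = """sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-ed25519 AAAAC3OWNERKEYPLACEHOLDER owner@home>ssh-rsa AAAAB3UNKNOWNKEYPLACEHOLDER
wan_ipaddr=203.0.113.10"""
TRUSTED = {"ssh-ed25519 AAAAC3OWNERKEYPLACEHOLDER owner@home"}
SAMPLE_LOG = ["dropbear: Child connection from 101.99.91.151:44122",
              "dropbear: Child connection from 192.0.2.7:51000"]

if __name__ == "__main__":
    for finding in check_router(SAMPLE_DUMP, TRUSTED) + campaign_ip_hits(SAMPLE_LOG):
        print("FINDING:", finding)
```

A clean device yields no findings; any hit on the SSH port or an unknown key is the cue for the factory reset described in the last step.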

The scale of the attack and its ability to remain hidden reinforce a key lesson: the security of home routers should not be taken for granted. Although in this case no malware has been installed, the attackers have left a door open.

We have contacted ASUS to request comment on this campaign and to find out whether they plan to offer additional measures or recommendations. This article will be updated if we receive an official response.

Images | Freepik | Asus

In Xataka | Alcasec is not just any young hacker: he set up a Spanish criminal infrastructure that even had a customer service bot



The news "Thousands of ASUS routers have been compromised in an intrusion campaign: restarting them does not eliminate the threat" was originally posted in Xataka by Javier Marquez.

