News 9,000 Asus routers compromised by botnet attack and persistent SSH backdoor that even firmware updates can't fix

Come on....
The backdoor evades detection
That's just painfully wrong. The attackers turned on SSH on a specific port, created an additional login and turned off security functions. Those are all VERY detectable.

The ACTUAL information from GreyNoise says
router logging is disabled to evade detection.
You could say "the attackers took steps to try and avoid detection".

And then this:
and survives firmware updates
It might be more honest to say "The most recent ASUS firmware does not remove the attackers' access to systems."

An ASUS firmware patch (in addition to fixing the original 'undocumented authentication bypass technique') can simply re-disable SSH, nuke any SSH keys, and then turn off/on anything that was part of the deployment package in this attack. Patch notes "if you had previously enabled ssh, added your own SSH keys, enabled remote access, disabled the security features on your router, you'll need to do that again."
 
This is TH that excels in inaccurate scaremongering, which helps make clicks for TH's advertising machine.

TH stopped being a reliable news source years ago and is now just a minor content platform for advertising!!
 
Thank you.

I'm running an Asus AX88U Pro but with merlin firmware.

I do have SSH enabled, but only for the local LAN and not for external access, which is a security risk. Decided to check active sessions anyway for any activity on TCP 53282 and found nothing. So I'm good.
 
So....the blog post discusses that it's actually very quiet because the bad guy is building an army and waiting. Traffic/open sessions isn't the issue. Scan the interface and see if that port is open.
 
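As an added example (not code from this thread, ASUS or GreyNoise), here is a Python check for the indicators the first post lists (SSH reachable from the WAN side on an unusual port, an extra SSH key, logging switched off) plus the port probe the reply above suggests. The setting names sshd_enable, sshd_wan, sshd_port and log_enable, the allowlist and the sample data are assumptions constructed for the example.

```python
import socket

# Constructed Asus-style key=value settings dump. The key names are assumptions
# for this example (not verified nvram names); values mirror the post's indicators.
SAMPLE_SETTINGS = """\
sshd_enable=1
sshd_wan=1
sshd_port=53282
log_enable=0
"""
# Constructed authorized_keys content: one key the owner recognises, one not.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3-owner-laptop-key owner@laptop
ssh-rsa AAAAB3-unrecognised-key
"""
# Allowlist of (key type, key blob) pairs the owner installed deliberately.
KNOWN_KEYS = {("ssh-ed25519", "AAAAC3-owner-laptop-key")}

def parse_settings(text):
    """Parse key=value lines into a dict; blank or malformed lines are skipped."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def unknown_keys(authorized_keys, known=KNOWN_KEYS):
    """Return authorized_keys lines whose (type, blob) is not on the allowlist."""
    return [line for line in authorized_keys.splitlines()
            if len(line.split()) >= 2 and tuple(line.split()[:2]) not in known]

def audit(settings, authorized_keys, expected_port=22):
    """Flag the persistence indicators the post lists; returns readable findings."""
    findings = []
    if settings.get("sshd_enable") == "1":
        if settings.get("sshd_wan") == "1":
            findings.append("ssh reachable from WAN")
        port = settings.get("sshd_port", str(expected_port))
        if port != str(expected_port):
            findings.append(f"ssh on unexpected port {port}")
    findings += [f"unrecognised authorized key: {k}" for k in unknown_keys(authorized_keys)]
    if settings.get("log_enable") == "0":
        findings.append("router logging disabled")
    return findings

def port_open(host, port, timeout=2.0):
    """TCP connect check: run it against the router's LAN and WAN addresses."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `audit(parse_settings(SAMPLE_SETTINGS), SAMPLE_AUTHORIZED_KEYS)` to see all four findings for the constructed sample; on a real router, feed it your own settings dump and authorized_keys and call `port_open(router_wan_ip, 53282)` from outside the LAN.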
Yeah, I got that vibe, I haven't been here in years and hadn't realized it had gotten so bad.
 
The main issue with all of this is that despite all these repeated failures, other sites/people that seemingly try to keep their standards up do not realize TH is garbage and keep citing/quoting TH without fact-checking it, making it seem like the "authoritative" source of tech news, even repeating the same errors TH makes.

This in return probably makes TH staff think they are not doing anything bad/wrong; instead they think the ones in the wrong are their readers. It's a vicious cycle.
 
I am not so sure how much TH staff is really left. Most articles that are actually written by TH employees I don't have many issues with. Some of the testing articles are very impressive.

A massive amount of TH content is written by independent self-proclaimed "journalists". AI could do better than some of them, when all they do is summarize articles published someplace else. Then again, a huge number of people only read the headline, and even if they read the article they will not check to see if the original source of the information really matches the article.
 
Accessing an ASUS router's menu from an external IP is disabled by default. Unless somebody had a need to enable it (which is not a smart thing to do unless you have some extremely compelling reason to do so), the attacker would have to physically be inside your house. Also, if you enter the wrong password too many times, the router will lock you out for a period of time, to prevent brute-force attacks. This "waiting" period for the router to unlock itself would make the exploit take a few thousand years to break in.

Like others said. TH Scaremongering.
 
A new Asus router has "WAN access restrictions" turned ON.

That would mean the 9,000 Asus routers that have been hacked are doing something unusual that 99.9% of retail consumers would not do. The article is total BS.
 