Security researchers at GreyNoise have spotted a new botnet that seeks to fly under the radar, AyySSHus. The campaign has already compromised more than 9,000 Asus routers. As part of an ongoing "exploitation campaign", the attackers have gained "unauthorized and persistent access" to thousands of devices.
According to the GreyNoise report, all of these devices were compromised with the aim of setting up "a future botnet", a network of zombie routers. It is unclear what purpose this growing botnet will serve. However, a malicious script was downloaded and executed on one of the compromised devices. This script was injected with the aim of redirecting network traffic to devices that the attacker controls remotely.

Persistent access to compromised routers

To achieve their goals, the cybercriminals rely on brute force attacks, which consist of trying a multitude of login credentials until the correct one is found, and on several old vulnerabilities. In particular, the attackers exploit a command injection flaw affecting several Asus router models, including the RT-AX55. This vulnerability allows a cybercriminal to force the router to execute instructions it is not supposed to accept. They can then install the backdoor, which gives them persistent access to the device. Even if the router is rebooted or its software is updated, the attacker retains control of the router: the backdoor is stored in the router's NVRAM (Non-Volatile Random Access Memory), which software updates do not overwrite. The attacker "maintains long-term access without using malware or leaving obvious traces."
According to GreyNoise experts, the attacks orchestrated by AyySSHus are linked to recent discoveries by researchers at Sekoia. The French researchers have identified a large-scale campaign targeting Asus routers in particular. Referred to as "ViciousTrap," the operation also targets Asus routers and exploits the same security flaw. The attackers are targeting other devices as well, such as BMCs (Baseboard Management Controllers) from D-Link, Linksys, QNAP, and Araknis Networks, or SOHO (small office/home office) routers.
What to do if hacked?
Good news: Asus has fixed the vulnerability exploited by the attackers. The manufacturer has deployed a patch for all affected ASUS RT-AX55 models. We strongly recommend that all users update their routers as soon as possible.
Next, check whether TCP port 53282 is open. This port can be used for an SSH connection, which allows remote control of the device. If you have never enabled this feature, someone else may have done so without your consent. Also take a look at the authorized_keys file, which contains the list of keys authorized for SSH connections. If an unknown key appears in this file, remote access has been added without your consent.
If you suspect your router has been hacked, you will need to perform a factory reset: installing the patch alone will not get rid of the backdoor. Then reconfigure the device manually. Finally, GreyNoise advises blocking the IP addresses linked to the botnet, namely 101.99.91[.]151, 101.99.94[.]173, 79.141.163[.]179 and 111.90.146[.]237.
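The two checks described above (is TCP port 53282 reachable, and does authorized_keys contain a key the owner does not recognise) plus a search of router logs for the four addresses listed in the article can be scripted from an admin workstation. The following is an added example written for this page; it is not code from GreyNoise, Sekoia or Asus. It assumes Python 3 on the admin host and that you have already copied the router's authorized_keys file and a log extract to that host. The owner key, the unknown key and the log lines are constructed sample data, and the fingerprint format follows OpenSSH's SHA256 style so you can compare against `ssh-keygen -lf` output.

```python
import base64
import hashlib
import re
import socket
import struct
import sys

SUSPECT_PORT = 53282  # TCP port named in the GreyNoise report

# Addresses listed in the article, kept in defanged form as published
BOTNET_IPS_DEFANGED = [
    "101.99.91[.]151", "101.99.94[.]173", "79.141.163[.]179", "111.90.146[.]237",
]


def refang(indicator):
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable IP."""
    return indicator.replace("[.]", ".")


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Parse authorized_keys content into one dict per non-comment line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # A line may start with options (command="...", from="...") before the
        # key type, so locate the first field that looks like a key type.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        try:
            fp = fingerprint(fields[idx + 1])
        except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        entries.append({"line": lineno, "malformed": False, "type": fields[idx],
                        "fingerprint": fp, "comment": " ".join(fields[idx + 2:]),
                        "options": " ".join(fields[:idx]), "raw": line})
    return entries


def unknown_keys(text, allowed_fingerprints):
    """Entries not in the owner's fingerprint allowlist, plus lines that do not parse."""
    allowed = set(allowed_fingerprints)
    return [e for e in parse_authorized_keys(text)
            if e["malformed"] or e["fingerprint"] not in allowed]


def port_open(host, port=SUSPECT_PORT, timeout=2.0):
    """True if a TCP connection to host:port succeeds (listener present)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ioc_hits(log_lines, defanged_ips):
    """Return (line number, ip, line) for each log line mentioning a listed IP."""
    # Lookarounds stop 101.99.91.151 from matching inside 1101.99.91.1510.
    patterns = [(ip, re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])"))
                for ip in map(refang, defanged_ips)]
    return [(n, ip, line) for n, line in enumerate(log_lines, 1)
            for ip, pat in patterns if pat.search(line)]


# --- constructed sample data (not taken from any real device) -------------

def _fake_ed25519_blob(seed):
    """Structurally valid ssh-ed25519 blob whose 32 key bytes are a hash of
    the seed: it parses like a real key but is not one."""
    key = hashlib.sha256(seed).digest()
    body = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return base64.b64encode(body).decode()


OWNER_KEY = _fake_ed25519_blob(b"owner-laptop")
ROGUE_KEY = _fake_ed25519_blob(b"constructed-unknown-key")

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
ssh-ed25519 {OWNER_KEY} owner@laptop
ssh-ed25519 {ROGUE_KEY}
ssh-rsa not-a-key-blob
"""

SAMPLE_LOG = """sshd: Accepted publickey for admin from 192.168.1.20 port 51234
sshd: Accepted publickey for admin from 101.99.91.151 port 44022
kernel: OUT=eth0 SRC=192.168.1.1 DST=79.141.163.179
"""

if __name__ == "__main__":
    # Usage: python check_router.py <router-ip> [authorized_keys path]
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    print(f"TCP {SUSPECT_PORT} open on {host}: {port_open(host)}")
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_AUTHORIZED_KEYS
    for e in unknown_keys(text, [fingerprint(OWNER_KEY)]):
        print("review line", e["line"], ":", e["raw"])
    for n, ip, line in ioc_hits(SAMPLE_LOG.splitlines(), BOTNET_IPS_DEFANGED):
        print(f"log line {n} mentions {ip}: {line}")
```

A reachable port 53282 is a reason to inspect the device, not proof of compromise, since the owner may have enabled SSH on that port themselves; the authorized_keys comparison is the stronger signal, which is why the allowlist holds fingerprints the owner can verify with `ssh-keygen -lf` against their own public keys. Lines that fail to parse are reported too, because a hand-edited file is itself worth a look.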
Source: Greynoise