
Thousands of ASUS home and business routers are the target of a cyber attack that installs a persistent backdoor, according to security researchers. The breach gives attackers full administrative control of the device, and that control survives reboots and firmware updates.

The campaign, discovered by GreyNoise, was first observed in March this year. Researchers estimate that about 9,000 routers worldwide have been compromised so far, and the number of infected devices continues to grow.

Administrative access that survives updates

The attacks exploit vulnerabilities that ASUS has already patched, although some of these flaws have not even been officially registered in the CVE system. After gaining administrative access, the attacker adds an SSH public key to the router, allowing unattended remote logins through key-based authentication.

GreyNoise reported that the intrusion method abuses authentication flaws and legitimate configuration features, without deploying malware that could be easily detected. The company notes that this technique gives long-term control without leaving obvious traces.

In a statement, the researchers explain:

The attacker's access survives both reboots and firmware updates, maintaining stable control of the affected devices.

Possible involvement of state actors

Although there is still no evidence of direct malicious activity from the compromised routers, GreyNoise believes the attack is part of an effort to build a base of vulnerable devices for future use, such as espionage or botnets.

The fact that the company waited to publish its findings until after alerting government agencies suggests that the attack may originate from groups with state connections. According to Sekoia, another cybersecurity company that also investigated the case, the group responsible has been nicknamed ViciousTrap.


How to identify whether your router is compromised

Users can check whether they were affected by reviewing the SSH settings in the router's management panel.

Compromised devices will have port 53282 enabled for SSH access and will show a public key beginning with:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ…

In addition, access log entries from the following IPs may indicate the attacker's presence:

  • 101.99.91[.]151
  • 101.99.94[.]173
  • 79.141.163[.]179
  • 111.90.146[.]237

How to remove the backdoor and protect the router

The immediate recommendation for ASUS router users is to open the settings and manually remove the SSH public key and the port forwarding entry. Although ASUS has already patched the flaws used by the attackers, this persistent access is not removed automatically.

To prevent further attempts, keep the router firmware up to date and periodically review the security settings, especially those related to remote access and administrator passwords.

Step 1: Open the router administration panel

  1. Connect your computer to the router's network (via cable or Wi-Fi).
  2. Open a browser and enter http://192.168.1.1 or http://router.asus.com in the address bar. Note that this address may differ depending on your network settings.
  3. Enter your administrator username and password. If you have never changed these credentials, the default is usually:
    • User: admin
    • Password: admin

Important: If you cannot access the panel or have forgotten your credentials, see the router manual or the official ASUS website for reset instructions.

Step 2: Check whether the SSH service is enabled on port 53282

  1. In the side menu, click “Administration” and then the “System” tab.
  2. Look for the “Service” section (the label may vary between firmware versions).
  3. Check whether “SSH Access” is enabled.
  4. If it is enabled, note the configured port. If it is 53282, this indicates a possible infection.

Step 3: Check for the malicious SSH key

  1. Still in the SSH settings section, look for the authorized public key entries.
  2. If you find a key that starts with ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ... this confirms the presence of the backdoor.

Step 4: Remove the SSH key and disable the service

  1. Delete the malicious SSH key identified in the previous step.
  2. Disable the SSH service or change the port to a number other than 53282.
  3. Save the changes and reboot the router.

Step 5: Update the router firmware

  1. In the administration panel, go to “Administration” > “Firmware Update”.
  2. Click “Check” to look for available updates.
  3. If an update is available, follow the on-screen instructions to install it.

Although the firmware update fixes the known vulnerabilities, it does not remove the backdoor if the router is already compromised. It is therefore essential to perform the previous steps.

Step 6: Consider a factory reset

If, after following the steps above, you still suspect that the router is compromised, a factory reset is recommended:

  1. Press and hold the reset button on the back of the router for about 10 seconds, until the lights blink.
  2. Wait for the router to restart completely.
  3. Set up the router again, choosing a new administrator password and adjusting the settings as needed.

Attention: Do not restore backups of previous settings, as they can reintroduce the malicious SSH key.

Step 7: Monitor for suspicious connections

Check the router logs for connections from the following IP addresses associated with the attack:

  • 101.99.91.151
  • 101.99.94.173
  • 79.141.163.179
  • 111.90.146.23

If you detect activity from these IPs, block them in the router's firewall settings.
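The checks in Steps 2, 3 and 7 can also be run against an exported settings file and a saved log, which is useful when auditing several routers. The script below is an added example, not code from the article, GreyNoise or ASUS; the setting names `sshd_enable`, `sshd_port` and `sshd_authkeys`, the `>` key separator and the sample settings and log lines are assumptions constructed for the illustration.

```python
import re

# Indicators quoted in the article above: the backdoor SSH port, the start of
# the attacker's public key (only this prefix is published) and the source IPs.
MALICIOUS_KEY_PREFIX = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ"
BACKDOOR_SSH_PORT = "53282"
SUSPICIOUS_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}
# Assumed setting names for an nvram-style "name=value" export (hypothetical).
KEY_ENABLE, KEY_PORT, KEY_AUTHKEYS = "sshd_enable", "sshd_port", "sshd_authkeys"
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_settings(text):
    """Parse 'name=value' lines into a dict, ignoring blanks and comments."""
    settings = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, _, value = line.partition("=")
            settings[name.strip()] = value.strip()
    return settings

def check_ssh_settings(settings):
    """Return the article's SSH indicators found in the parsed settings."""
    findings = []
    if settings.get(KEY_ENABLE, "0") != "0" and settings.get(KEY_PORT) == BACKDOOR_SSH_PORT:
        findings.append("SSH enabled on port " + BACKDOOR_SSH_PORT)
    # Several keys may share one value; assume '>' or newline separators.
    for key in re.split(r"[>\n]", settings.get(KEY_AUTHKEYS, "")):
        if key.strip().startswith(MALICIOUS_KEY_PREFIX):
            findings.append("authorized key matches the backdoor key prefix")
            break
    return findings

def suspicious_log_lines(log_text):
    """Return (ip, line) pairs for log lines that mention a listed IP."""
    hits = []
    for line in log_text.splitlines():
        for ip in IP_RE.findall(line):
            if ip in SUSPICIOUS_IPS:
                hits.append((ip, line.strip()))
    return hits

# Constructed sample data (not real device output) for a compromised router.
SAMPLE_SETTINGS = """sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZFAKEREST== x
"""
SAMPLE_LOG = """May 20 03:14:07 dropbear[1234]: Password auth succeeded for 'admin' from 101.99.91.151:50412
May 20 03:15:01 dnsmasq[999]: query[A] example.com from 192.168.1.10
May 20 04:02:33 dropbear[1240]: Child connection from 79.141.163.179:44122
"""
```

A clean router yields no findings from `check_ssh_settings` and no hits from `suspicious_log_lines`; any finding means the manual steps above still need to be performed.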


Stay alert

The discovery of this attack shows the importance of rigorous cybersecurity practices, even at home. Devices such as routers, often forgotten in a corner of the house, can become valuable targets for attackers building silent control or espionage networks.

Keeping firmware up to date and monitoring for suspicious activity is therefore the most effective way to reduce risk and protect personal and corporate data.

Source: Bleeping Computer


Source: https://www.adrenaline.com.br/asus/como-resolver-brecha-de-seguranca-roteadores-asus-2025/
