ASUS Routers Are Being Pwned By The Thousands… Here’s What You Need To Know
Security firm GreyNoise has reported that thousands of ASUS routers are being hit with a stealthy backdoor that can survive reboots and firmware updates, which makes it really, really dangerous.
Here’s what you need to know via GreyNoise:
- Thousands of ASUS routers are confirmed compromised, with the number steadily increasing.
- Attackers gain access using brute-force login attempts and authentication bypasses, including techniques not assigned CVEs.
- Attackers exploit CVE-2023-39780, a command injection flaw, to execute system commands.
- They use legitimate ASUS features to:
  - Enable SSH access on a custom port (TCP/53282).
  - Insert an attacker-controlled public key for remote access.
- The backdoor is stored in non-volatile memory (NVRAM) and is therefore not removed during firmware upgrades or reboots.
- No malware is installed, and router logging is disabled to evade detection.
- The techniques used reflect long-term access planning and a high level of system knowledge.
Besides all of that, there’s this little tidbit from GreyNoise:
“Disclosure deferred as we coordinated the findings with government and industry partners.”
That implies, but does not confirm, that a nation state is behind this attack. That isn’t good.
So how do you protect yourself? If you’re an ASUS user, you need to check whether your router has been compromised. GreyNoise recommends the following:
- Check ASUS routers for SSH access on TCP/53282.
- Review the authorized_keys file for unauthorized entries.
- Block access to these four IP addresses: 101.99.91.151, 101.99.94.173, 79.141.163.179, 111.90.146.237
- If compromise is suspected, perform a full factory reset and reconfigure manually.
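The first three checks above, worked through as an added example (this is not GreyNoise’s or ASUS’s tooling, and the function names are my own): it fingerprints each authorized_keys entry the way `ssh-keygen -lf` does so you can compare against the keys you actually installed, parses `netstat -tln` output for a listener on TCP/53282, and searches a log or rule dump for the four IPs GreyNoise lists. The two keys and the netstat output are constructed sample data, not captures from a real router.

```python
import base64
import hashlib
import re

SUSPECT_SSH_PORT = 53282                      # backdoor port named by GreyNoise
IOC_IPS = {"101.99.91.151", "101.99.94.173",  # the four IPs from the advisory
           "79.141.163.179", "111.90.146.237"}

def fingerprint(key_line):
    """OpenSSH SHA256 fingerprint of one authorized_keys line (as `ssh-keygen -lf` prints it)."""
    tokens = key_line.split()
    # Skip any leading options (e.g. from="...") and take the base64 blob after the key type.
    idx = next(i for i, t in enumerate(tokens) if t.startswith(("ssh-", "ecdsa-", "sk-")))
    digest = hashlib.sha256(base64.b64decode(tokens[idx + 1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unknown_keys(authorized_keys_text, trusted_fingerprints):
    """Lines of authorized_keys whose fingerprint is not in the owner's trusted set."""
    flagged = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and fingerprint(line) not in trusted_fingerprints:
            flagged.append(line)
    return flagged

def ssh_listening_on(netstat_text, port=SUSPECT_SSH_PORT):
    """True if `netstat -tln` output (run on the router) shows a TCP listener on `port`."""
    row = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN")
    return any(int(m.group(1)) == port
               for m in map(row.match, netstat_text.splitlines()) if m)

def ioc_hits(text):
    """Advisory IPs that appear in a firewall log or rule dump (sorted, deduplicated)."""
    return sorted(ip for ip in IOC_IPS if ip in text)

def _fake_ed25519(seed):
    """Constructed, syntactically valid ed25519 public key; NOT a real key."""
    body = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return "ssh-ed25519 " + base64.b64encode(body).decode()

# Constructed sample inputs: one key the owner installed, one that was not.
MY_KEY = _fake_ed25519(b"owner laptop") + " me@laptop"
ROGUE_KEY = _fake_ed25519(b"not the owner") + " backup"
SAMPLE_AUTHORIZED_KEYS = MY_KEY + "\n" + ROGUE_KEY + "\n"
SAMPLE_NETSTAT = (
    "Proto Recv-Q Send-Q Local Address  Foreign Address  State\n"
    "tcp        0      0 0.0.0.0:80     0.0.0.0:*        LISTEN\n"
    "tcp        0      0 :::53282       :::*             LISTEN\n"
)
```

Run `unknown_keys(open("authorized_keys").read(), {fingerprint(k) for k in your_keys})` against the file pulled from the router; any line it returns is one you did not install.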
Personally, if you’re the least bit paranoid, or you discover that you’ve been pwned, I would just factory reset the router and reconfigure it manually. I will also note that ASUS has patched many of the vulnerabilities that these threat actors are using. So if you haven’t applied the latest firmware updates to your ASUS router, you should. But my advice would be to do that AFTER you confirm that you haven’t been pwned.
UPDATE: Wade Ellery, Field CTO, Radiant Logic had this comment:
“This is a textbook example of why identity observability and infrastructure hygiene need to converge. Even something as mundane as a router becomes a strategic asset once it gains long-term identity in a threat actor’s infrastructure. Organizations must treat devices as identities—tracked, verified, and assessed for risk just like users. Observability tools that focus solely on app layers or human actors will miss campaigns like this. Real-time identity-aware telemetry across all assets, including IoT and edge devices, is essential for reducing dwell time and ensuring true Zero Trust enforcement.”
Debbie Gordon, CEO and Founder, Cloud Range adds this:
“This campaign highlights a dangerous shift in attacker strategy—from quick hits to long-haul persistence. AyySSHush’s ability to survive factory resets and firmware updates is a wake-up call: edge devices like routers are no longer low-value targets. In our cyber training environments, we stress layered response—not just patching, but validating assumptions about device integrity and persistence. Too often, routers are treated as ‘set-and-forget’ systems. That mindset is outdated and risky. These devices are now prime footholds for stealthy, scalable attacks.”