Backdoored ASUS routers
GreyNoise Intelligence has published a report describing a backdoor campaign affecting ASUS routers. ASUS routers exposed to the public Internet are being compromised, with backdoors being installed. Once compromised, these devices are then integrated into advanced persistent threat (APT) networks.
The report indicates that initial access is gained via brute-force login attempts and two previously undisclosed authentication bypass vulnerabilities (as of writing, neither has been assigned a CVE). Once authentication has been bypassed, attackers can leverage known post-authentication vulnerabilities such as CVE-2023-39780 to execute arbitrary commands, install malicious software, and add arbitrary SSH keys.
Compromised devices appear to be running an SSH server on an unusual port, 53282.
What is the impact?
Users who see an SSH server running on this unusual port should immediately investigate to ensure it is an expected service and not an indicator of compromise.
Are any updates or workarounds available?
CVE-2023-39780, the post-authentication vulnerability, has been patched by ASUS, as have the additional authentication bypasses that are not yet assigned CVEs.
However, the backdoor SSH service and keys installed by attackers persist across firmware upgrades. Therefore, if there is any suspicion of compromise, the SSH configuration on these routers must be manually reviewed. Users should consider rotating all authentication tokens on these routers (passwords and SSH keys) and clearing affected devices' NVRAM through a factory reset (contingent on your own incident response procedures).
How do I find potentially compromised routers with runZero?
From the Service Inventory, use the following query to locate potentially impacted assets:
_asset.protocol:ssh AND protocol:ssh AND port:53282
Additionally, runZero customers who are comfortable with command-line tooling can use our open-source SSH attack simulator, SSHamble, to scan suspected hosts for the attacker’s public key:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZJ8L5mzhhaxfGzpHR8Geay/xDlVDSJ8MJwA4RJ7o21KVfRXqFblQH4L6fWIYd1ClQbZ6Kk1uA1r7qx1qEQ2PqdVMhnNdHACvCVz/MPHTVebtkKhEl98MZiMOvUNPtAC9ppzOSi7xz3cSV0n1pG/dj+37pzuZUpm4oGJ3XQR2tUPz5MddupjJq9/gmKH6SJjTrHKSECe5yEDs6c3v6uN4dnFNYA5MPZ52FGbkhzQ5fy4dPNf0peszR28XGkZk9ctORNCGXZZ4bEkGHYut5uvwVK1KZOYJRmmj63drEgdIioFv/x6IcCcKgi2w== rsa 2048-020623
An example of this usage would be:
sshamble --pubkey-hunt-file asus-pubkey.txt --checks=pubkey-hunt -p 53282 network/16
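As an added example (not runZero's or SSHamble's code), the following Python script performs the same public-key hunt offline against an authorized_keys-style listing, such as one exported from a router's SSH settings during the manual review described above (where that listing lives on a given ASUS firmware is not stated on this page and is an assumption for the reader to confirm). It matches on the key type and blob rather than the trailing comment, so a renamed key is still caught, skips any options prefix on a line, and reports an OpenSSH-style SHA256 fingerprint for each entry so the review can be recorded. The sample listing is constructed; the administrator's key in it is a stub blob, not a real 2048-bit key.

```python
"""Offline hunt for the attacker public key in an authorized_keys-style listing.

Added example, not runZero's or SSHamble's code. Every key entry is compared
against the indicator key by (type, blob), so a changed trailing comment does
not hide it, and each entry's OpenSSH-style SHA256 fingerprint is reported so
the review can be recorded in the incident log.
"""
import base64
import hashlib

# Attacker public key exactly as quoted in the report (type, base64 blob, comment).
IOC_KEYS = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZJ8L5mzhhaxfGzpHR8Geay/xDlVDSJ8MJwA4RJ7o21KVfRXqFblQH4L6fWIYd1ClQbZ6Kk1uA1r7qx1qEQ2PqdVMhnNdHACvCVz/MPHTVebtkKhEl98MZiMOvUNPtAC9ppzOSi7xz3cSV0n1pG/dj+37pzuZUpm4oGJ3XQR2tUPz5MddupjJq9/gmKH6SJjTrHKSECe5yEDs6c3v6uN4dnFNYA5MPZ52FGbkhzQ5fy4dPNf0peszR28XGkZk9ctORNCGXZZ4bEkGHYut5uvwVK1KZOYJRmmj63drEgdIioFv/x6IcCcKgi2w== rsa 2048-020623",
]

# Key type prefixes accepted by OpenSSH; anything before one of these is an options prefix.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

# Constructed sample listing: a legitimate admin key (stub blob, not a real 2048-bit key)
# followed by the attacker key carrying an options prefix and a renamed comment.
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample authorized_keys\n"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAQM= admin@example.invalid\n"
    "no-pty " + IOC_KEYS[0].rsplit(" ", 2)[0] + " backup\n"  # type + blob, new comment
)


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_entry(line: str):
    """Split one authorized_keys line into (type, blob, comment); None for blanks/comments.

    Leading options (no-pty, from=..., command=...) are skipped by scanning for the key
    type token. Options whose quoted values contain whitespace are tokenised loosely.
    """
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPE_PREFIXES):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def hunt(authorized_keys_text: str, ioc_keys=IOC_KEYS) -> list:
    """Return one record per key entry with line number, fingerprint and IoC verdict."""
    wanted = {entry[:2] for entry in map(parse_entry, ioc_keys) if entry}
    findings = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), start=1):
        entry = parse_entry(line)
        if entry is None:
            continue
        ktype, blob, comment = entry
        try:
            fp = fingerprint(blob)
        except ValueError:  # binascii.Error is a ValueError: malformed base64 blob
            fp = "INVALID-BASE64"
        findings.append({
            "line": lineno, "type": ktype, "comment": comment,
            "fingerprint": fp, "ioc": (ktype, blob) in wanted,
        })
    return findings


def ioc_matches(authorized_keys_text: str, ioc_keys=IOC_KEYS) -> list:
    """Only the entries that match a known indicator key."""
    return [f for f in hunt(authorized_keys_text, ioc_keys) if f["ioc"]]


if __name__ == "__main__":
    import sys

    # Pass an exported authorized_keys file as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTHORIZED_KEYS
    for f in hunt(text):
        verdict = "IOC MATCH" if f["ioc"] else "ok"
        print(f"line {f['line']:>3}  {f['type']:<12} {f['fingerprint']}  {f['comment']!r}  {verdict}")
```

Run it with the exported listing as its argument, or with no argument to see the constructed sample flag its third line. A fingerprint of INVALID-BASE64 means the entry could not be decoded at all, which on a router that only ever held administrator keys is itself worth a closer look.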
About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network, without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.