A Hidden War at the Edge of the Internet
A silent cyberattack is sweeping through thousands of home and office networks as hackers hijack ASUS routers in an unusually stealthy and persistent operation. A new report from GreyNoise, a cyber intelligence firm, reveals that nearly 9,000 ASUS routers have been covertly compromised. What makes this campaign different is not just the number of affected devices but the attackers' ability to keep long-term access without deploying traditional malware.
Instead of leaving behind detectable software or malicious files, the attackers abuse legitimate router features (the built-in SSH service and its stored configuration) to establish backdoors that survive reboots and firmware updates. This lets them keep an invisible grip on infected devices, potentially building a decentralized pool of compromised routers primed for future cyber operations.
Experts say the campaign bears the hallmarks of an advanced persistent threat (APT), a type of cyberattack often associated with nation-state actors such as those linked to China. Although no direct attribution has been made, the operational discipline and evasion techniques suggest the threat actors are well-resourced and highly capable.
Thousands of ASUS Routers Hijacked in Ongoing Global Attack
GreyNoise's investigation, which began on March 18, detected the malicious activity with its AI-powered analysis tool, SIFT. The tool flagged unusual payloads attempting to disable the Trend Micro AiProtection security features built into ASUS routers. Researchers soon uncovered a widespread intrusion that had reached nearly 9,000 routers by May 27, and the number is still growing.
Rather than rely on malware, the attackers use a multi-phase strategy:
Initial Access: The attackers brute-force login credentials and use two undisclosed (zero-day) authentication bypasses, neither of which has been assigned a CVE ID, to get past the login.
Exploitation: With access, they exploit CVE-2023-39780, a command injection vulnerability affecting the ASUS RT-AX55, to run arbitrary system-level commands on the device.
Persistence: The attackers enable the router's built-in SSH service on a non-standard port (TCP/53282) and insert their own public key for remote access. Because these settings are written to the router's non-volatile memory (NVRAM), they persist across reboots and firmware updates; only a factory reset clears them.
Stealth: To avoid detection, they disable the router's logging and AiProtection and leave no files behind on the filesystem.
ASUS has patched CVE-2023-39780, but the patch does not revert the attackers' SSH settings: a router that was compromised before updating stays compromised afterward. And because the bypasses used for initial access have not been publicly documented or assigned CVE IDs, users have little guidance on what to look for.
GreyNoise delayed public disclosure to alert government and industry stakeholders first. A parallel report by Sekoia, another cybersecurity firm, describes overlapping activity under the name "ViciousTrap."
GreyNoise's Mitigation Tips:
Check whether SSH is enabled and listening on TCP/53282 (from the router's own shell or settings page, or by scanning its WAN address from outside).
Inspect the `authorized_keys` file for entries you did not add yourself.
Block IP addresses: 101.99.91.151, 101.99.94.173, 79.141.163.179, 111.90.146.237.
If compromise is suspected, perform a full factory reset (a firmware update alone does not remove the backdoor), reconfigure the router from scratch, and set a new administrator password, since credential brute-forcing is part of the intrusion.
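The checks above can be run against a saved `nvram show` dump, an `authorized_keys` file and a firewall log, which is what the following script does. It is an added example, not code from GreyNoise, Sekoia or ASUS: the NVRAM variable names `sshd_enable`, `sshd_port`, `sshd_wan` and `sshd_authkeys` are those used by Asuswrt-based firmware and should be confirmed on your model, the sample dump, key lines and log lines are constructed for illustration, and the only real data in it is the port and the four IP addresses from GreyNoise's list.

```shell
#!/bin/sh
# Added triage helper for the GreyNoise indicators. Not code from GreyNoise,
# Sekoia or ASUS. NVRAM names (sshd_enable, sshd_port, sshd_wan, sshd_authkeys)
# follow Asuswrt-based firmware and are an assumption to confirm on your model;
# every sample value below is constructed, not captured from a real device.

SUSPECT_PORT=53282
# Attacker infrastructure published by GreyNoise.
KNOWN_BAD_IPS="101.99.91.151 101.99.94.173 79.141.163.179 111.90.146.237"

# Constructed `nvram show`-style dump (key=value per line) of a backdoored router.
SAMPLE_NVRAM="sshd_enable=1
sshd_port=53282
sshd_wan=1
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7ConstructedIntruderKey= intruder@nowhere"

# Constructed authorized_keys content: one key the admin installed, one nobody did.
SAMPLE_KEYS="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKey admin@lan
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7ConstructedIntruderKey= intruder@nowhere"

# Keys you know you installed. Compare key material (field 2), never the trailing
# comment: the comment is free text and an intruder can make it look benign.
TRUSTED_KEYS="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKey admin@lan"

# Constructed netfilter-style log lines (SRC=/DST= fields) for the traffic check.
SAMPLE_LOG="May 28 10:01:12 router kernel: ACCEPT IN=eth0 OUT= SRC=101.99.94.173 DST=203.0.113.5 PROTO=TCP DPT=53282
May 28 10:01:13 router kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP DPT=443
May 28 10:02:40 router kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.1 DST=79.141.163.179 PROTO=TCP DPT=443"

# nvram_get DUMP NAME -> prints NAME's value from the dump (empty if absent)
nvram_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# ssh_backdoor_present DUMP -> true if SSH is enabled on the suspect port
ssh_backdoor_present() {
    [ "$(nvram_get "$1" sshd_enable)" = "1" ] &&
    [ "$(nvram_get "$1" sshd_port)" = "$SUSPECT_PORT" ]
}

# ssh_wan_exposed DUMP -> true if the SSH service is reachable from the WAN side
ssh_wan_exposed() {
    [ "$(nvram_get "$1" sshd_wan)" = "1" ]
}

# unknown_keys KEYS TRUSTED -> prints each KEYS line whose key material is not in TRUSTED
unknown_keys() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -z "$line" ] && continue
        material=$(printf '%s\n' "$line" | awk '{print $2}')
        if ! printf '%s\n' "$2" | awk '{print $2}' | grep -qxF -- "$material"; then
            printf '%s\n' "$line"
        fi
    done
}

# is_known_bad_ip IP -> true if IP is on the GreyNoise list
is_known_bad_ip() {
    for ip in $KNOWN_BAD_IPS; do
        [ "$ip" = "$1" ] && return 0
    done
    return 1
}

# log_hits LOG -> prints log lines whose SRC= or DST= address is a known-bad IP
log_hits() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        for ip in $(printf '%s\n' "$line" | grep -oE '(SRC|DST)=[0-9.]+' | cut -d= -f2); do
            if is_known_bad_ip "$ip"; then
                printf '%s\n' "$line"
                break
            fi
        done
    done
}

# triage DUMP KEYS TRUSTED LOG -> prints findings; true if anything was found
triage() {
    found=1
    ssh_backdoor_present "$1" && { echo "FINDING: SSH enabled on TCP/$SUSPECT_PORT"; found=0; }
    ssh_wan_exposed "$1" && { echo "FINDING: SSH reachable from the WAN (sshd_wan=1)"; found=0; }
    keys=$(unknown_keys "$2" "$3")
    [ -n "$keys" ] && { echo "FINDING: authorized_keys entries you did not install:"; echo "$keys"; found=0; }
    hits=$(log_hits "$4")
    [ -n "$hits" ] && { echo "FINDING: traffic involving known attacker IPs:"; echo "$hits"; found=0; }
    return $found
}

# Runs against the constructed samples; substitute real `nvram show` output,
# your authorized_keys file and your firewall log to triage an actual router.
triage "$SAMPLE_NVRAM" "$SAMPLE_KEYS" "$TRUSTED_KEYS" "$SAMPLE_LOG"
```

On an Asuswrt-based router the dump comes from `nvram show`, and the key file lives under root's `.ssh` directory (typically `/tmp/home/root/.ssh/authorized_keys`, an assumption to verify for your firmware). The key check is the strongest single indicator: it compares key material rather than the comment field, which an intruder controls, so a key that is not on your allowlist is a finding regardless of how harmless its label looks. A clean NVRAM result is only meaningful if the attacker has not also changed the port, which is why the port is a parameter rather than hard-wired into the check.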
What Undercode Says:
This ASUS router attack is not your typical botnet campaign. It is a meticulously executed infiltration that leverages the inherent features of network hardware to sustain a silent occupation. This approach, which avoids dropping any detectable malware, reflects a new standard in cyber espionage. The backdoor survives firmware upgrades because it lives in NVRAM configuration rather than in the firmware image, and choosing persistence that outlasts the vendor's own remediation path suggests a level of sophistication usually seen in state-backed operations.
The use of zero-day authentication bypasses and stealthy command injection points toward a group with deep pockets and detailed knowledge of the target platform. By storing access credentials in non-volatile memory and using a custom SSH port, the attackers ensure long-term access with almost no forensic footprint. This is not just about spying or IP theft; it is about building infrastructure for something bigger, possibly a global ORB (operational relay box) network ready for coordinated attacks.
The lack of assigned CVEs for the login bypass methods also highlights a worrying gap in the cyber defense ecosystem. It means these vulnerabilities may be unknown to most security professionals and therefore unpatched in the wild. ASUS users are essentially flying blind unless they know exactly what to look for.
Moreover, this campaign once again illustrates the growing trend of targeting edge devices (routers, cameras, IoT hubs) that sit outside the usual security perimeter. As more homes and small businesses rely on these devices, they become the weak link in the cybersecurity chain.
The campaign also demonstrates a growing convergence between espionage and infrastructure manipulation. By taking control of routers, the attackers do not just get data; they get positioning. Infected devices can be used to proxy attacks, collect metadata, launch DDoS strikes, or manipulate traffic in real time.
This is also a lesson in the importance of outbound traffic monitoring. Most users do not notice when their router is quietly connecting to a suspicious IP, especially if the firmware UI offers no real-time insight. Manufacturers like ASUS need to implement better intrusion detection, logging, and real-time alerts.
Lastly, while some mitigation steps are available, such as factory resets and blocking known IPs, they are not scalable for non-technical users. A broader firmware reengineering effort is required to fully flush out these backdoors and prevent similar intrusions in the future.
Fact Checker Results:
GreyNoise and Sekoia both reported the activity independently; Sekoia's ViciousTrap report overlaps with GreyNoise's findings.
CVE-2023-39780 is verified and officially patched by ASUS.
Attack methods and SSH manipulation are described in GreyNoise's technical report.
Prediction:
The ASUS router breach is likely just the tip of the iceberg. Similar tactics will soon be replicated across other router brands and IoT platforms. Expect to see more long-dormant botnets awaken in future coordinated attacks, potentially targeting critical infrastructure or large-scale disinformation campaigns. Governments and corporations may soon have to adopt zero-trust policies even at the hardware level.
References:
Reported By: www.infosecurity-magazine.com