In a concerning security discovery, GreyNoise, a prominent threat intelligence firm, uncovered a stealthy and persistent cyberattack campaign targeting ASUS routers. The attack, dubbed the “AyySSHush” botnet, has successfully compromised over 9,000 ASUS routers, exploiting vulnerabilities and bypassing security features to install an SSH backdoor, ensuring long-term unauthorized access. Here’s an in-depth look at the campaign, its implications, and expert analysis on the ongoing threat.
The Attack
GreyNoise’s AI-powered network traffic analysis tool, SIFT, revealed the operation of the AyySSHush botnet in a campaign that began on March 18, 2025. This campaign saw cybercriminals exploiting various ASUS router models, including the RT-AC3100, RT-AC3200, and RT-AX55, to insert a persistent backdoor. The attackers leveraged subtle techniques, bypassing authentication and exploiting legitimate router settings to avoid detection.
The primary goal of the campaign was to gain persistent access to routers exposed to the internet, surviving reboots and firmware updates. Infected routers were manipulated to run specific payloads that added attacker-controlled SSH keys, opening port 53282 and allowing remote access. The backdoor was durable enough that a simple firmware update wouldn’t remove the malicious code, making the attack particularly effective. By exploiting vulnerabilities like the CVE-2023-39780 command injection flaw, the attackers were able to execute arbitrary commands and maintain control over compromised devices.
As of May 27, nearly 9,000 ASUS routers were confirmed as compromised, according to Censys data. Despite the scale of the attack, the campaign’s stealthy nature is evident, with only 30 requests related to the botnet observed in a three-month span. GreyNoise has published Indicators of Compromise (IOCs), including four IP addresses associated with the botnet’s infrastructure, which could aid in identifying affected devices.
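As an added example (not code from the article or from GreyNoise), the following Python script audits an offline snapshot of a router for the two indicators the article describes: an SSH service listening on TCP port 53282 and SSH authorized keys that the administrator did not install. The netstat output, the authorized_keys entries and the allow-list are constructed samples, and the function names are assumptions; on a real router you would feed it the output of `netstat -tln` and the contents of the router's authorized_keys file instead.

```python
"""
Added example, not from the article or the GreyNoise report.
Checks a router snapshot for two indicators named in the article:
  1. a TCP listener on port 53282
  2. SSH authorized keys that are not in the administrator's allow-list
"""
import re
from dataclasses import dataclass

BACKDOOR_PORT = 53282  # port named in the article

# Constructed sample of `netstat -tln` output (not real captured data)
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53282           0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
"""

# Constructed sample authorized_keys file (hypothetical key blobs, not real IoCs)
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY00000000000000000000 admin@home
# comment line
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEXAMPLEUNKNOWNKEY000000000 rc
"""

# Keys the administrator actually deployed (hypothetical allow-list)
KNOWN_KEYS = {
    "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY00000000000000000000",
}

# Matches a LISTEN line: proto, recv-q, send-q, local address:port, foreign, state
LISTEN_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN", re.MULTILINE
)


@dataclass
class AuditResult:
    listeners: list            # (proto, address, port) for every LISTEN line
    backdoor_port_listening: bool
    unknown_keys: list         # (key_type, comment) for keys not in the allow-list

    @property
    def suspicious(self) -> bool:
        return self.backdoor_port_listening or bool(self.unknown_keys)


def parse_listeners(netstat_output: str) -> list:
    """Extract (proto, address, port) tuples from netstat -tln style output."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in LISTEN_RE.finditer(netstat_output)]


def parse_authorized_keys(text: str) -> list:
    """Return (key_type, key_blob, comment) per key entry, skipping blanks/comments.
    Entries may carry leading options, so locate the key-type token first."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                blob = parts[i + 1] if i + 1 < len(parts) else ""
                comment = " ".join(parts[i + 2:])
                entries.append((tok, blob, comment))
                break
    return entries


def audit(netstat_output: str, authorized_keys: str, known_keys: set) -> AuditResult:
    """Flag a listener on the backdoor port and any key outside the allow-list."""
    listeners = parse_listeners(netstat_output)
    backdoor = any(proto.startswith("tcp") and port == BACKDOOR_PORT
                   for proto, _, port in listeners)
    unknown = [(ktype, comment)
               for ktype, blob, comment in parse_authorized_keys(authorized_keys)
               if blob not in known_keys]
    return AuditResult(listeners, backdoor, unknown)


if __name__ == "__main__":
    result = audit(SAMPLE_NETSTAT, SAMPLE_AUTHORIZED_KEYS, KNOWN_KEYS)
    print("backdoor port listening:", result.backdoor_port_listening)
    print("unknown keys:", result.unknown_keys)
    print("suspicious:", result.suspicious)
```

Because the article notes that a firmware update does not clear the backdoor, a check like this belongs after the update as well as before it: a clean result is only meaningful once the listener is gone and the authorized_keys file contains nothing but the administrator's own keys.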
What Undercode Says:
The AyySSHush botnet’s stealthiness highlights a concerning trend in modern cyberattacks: the increasing sophistication and persistence of botnet campaigns. Attackers are not just exploiting flaws but are also utilizing built-in features of devices like ASUS routers to blend in and avoid detection, which is a worrying development for network security.
The use of legitimate settings to install a backdoor, coupled with the exploitation of vulnerabilities such as CVE-2023-39780, showcases an evolving tactic where traditional defense mechanisms like firewall protection and firmware updates may no longer be sufficient. This poses a significant challenge to device manufacturers and users alike, as it becomes clear that an attacker’s access to a system can endure beyond typical remediation methods.
Furthermore, the targeting of internet-exposed routers emphasizes the importance of securing devices at the network’s edge. Many users are unaware of the risks associated with default configurations on their routers, making them easy targets for cybercriminals. In this case, devices with default settings were specifically targeted, pointing to the need for more stringent security practices in both home and business environments.
The discovery that only a handful of requests were observed over a span of three months indicates that the botnet operators are taking great care to remain undetected. This adds another layer of complexity for security professionals trying to track down and mitigate such attacks.
The fact that firmware upgrades do not remove the backdoor further complicates the recovery process. Users who believe that simply updating their router’s firmware would eliminate the threat could be in for a rude awakening, as the backdoor remains firmly in place.
The AyySSHush botnet is also a wake-up call for all industries to invest in proactive threat intelligence and network traffic analysis. GreyNoise’s use of AI tools like SIFT to detect anomalous traffic is a prime example of how AI can aid in identifying and mitigating threats before they escalate into full-blown attacks. The ability to detect network anomalies with minimal effort can save organizations significant time and resources, preventing larger-scale compromises.
Fact Checker Results 🔍
Vulnerability Used: The attackers exploited CVE-2023-39780, a command injection flaw in ASUS RT-AX55 routers, allowing them to execute arbitrary system commands.
Persistence: The backdoor remains intact across firmware updates and reboots, making recovery difficult without specific intervention.
Scale: Nearly 9,000 routers have been compromised, but the attack is remarkably stealthy, with only 30 related requests observed in three months.
Prediction 🔮
Given the stealthy nature of the AyySSHush botnet and the sophisticated techniques used by its operators, we can expect this campaign to evolve further. It’s likely that the botnet will expand its reach by targeting additional router models or devices with similar vulnerabilities. As IoT and network-connected devices proliferate, attackers may continue to exploit default configurations and known flaws, putting an increasing number of vulnerable devices at risk.
Moreover, this incident underscores the need for more robust, automated defenses in home and enterprise networks. Devices that are exposed to the internet should undergo regular security checks, including vulnerability scanning and configuration audits, to prevent similar attacks. Organizations should consider deploying advanced traffic analysis tools like those used by GreyNoise to detect anomalies early and avoid being caught off-guard by future threats.
References:
Reported By: securityaffairs.com