Researchers Investigate Potential Chinese Cyberespionage Operation

Cybersecurity researchers have identified a significant operation involving the takeover of thousands of Asus routers, believed to be the work of suspected Chinese hackers. The campaign appears to target devices located primarily in Taiwan, consistent with observations that Chinese actors are strategically exploiting unprotected routers and Internet of Things (IoT) devices as part of their cyber-espionage tradecraft.
Researchers from SecurityScorecard have labeled the operation "WrtHug" and have tracked its activity over several months. A distinctive feature of the compromised devices is a self-signed TLS certificate set to expire in 2122. The certificate, which secures connections to AiCloud, an Asus service that allows file sharing over the internet, stands out because Asus routers conventionally generate certificates with a ten-year lifespan.
By tracing the unique TLS certificates, the researchers uncovered around 50,000 distinct internet addresses affected by the WrtHug operation. While there is no concrete evidence directly attributing these cyber actors to China, the circumstantial indicators suggest a deliberate construction of operational relay boxes (ORBs) for facilitating Beijing’s cyber-espionage initiatives.
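The certificate detail above is also the most concrete thing a defender can check for in their own inventory. The following script is an added example, not code from SecurityScorecard or from the original article: it triages a certificate export for self-signed router certificates whose validity period is far longer than the ten years the article says Asus normally issues, and separately notes the 2122 expiry year reported as the WrtHug indicator. It goes slightly beyond the article by flagging any implausibly long-lived self-signed certificate, not only the 2122 case. The CSV layout, the host addresses, the subject and issuer names, and the lifetime threshold are all constructed assumptions for the example.

```python
"""Triage a TLS-certificate inventory for the long-lived self-signed
certificate indicator described above.  Added example; the records below are
constructed, not real scan data."""
import csv
import io
from datetime import datetime

# Asus routers normally generate roughly ten-year certificates (per the article).
# A self-signed router certificate valid well beyond that is anomalous.
# The exact threshold is an assumption for this example.
MAX_EXPECTED_LIFETIME_DAYS = 10 * 366 + 7   # ten years plus a week of slack

# Expiry year of the WrtHug certificate indicator reported by SecurityScorecard.
INDICATOR_EXPIRY_YEAR = 2122

# Constructed sample export; dates use the format `openssl x509 -dates` prints.
# Hosts 192.0.2.x are documentation addresses, and the names are invented.
SAMPLE_EXPORT = """\
host,subject,issuer,not_before,not_after
192.0.2.10,CN=router.example,CN=router.example,Nov 20 12:00:00 2022 GMT,Nov 20 12:00:00 2122 GMT
192.0.2.11,CN=router.example,CN=router.example,Nov 20 12:00:00 2020 GMT,Nov 20 12:00:00 2030 GMT
192.0.2.12,CN=router.example,CN=Example Internal CA,Nov 20 12:00:00 2025 GMT,Nov 20 12:00:00 2026 GMT
192.0.2.13,CN=router.example,CN=router.example,Nov 20 12:00:00 2025 GMT,Nov 20 12:00:00 2090 GMT
"""

CERT_TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"


def parse_cert_time(text):
    """Parse an openssl-style validity timestamp into a naive UTC datetime."""
    return datetime.strptime(text.strip(), CERT_TIME_FORMAT)


def load_export(text):
    """Read a CSV export with host,subject,issuer,not_before,not_after columns."""
    return list(csv.DictReader(io.StringIO(text)))


def lifetime_days(record):
    """Validity period of the certificate in whole days."""
    return (parse_cert_time(record["not_after"])
            - parse_cert_time(record["not_before"])).days


def is_self_signed(record):
    """A self-signed certificate names the same entity as subject and issuer.
    Comparing the DN strings is a heuristic; a full check would verify the
    signature against the certificate's own public key."""
    return record["subject"] == record["issuer"]


def classify(record):
    """Return the reasons a record is suspicious (empty list if none)."""
    reasons = []
    days = lifetime_days(record)
    expiry_year = parse_cert_time(record["not_after"]).year
    if is_self_signed(record) and days > MAX_EXPECTED_LIFETIME_DAYS:
        reasons.append(f"self-signed certificate valid for {days} days, "
                       f"far beyond the expected ten years")
    if is_self_signed(record) and expiry_year == INDICATOR_EXPIRY_YEAR:
        reasons.append(f"expiry year {expiry_year} matches the reported "
                       f"WrtHug indicator")
    return reasons


def triage(export_text):
    """Map each flagged host to its reasons; hosts with no findings are omitted."""
    findings = {}
    for record in load_export(export_text):
        reasons = classify(record)
        if reasons:
            findings[record["host"]] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EXPORT).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed export, the script flags 192.0.2.10 on both counts and 192.0.2.13 for its lifetime alone, while the ten-year self-signed certificate and the CA-issued one pass. A hit on the 2122 year is a strong lead but not proof of compromise on its own; the article itself attributes the campaign to China only on circumstantial indicators, so a flagged device should be pulled for firmware and configuration review rather than treated as confirmed.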
Various intelligence agencies employ ORBs to obfuscate malicious activities by routing internet traffic through compromised devices, a tactic already favored by Chinese cyberespionage groups. The WrtHug operation reveals a concerning trend, particularly due to the notable concentration of impacted devices in Taiwan. Estimates indicate that between a third and half of the compromised routers are linked to IP addresses in Taiwan, raising suspicions about the geographic focus of the attack.
WrtHug exhibits striking similarities to a previously observed campaign, AyySSHush, which aimed to turn Asus routers into a botnet. GreyNoise analyzed AyySSHush earlier this year and concluded that the sophisticated techniques signaled a well-resourced adversary, possibly one constructing an ORB. Both WrtHug and AyySSHush exploit command injection vulnerabilities tied to CVE-2023-39780, suggesting a potential overlap between the campaigns.
The ongoing targeting of small office and home office routers continues to present a significant concern, as many owners neglect regular security updates for these devices. Despite improvements in auto-update capabilities by manufacturers, routers that have reached end of life often remain unprotected. In light of recent developments, the FBI issued a public service announcement urging SOHO router owners to consider upgrading unsupported devices or disabling remote management functions.
As businesses navigate the growing cyber threat landscape, understanding tactics outlined in the MITRE ATT&CK framework—such as initial access, persistence, and privilege escalation—proves crucial. The implications of the WrtHug campaign showcase the need for heightened security measures and vigilance among organizations reliant on connected devices, particularly in vulnerable sectors.