Cybersecurity Alert: Compromised Asus Routers Linked to Nation-State Threat Actor
GreyNoise has reported a campaign targeting Asus routers that it first observed in mid-March. The company held back publication for a period while it notified government bodies it did not name, a step that, together with the attacker's tradecraft, points toward a possible nation-state actor.
The activity appears to be part of a broader operation that security firm Sekoia has been tracking, and Sekoia's findings indicate the compromise is widespread. Its researchers reported that internet-wide scans run with network intelligence firm Censys identified roughly 9,500 Asus routers that may have been compromised by a threat actor dubbed ViciousTrap.
The attackers chain several weaknesses in the devices, most notably CVE-2023-39780, a command injection flaw in the router's administrative interface that lets an attacker run arbitrary system commands. Asus has fixed it in a recent firmware update. Other techniques used in the campaign have also been patched, but they were never assigned CVE identifiers, which makes it harder for owners to tell from release notes whether their firmware is affected.
Router owners should check their devices directly rather than assume they are clean. The key indicator is in the SSH settings of the router's administration pages (or the equivalent NVRAM values): a compromised device has SSH enabled on TCP port 53282 and carries an attacker-controlled SSH public key in its authorized keys. Published reports show only a truncated copy of that key, so any key the owner did not add themselves should be treated as suspect.
To remediate, owners should remove any key they do not recognize and reset the SSH port. Because the backdoor lives in the router's persistent configuration (NVRAM) rather than in the firmware image, a firmware update or reboot on its own does not remove it; a factory reset followed by manual reconfiguration is the safer course. System logs may also show SSH connections from the IP addresses that GreyNoise and Sekoia have linked to the attack. As a baseline, all router owners should apply security updates promptly so that the vulnerabilities used for initial access are closed.
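The checks described above can be scripted against an `nvram show` dump and the router's syslog. The following is an added example written for this page, not code from GreyNoise, Sekoia or Asus. It assumes the Asuswrt NVRAM variable names `sshd_enable`, `sshd_port`, `sshd_wan` and `sshd_authkeys` and the dropbear "auth succeeded ... from ip:port" log format; verify both on your firmware version. The sample NVRAM dump and log lines are constructed, and the 192.0.2.x addresses are RFC 5737 documentation placeholders standing in for the indicator list, not real attacker infrastructure; feed the published indicators into `suspicious_logins` in practice.

```python
"""Check an Asus router's NVRAM dump and syslog for the SSH backdoor described above.

Example code written for this article; the NVRAM key names and dropbear log
format are assumptions about Asuswrt and should be confirmed on the device.
"""
import re

BACKDOOR_PORT = 53282  # SSH port named in the GreyNoise reporting


def parse_nvram(dump: str) -> dict:
    """Parse `nvram show`-style key=value lines into a dict (first '=' splits)."""
    cfg = {}
    for line in dump.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def split_authkeys(raw: str) -> list:
    # Assumption: Asuswrt stores several keys in one variable separated by
    # newlines or angle brackets; treat all three as separators.
    return [k.strip() for k in re.split(r"[\n<>]", raw) if k.strip()]


def check_ssh_config(dump: str, trusted_keys=frozenset()) -> list:
    """Return a list of findings; an empty list means no indicator was seen.

    Checks run even when SSH is currently disabled, because the port and key
    settings persist in NVRAM and survive reboots and firmware updates.
    """
    cfg = parse_nvram(dump)
    findings = []
    if cfg.get("sshd_port", "") == str(BACKDOOR_PORT):
        findings.append(f"sshd_port is {BACKDOOR_PORT}, the port used by the backdoor")
    if cfg.get("sshd_enable", "0") != "0" and cfg.get("sshd_wan") == "1":
        findings.append("SSH is enabled and exposed on the WAN interface")
    for key in split_authkeys(cfg.get("sshd_authkeys", "")):
        if key not in trusted_keys:
            findings.append("unrecognised authorized key: " + key[:40] + "...")
    return findings


# dropbear success lines, e.g. "Pubkey auth succeeded for 'admin' ... from 192.0.2.10:41234"
LOGIN_RE = re.compile(
    r"dropbear\[\d+\]: (?P<method>Pubkey|Password) auth succeeded for "
    r"'(?P<user>[^']+)'.*?from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+"
)


def suspicious_logins(log_lines, indicator_ips) -> list:
    """Return (ip, user, reason) for every successful login worth reviewing.

    Public-key logins are flagged unconditionally because the backdoor relies
    on an injected key; any login from a known indicator IP is flagged too.
    """
    hits = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        reasons = []
        if m.group("method") == "Pubkey":
            reasons.append("public-key login")
        if m.group("ip") in indicator_ips:
            reasons.append("login from indicator IP")
        if reasons:
            hits.append((m.group("ip"), m.group("user"), "; ".join(reasons)))
    return hits


# Constructed sample data (not captured from a real device).
SAMPLE_NVRAM = """\
wan_ipaddr=198.51.100.23
sshd_enable=1
sshd_port=53282
sshd_wan=1
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCONSTRUCTEDKEYBODY attacker@example
firmver=3.0.0.4
"""

CLEAN_NVRAM = """\
wan_ipaddr=198.51.100.23
sshd_enable=0
sshd_port=22
sshd_wan=0
sshd_authkeys=
"""

SAMPLE_LOG = [
    "May 20 03:14:07 router dropbear[1842]: Pubkey auth succeeded for 'admin' with ssh-rsa key SHA256:cnstrctd from 192.0.2.10:41234",
    "May 20 08:02:11 router dropbear[1901]: Password auth succeeded for 'admin' from 192.168.50.12:50122",
    "May 20 08:05:00 router dropbear[1901]: Exit (admin): Disconnect received",
]

if __name__ == "__main__":
    for finding in check_ssh_config(SAMPLE_NVRAM):
        print("FINDING:", finding)
    for ip, user, reason in suspicious_logins(SAMPLE_LOG, {"192.0.2.10"}):
        print(f"REVIEW: {user}@{ip}: {reason}")
```

On the router itself the dump comes from `nvram show` and the log from `/tmp/syslog.log`; pass any keys you deliberately installed as `trusted_keys` so only unexpected ones are reported.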
The findings underline how exposed edge devices are, including the consumer and small-business routers that state-sponsored actors increasingly use as footholds. In MITRE ATT&CK terms the observed tactics map to Initial Access through exploitation of a public-facing application and to Persistence through an attacker-added SSH authorized key, a combination that survives the routine fixes owners tend to rely on.
For organizations, the practical lesson is to inventory the routers at the network edge, check their configuration rather than only their firmware version, and treat unexplained SSH settings as an incident rather than a curiosity.