Full Report
Over 9,000 ASUS routers are compromised by a novel botnet dubbed "AyySSHush" that was also observed targeting SOHO routers from Cisco, D-Link, and Linksys. [...]
Analysis Summary
# Incident Report: Botnet Infiltration and Persistent SSH Backdoor on ASUS Routers
## Executive Summary
A botnet campaign, tentatively identified as overlapping with "Vicious Trap," compromised over 9,000 ASUS routers by exploiting unpatched vulnerabilities. The primary goal was to establish a persistent SSH backdoor, likely for future botnet operations, rather than immediate disruption like DDoS. The response involves urging users to immediately apply firmware updates provided by ASUS and perform a factory reset if compromise is suspected.
## Incident Details
- **Discovery Date:** Not explicitly stated, but GreyNoise analysis flagged malicious requests triggering human inspection.
- **Incident Date:** Ongoing campaign detected via malicious requests.
- **Affected Organization:** End-users of vulnerable ASUS routers (estimated 9,000+ affected).
- **Sector:** Consumer/SOHO Networking Equipment.
- **Geography:** Global (Implied, targeting publicly accessible routers).
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed.
- **Vector:** Exploitation of vulnerabilities in ASUS routers (CVE-2023-39780 explicitly mentioned as addressed by recent updates; potential overlap with CVE-2021-32030 mentioned in context of similar campaigns).
- **Details:** Attackers performed malicious requests targeting the devices.
### Lateral Movement
- Not detailed for this phase as the attack targeted the device firmware/OS itself, not internal network movement following initial access.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Potential future impact includes the redirection of network traffic to attacker-controlled devices (as seen in the broader "Vicious Trap" campaign). The immediate impact was the establishment of persistence.
### Detection & Response
- **How it was discovered:** GreyNoise's AI-powered analysis flagged four malicious requests for human inspection, leading to identification of the campaign (tentatively dubbed AyySSHush).
- **Response actions taken:** ASUS released security updates addressing CVE-2023-39780. Security researchers provided IoCs and recommended remediation steps for affected users.
## Attack Methodology
- **Initial Access:** Exploitation of known or zero-day vulnerabilities in ASUS router firmware (mention of CVE-2023-39780 leading to compromise).
- **Persistence:** Addition of an attacker-controlled SSH key to the router's `authorized_keys` file, granting persistent remote access.
- **Privilege Escalation:** Assumed successful, as installing persistent persistence requires high-level access to the router OS.
- **Defense Evasion:** Not detailed, but likely leveraging weak default configurations or unpatched flaws.
- **Credential Access:** Not explicitly detailed, but the primary goal was to implant an SSH key, bypassing traditional username/password authentication.
- **Discovery:** Likely scanning public IP spaces for vulnerable ASUS router management interfaces.
- **Lateral Movement:** Not the primary goal; the focus was on creating a persistent foothold on the router itself for botnet building.
- **Collection:** No active exfiltration confirmed; goal was groundwork for future botnet.
- **Exfiltration:** None confirmed during the observed activity.
- **Impact:** Establishment of a persistent backdoor for network control or future use.
## Impact Assessment
- **Financial:** TBD; indirect costs associated with patching, investigations, and securing devices.
- **Data Breach:** No confirmed specific data exfiltration detailed in the snippet. The compromise is primarily a control plane breach.
- **Operational:** Potential compromise of networking routines or use of routers as attack nodes; risk of traffic redirection based on similar campaign observations.
- **Reputational:** Potential reputational damage to ASUS due to vulnerability exploitation, though user security posture is also a factor.
## Indicators of Compromise
- **Network indicators (Defanged):**
- `101.99.99[.]151`
- `101.99.94[.]173`
- `79.141.163[.]179`
- `111.90.146[.]237`
- **File indicators:** Suspicious addition of an unauthorized SSH key to the router's `authorized_keys` file.
- **Behavioral indicators:** Malicious HTTP requests targeting routers susceptible to the exploited CVEs.
## Response Actions
- **Containment measures:** Block the listed malicious IP addresses.
- **Eradication steps:** Advised users suspected of compromise to perform a factory reset of the router.
- **Recovery actions:** Reconfigure the router from scratch using strong administrator passwords and immediately upgrade firmware.
## Lessons Learned
- **Key takeaways:** Unpatched consumer/SOHO networking hardware remains a critical pathway for botnet construction and long-term threat actor persistence.
- **What could have been done better:** Faster patching cycles or improved default security configurations on user-facing router firmware are necessary prerequisites for mitigating such mass exploitation.
## Recommendations
- Immediately upgrade ASUS router firmware to versions addressing CVE-2023-39780 (and any other relevant vendor-released patches).
- For any device exhibiting signs of compromise, perform a full factory reset to ensure complete removal of the injected SSH key.
- Implement strong, unique administrator credentials on all network edge devices.
- Block the identified malicious source IP addresses at the network perimeter where feasible.