Over 9,000 Routers Hijacked: ASUS Users Caught in Ongoing Cyber Operation


Thousands of ASUS routers have been hacked in an ongoing cyberattack that experts warn may be laying the foundation for a large-scale botnet.

Discovered in March but disclosed publicly on Wednesday, the campaign has already compromised over 9,000 internet-exposed ASUS routers, and the number continues to grow. Security firm GreyNoise, which uncovered the breach, described the attack as stealthy, persistent, and executed with high-level precision.

How the hack was discovered

GreyNoise first spotted signs of unusual behavior on March 17, when its AI-powered analysis tool Sift flagged three suspicious HTTP POST requests aimed at ASUS router endpoints. A day later, the researchers began a more in-depth investigation.

Using emulated ASUS router profiles and global traffic monitoring, GreyNoise was able to fully reconstruct the attack sequence. According to the company, these attacks “would likely have remained invisible” without such infrastructure, as the attackers disabled logs and avoided using malware.


How the attack works

The hackers exploited a known security flaw, CVE-2023-39780 — a command injection vulnerability — to run system commands on the routers. They also used two additional authentication bypass techniques that haven’t been assigned official CVE numbers yet.

Once inside the router, attackers:

  • Enabled SSH access on a non-standard port (TCP/53282).
  • Inserted their own SSH public key for remote access.
  • Stored the backdoor in NVRAM, non-volatile memory that survives both reboots and firmware updates.
  • Disabled router logging, leaving almost no digital footprint.

“This appears to be part of a stealth operation to assemble a distributed network of backdoor devices — potentially laying the groundwork for a future botnet,” GreyNoise wrote in their blog post.

Scope of the breach

As of May 27, scanning data from the internet mapping platform Censys confirmed that at least 9,000 ASUS routers had been affected. The campaign has largely gone unnoticed in global traffic, with only 30 related requests recorded over three months by GreyNoise sensors.

The routers at risk are primarily those that are exposed directly to the internet, often found in homes and small offices. Once compromised, attackers maintain control regardless of whether the device is rebooted or updated with new firmware.

Possible motives and threat actors

Although GreyNoise has not made any official attribution, the company noted that the tactics used mirror those of advanced persistent threat (APT) groups. 

“The tactics used in this campaign — stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection — are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks,” GreyNoise noted.

Meanwhile, Sekoia, a cybersecurity firm, linked the ASUS router breach to a threat actor they call ViciousTrap, who they say previously exploited vulnerabilities in Cisco Small Business routers as well. According to Sekoia, ViciousTrap is actively monitoring a range of internet-connected devices, including routers, DVRs, and management controllers.

What ASUS router owners should do

If you use an ASUS router, here’s what GreyNoise recommends:

  • Log in to your router and check whether SSH access is enabled, particularly on port 53282.
  • Look for an unfamiliar SSH public key starting with: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ…
  • If SSH is enabled and unfamiliar keys are present, disable SSH access immediately.
  • Update your router’s firmware; ASUS has already released a fix for CVE-2023-39780.
  • Factory reset your router and manually reconfigure it to remove lingering backdoor traces.
  • Block the following IPs, which were associated with the attackers:
    • 101.99.91.151
    • 101.99.94.173
    • 79.141.163.179
    • 111.90.146.237
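As an added, defender-side example (not GreyNoise’s or ASUS’s tooling), the script below applies those checks to a saved `nvram show` dump: it flags SSH being enabled, the reported port, and any authorized key that matches the published key prefix or is not on the owner’s own list. It assumes the Asuswrt NVRAM variable names sshd_enable, sshd_port and sshd_authkeys, and runs against a constructed sample dump rather than a real capture.

```python
import re
# Indicators from the article: the backdoor SSH port and the start of the
# planted public key (the article prints only this prefix).
BACKDOOR_PORT = "53282"
BACKDOOR_KEY_PREFIX = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ"
# Assumed Asuswrt NVRAM names: sshd_enable (0 off, 1 LAN+WAN, 2 LAN only),
# sshd_port, sshd_authkeys (one key per line); confirm on your firmware.
_KV = re.compile(r"^([A-Za-z0-9_.:-]+)=(.*)$")

def parse_nvram(dump):
    """Parse `nvram show` text; a line without KEY= continues the previous
    value, which is how extra authorized keys show up in the dump."""
    vals, last = {}, None
    for line in dump.splitlines():
        m = _KV.match(line)
        if m:
            last = m.group(1)
            vals[last] = m.group(2)
        elif last is not None and line:
            vals[last] += "\n" + line
    return vals

def find_indicators(vals, trusted_keys=frozenset()):
    """Return findings as strings; an empty list means nothing suspicious."""
    findings = []
    enabled = vals.get("sshd_enable", "0")
    if enabled != "0":
        findings.append("SSH enabled (%s)" % ("LAN+WAN" if enabled == "1" else "LAN only"))
    if vals.get("sshd_port") == BACKDOOR_PORT:
        findings.append("SSH on the reported backdoor port TCP/" + BACKDOOR_PORT)
    for key in filter(None, vals.get("sshd_authkeys", "").split("\n")):
        if key.startswith(BACKDOOR_KEY_PREFIX):
            findings.append("authorized key matches the attacker key prefix")
        elif key.strip() not in trusted_keys:
            findings.append("authorized key not in the owner's trusted set: " + key[:30])
    return findings

# Constructed sample dump, not a real capture: the attacker key is the
# article's prefix plus a placeholder tail; the owner's key is made up.
SAMPLE_DUMP = """\
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDEROWNERKEY owner@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ...TRUNCATED
"""
OWNER_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDEROWNERKEY owner@laptop"}

if __name__ == "__main__":
    for f in find_indicators(parse_nvram(SAMPLE_DUMP), OWNER_KEYS):
        print("FINDING:", f)
```

On a real device, capture the dump over the router’s admin shell with `nvram show > dump.txt` and feed that file to `parse_nvram`; a clean router with SSH off returns an empty findings list.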

While no malware was dropped and no ransom was demanded, this campaign may be the precursor to a more serious threat. Since the attack leaves no evident traces, many users may remain unaware that their devices are compromised.

Aminu Abdullahi
