Thousands of Asus Routers Compromised in Massive Cyberattack, Suspected State Hackers Behind It
Thousands of Asus routers have been compromised in a massive cyberattack. The hackers have reportedly installed an invisible and permanent backdoor. Here are the details of the situation.
Nearly 10,000 Asus routers were affected by a large-scale cyberattack. The attack was discovered by cybersecurity companies GreyNoise and Sekoia.io. It seems that the attack was a brute force attack carried out by state-backed hackers. The goal? To create a network of routers that can be remotely controlled and turned into honeypots – traps for other hackers.
The Hackers’ Invisible Backdoor
This is a very concerning attack because the backdoor installed is both invisible and permanent. The hackers use techniques that bypass the router’s normal authentication process. Through this vulnerability, they can install an SSH key and save the router’s settings in the NVRAM, making the change permanent.
In addition to Asus, other devices such as Linksys, QNAP, Araknis Networks, and D-Link were also affected. The primary target of these attacks seems to be in Asia, with the goal of turning the routers into honeypots for other hackers.
How to Check If Your Router Has Been Compromised
If you think your router might have been compromised, here’s how to check: open the control panel of your router. If you see an SSH key starting with “_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ…” then it’s likely the key installed by the hackers. If this is the case, you should remove it manually to close the vulnerability.
This type of threat is difficult to detect because no visible malware or obvious traces are left behind. Asus recommends updating your router’s firmware to the latest version. GreyNoise also suggests blocking these potentially harmful IPs on your firewall:
- 101.99.91.151
- 101.99.94.173
- 79.141.163.179
- 111.90.146.237
