Thousands of Asus routers are being hit with stealthy, persistent backdoors (arstechnica.com)

submitted 1 week ago by schizoidman@lemm.ee to c/privacy@lemmy.ml

14 comments fedilink hide all child comments

cross-posted from: https://rss.ponder.cat/post/193175

Thousands of home and small office routers manufactured by Asus are being infected with a stealthy backdoor that can survive reboots and firmware updates in an attack by a nation-state or another well-resourced threat actor, researchers said.

The unknown attackers gain access to the devices by exploiting now-patched vulnerabilities, some of which have never been tracked through the internationally recognized CVE system. After gaining unauthorized administrative control of the devices, the threat actor installs a public encryption key for access to the device through SSH. From then on, anyone with the private key can automatically log in to the device with administrative system rights.

Durable control

“‍The attacker’s access survives both reboots and firmware updates, giving them durable control over affected devices,” researchers from security firm GreyNoise reported Wednesday. “The attacker maintains long-term access without dropping malware or leaving obvious traces by chaining authentication bypasses, exploiting a known vulnerability, and abusing legitimate configuration features.”

Read full article

Comments

From Ars Technica - All content via this RSS feed

top 14 comments

sorted by: hot top controversial new old

[-] dan69@lemmy.world 4 points 5 days ago

Welp the jokes on me! Haven’t even updated my 10y old router since 3 moves ago..

[-] CCMan1701A@startrek.website 5 points 6 days ago* (last edited 5 days ago)

I didn't read the article, but how does one know if they have the infection?

My router is updated.

Edit: i see in the article now. Had time to read it today. 👍 I also verified i never has SSH or remote admin enabled. So i should be ok.

[-] hyacin@lemmy.ml 2 points 5 days ago

I skimmed a different article that mentioned it disables the Trend Micro stuff - which is the whole reason I buy Asus routers (can't tell you how many stupid things children have downloaded or bad phishing/malicious/anna kournakova naked links they've clicked and it has stopped!) so I'm taking the fact that it is still enabled and doing the good things to mean I'm good.

[-] CCMan1701A@startrek.website 2 points 5 days ago* (last edited 5 days ago)

Cool, i don't know if my system has any trend micro stuff. Which features does this enable?

Edit: i see it listed as AI protection. Hmm...

[-] hyacin@lemmy.ml 2 points 4 days ago

Yeah, two way IPS, malicious site blocking, and "infected device prevention and blocking" which stops compromised hosts from talking to C&C servers. I've had the last one show me one of the children's computers/phones was infected and needed to be cleansed with fire, at least twice. All in all incredible protection against "users" and their careless behaviour!

[-] CCMan1701A@startrek.website 2 points 4 days ago

I turned it on and ill see what it reports after a week or so. Thanks for the info. 👍✌️

[-] melroy@kbin.melroy.org 4 points 6 days ago

The real issue with this is actually allowing bad actors having a free ddos network. And this ddos network is spread across nations and across all kind of legit IPs. No cloud ranges. Etc.

Meaning it's very hard to detect or block.

[-] warmaster@lemmy.world 6 points 1 week ago

People still on Windows 10 by next year: I never got a virus.

Bro, you never got a virus that you know of.

[-] bla_bla_bla@feddit.org 6 points 1 week ago

If you have blocked so that access to your router is only through the local network, would it still be possible for hackers to gain access?

(Where the attack vector point STARTS with the router, I am fullt aware you can infect a machine and connect to the router that way)

[-] aspirate2959@sh.itjust.works 1 points 5 days ago

It's safer to assume "yes" and check your router, but the CVE links indicate compromises through the web portal of the device, and there is no way to compromise that from the Internet if your router is behind a NAT without a hole punched for web access.

[-] AtariDump@lemmy.world 1 points 6 days ago

Yes; they’re using exploits to do so.

[-] furrowsofar@beehaw.org 5 points 1 week ago* (last edited 1 week ago)

Wondering same thing. Allowing web interface access via wan has proven to be unwise in general.

Also wondering if DDWRT has the vulnerabilities?

Seems a bit over blown. Looks like firmware update and config reset should close the issue.

[-] melroy@kbin.melroy.org 3 points 6 days ago

Maybe it will survive firmware update. But of course it won't survive flashing it with a new openwrt image.

[-] bountygiver@lemmy.ml 3 points 6 days ago

it seems it's because the modem has hidden SSH settings that is stored together alongside your user settings although it is not accessible from your admin panel. So flashing openWRT would also override those settings anyways (even if it does not, those old settings means nothing to openWRT)

this post was submitted on 29 May 2025

86 points (100.0% liked)

Privacy

38384 readers

159 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS