ASUS Router Backdoor Threat: 9,000 Devices Compromised, Persistent Despite Firmware Updates

A significant cybersecurity threat has emerged with thousands of ASUS routers being compromised through malware-free backdoors. Threat actors, suspected to be highly sophisticated, have exploited security vulnerabilities and legitimate router features to establish persistent access that survives firmware updates and reboots, which makes the backdoor difficult to remove. The attacks were first detected by GreyNoise's AI-powered Sift tool in mid-March and were disclosed after coordination with government officials and industry partners.

Sekoia.io also reported the compromise of thousands of ASUS routers in its investigation of a broader campaign, dubbed ViciousTrap, in which edge devices from other brands were also compromised to build a honeypot network. The ASUS routers, however, were not used for the honeypots; on those devices the threat actors gained SSH access on the same port, TCP/53282, that GreyNoise identified in its report. The backdoor campaign affects multiple ASUS router models, including the RT-AC3200, RT-AC3100, GT-AC2900, and Lyra Mini.

GreyNoise advises users to perform a full factory reset and manually reconfigure any potentially compromised device; because the access persists across firmware updates and reboots, neither of those alone removes it. To check for compromise, users should look for an SSH service listening on TCP port 53282 and inspect the router's authorized_keys file for entries they did not add themselves.
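The two checks above, as an added example that is not GreyNoise's or Sekoia.io's tooling and not part of the original article: `probe_port()` connects to the router and reports whether TCP/53282 is closed, open, or answering with an SSH banner, and `audit_authorized_keys()` parses authorized_keys content, computes the OpenSSH-style `SHA256:` fingerprint of every key, and flags any key that is not on an explicit allowlist of fingerprints you trust (it also flags lines whose declared key type does not match the key blob, since an attacker-added line may not look tidy). The sample authorized_keys content and the ed25519 key blobs in it are constructed for the demo; the file's location on a given ASUS model is not stated in the article, so copy it off the router by whatever means you normally use and pass its text in.

```python
"""Triage helpers for the ASUS SSH-backdoor indicators: TCP/53282 listener
and unexpected authorized_keys entries. Added example, not vendor tooling."""
import base64
import binascii
import hashlib
import re
import socket
import struct
import sys

BACKDOOR_PORT = 53282  # SSH listener port reported by GreyNoise and Sekoia.io

# authorized_keys line: [options] key-type base64-blob [comment]
_KEY_LINE = re.compile(
    r"^(?:(?P<options>\S.*?)\s+)?"
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w@.-]+)\s+"
    r"(?P<key>[A-Za-z0-9+/]+={0,2})"
    r"(?:\s+(?P<comment>.*))?$"
)


def probe_port(host, port=BACKDOOR_PORT, timeout=3.0):
    """Return 'closed', 'open' (accepts TCP, no SSH banner) or 'ssh'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(255)  # SSH servers send "SSH-2.0-..." first
            except socket.timeout:
                return "open"
            return "ssh" if banner.startswith(b"SSH-") else "open"
    except OSError:  # refused, unreachable, timed out
        return "closed"


def fingerprint(key_b64):
    """OpenSSH 'SHA256:' fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_type(key_b64):
    """Key type embedded in the blob (first length-prefixed string)."""
    raw = base64.b64decode(key_b64)
    if len(raw) < 4:
        return ""
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode(errors="replace")


def parse_authorized_keys(text):
    """Yield one dict per non-comment line; unparseable lines get a 'problem'."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry = {"line": lineno, "raw": line, "options": None, "type": None,
                 "fingerprint": None, "comment": None, "problem": None}
        m = _KEY_LINE.match(line)
        if not m:
            entry["problem"] = "unparseable line"
            yield entry
            continue
        entry.update(options=m["options"], type=m["type"], comment=m["comment"])
        try:
            entry["fingerprint"] = fingerprint(m["key"])
            if blob_type(m["key"]) != m["type"]:
                entry["problem"] = "key blob type mismatch"
        except (binascii.Error, ValueError):
            entry["problem"] = "undecodable key"
        yield entry


def audit_authorized_keys(text, allowed_fingerprints):
    """Return every entry that is malformed or not on the fingerprint allowlist."""
    findings = []
    for entry in parse_authorized_keys(text):
        if entry["problem"] is None and entry["fingerprint"] not in allowed_fingerprints:
            entry["problem"] = "fingerprint not on allowlist"
        if entry["problem"] is not None:
            findings.append(entry)
    return findings


def _fake_ed25519(seed):
    """Constructed demo key: structurally valid ssh-ed25519 blob, not a real pair."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(blob).decode()


ADMIN_KEY = _fake_ed25519(1)  # the key the owner actually installed (constructed)
ROGUE_KEY = _fake_ed25519(2)  # an entry the owner never added (constructed)
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not taken from a real device
ssh-ed25519 {ADMIN_KEY} admin@laptop
no-pty,command="/bin/sh" ssh-ed25519 {ROGUE_KEY}
ssh-rsa {ADMIN_KEY} mislabelled
"""

if __name__ == "__main__":
    # usage: python triage.py [router-ip]  (the authorized_keys text is the sample here)
    if len(sys.argv) > 1:
        print(f"{sys.argv[1]}:{BACKDOOR_PORT} -> {probe_port(sys.argv[1])}")
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, {fingerprint(ADMIN_KEY)}):
        print(f"line {f['line']}: {f['problem']}: {f['raw'][:60]}")
```

A `closed` result on 53282 does not prove the device is clean, and an `ssh` result is only suspicious if you did not enable SSH on that port yourself; the authorized_keys audit is the stronger signal, which is why it works from an allowlist of fingerprints you computed from your own keys rather than from a denylist of known-bad ones.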