Thousands of ASUS routers have been hijacked, but I wouldn't be alarmed yet



Your ASUS Wi-Fi router may have been hacked, according to a new blog post from the cybersecurity company GreyNoise.

As of May 27, more than 9,000 ASUS routers have been confirmed as compromised in what the company describes as a “continuous exploitation campaign.”

GreyNoise has tracked the attack since March 17. In the following months, it saw only 30 requests related to the attack, which indicates how quietly the campaign is running. The attackers have maintained access to the affected routers even after reboots and firmware updates, which “gave them solid control over the affected devices,” the blog post says.

Although this sounds very scary, you may not need to replace your router just yet. Your personal data is not the target of attacks like this. Instead, the attacker uses the affected devices as pawns in a larger game.

“An at-risk Internet of Things device, such as a smart camera or a router, has enough computing power that you can use networks of tens of thousands of them to carry out a denial-of-service attack,” said Yuvraj Agarwal, a professor of computer science at Carnegie Mellon.

Compare this with the infamous Mirai botnet attack of 2016, which took down websites such as Twitter, Netflix, Reddit and Pinterest.

“They’re not trying to compromise your laptop or your iPhone, right? That’s not what they’re doing,” Agarwal added. “Users would have to ignore several different safeguards for them to be subject to someone stealing their credentials.”

GreyNoise did not say exactly where it believes the attack came from, but it noted that “the level of tradecraft points to a very well-resourced and capable adversary.”

The Cybersecurity and Infrastructure Security Agency (CISA) has named China, Russia, North Korea and Iran as potential actors in similar attacks in the past. Few Wi-Fi routers have been immune to such breaches. CISA maintains a list of Known Exploited Vulnerabilities (KEV) that have been observed in the wild, and nearly every manufacturer appears somewhere on it.

“We find things in everything,” said Thomas Pace, CEO of a cybersecurity company and a former security contractor for the Department of Energy, in a previous interview.

“The problem with the CISA KEV (list) is, if everything is on the list, what is the quality of that list?” Pace added. “Basically, every connected device on this planet has at least one vulnerability on the CISA KEV.”

Although it first noticed the attack in March, GreyNoise said that it waited until now to publish its findings so that it could coordinate with government and industry partners.

An ASUS representative declined to comment to CNET on this story and referred me to the company's product security advisory page for the latest updates.

What to do if you have an ASUS router

In most attacks, the router manufacturer can issue a firmware update that fixes the vulnerability. But in this case, the attackers exploited a security flaw that allowed them to keep backdoor access even after reboots and firmware updates.

“Because this key is added using the official ASUS features, this configuration change is persisted across firmware upgrades,” GreyNoise noted in another post. “If you have been exploited previously, upgrading your firmware will not remove the SSH backdoor.”

The steps you will need to take to see whether your router has been compromised, and possibly to fix it, are somewhat technical, so bear with me here.

  1. Log in to your router. You can do this through the ASUS app or by going to http://www.asusrouter.com.
  2. Look for the “SSH” option within the service or administration settings.
  3. If your router has been compromised in this campaign, these settings will show that someone can log in using SSH over port 53282 with the following truncated SSH public key: SSH-Sta AAAB3nzac1YC2EAAAAAAAAAAAO41NBOVFFJ4HLVMVMV+YPSXXMDDDZDZ …

If your router is not infected, your next step should be to update the firmware immediately. ASUS fixed the flaw in its latest update, which should take care of it.

If your router has been compromised, the backdoor will remain even if you update the firmware. In this case, you will need to follow these steps to prevent unauthorized access:

  1. Disable SSH in the service or administration settings.
  2. Block the four IP addresses: 101.99.91.151, 101.99.94.173, 79.141.163.179, and 111.90.146.237.
  3. Restore the router to factory settings.
  4. Update to the latest firmware.
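
The check and the block list above can also be scripted. The following Python sketch is an added example, not code from CNET, GreyNoise or ASUS: it probes a router for an SSH listener on port 53282 and scans log lines for the four addresses. The router address `192.168.1.1` and the log format are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
import socket

# Indicators quoted in the article above.
BACKDOOR_PORT = 53282
CAMPAIGN_IPS = {ipaddress.ip_address(a) for a in (
    "101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237")}

# Dotted quad that is not embedded in a longer number or address.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")

def ssh_listening(host, port=BACKDOOR_PORT, timeout=3.0):
    """Return the SSH banner if host:port answers as an SSH server, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            banner = sock.recv(64).decode("ascii", "replace").strip()
    except OSError:  # refused, unreachable or timed out
        return None
    return banner if banner.startswith("SSH-") else None

def campaign_hits(log_lines):
    """Yield (line_number, ip) for each log line naming a campaign address."""
    for number, line in enumerate(log_lines, 1):
        for token in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:  # not a valid address, e.g. 999.1.1.1
                continue
            if ip in CAMPAIGN_IPS:
                yield number, str(ip)

# Constructed sample log (format is an assumption, not real ASUS output).
SAMPLE_LOG = [
    "May 27 10:01:02 kernel: ACCEPT IN=br0 SRC=192.168.1.23 DST=8.8.8.8 DPT=53",
    "May 27 10:04:11 dropbear[812]: Pubkey auth succeeded from 79.141.163.179:40112",
    "May 27 10:05:40 kernel: DROP IN=eth0 SRC=101.99.91.15 DST=192.168.1.1 DPT=53282",
    "May 27 10:09:03 kernel: ACCEPT IN=eth0 SRC=111.90.146.237 DST=192.168.1.1 DPT=53282",
]

if __name__ == "__main__":
    router = "192.168.1.1"  # assumption: replace with your router's LAN address
    banner = ssh_listening(router)
    print(f"{router}:{BACKDOOR_PORT} ->", banner or "no SSH listener")
    for number, ip in campaign_hits(SAMPLE_LOG):
        print(f"log line {number}: traffic involving {ip}")
```

A banner on port 53282 is a reason to open the SSH settings page and compare the configured key as described in step 3; an empty result from inside the LAN does not by itself rule out a listener bound only to the WAN side.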




