ASUS Routers Hacked: Over 9,000 Devices Compromised Worldwide

A campaign tracked as “AyySSHush” has compromised more than 9,000 ASUS routers worldwide. The attackers first gain access to a router through a combination of credential brute-forcing and authentication bypass flaws, then exploit a vulnerability (CVE-2023-39780) to execute arbitrary commands on the device.

The persistence mechanism is what makes the campaign hard to evict. Using the command execution, the attackers enable the router’s built-in SSH daemon on a custom port and insert a public key they control into the authorized_keys file. Because that configuration is written to the router’s non-volatile memory rather than to the firmware image, the backdoor survives both reboots and firmware updates. To limit visibility, the attackers disable system logging and Trend Micro’s AiProtection feature, and they install no separate malware binary, so there is no file for a scanner to flag.

The affected ASUS router models include the RT-AC3100, RT-AC3200 and RT-AX55, most of them deployed in home and small-business networks. The campaign is global but very low-volume: only 30 malicious requests attributable to it were detected in the past three months, which is a large part of why it went unnoticed.

To mitigate the risk, users should check whether SSH is enabled on the custom port, review the authorized_keys file for keys they did not add, and block the campaign’s IP addresses at the firewall. If a router has already been compromised, a full factory reset and manual reconfiguration is necessary. ASUS has released a firmware update that fixes the vulnerability, but because the backdoor lives in non-volatile memory, updating the firmware does not remove an SSH key that is already installed.

How the attack works

Initial access comes from credential brute-forcing combined with authentication bypass flaws in the router’s login. Once in, the attackers exploit CVE-2023-39780 to execute arbitrary commands, and use that to turn on sshd on a custom port and store their own public key. Because this state is stored in the router’s non-volatile memory, which neither a reboot nor a firmware flash rewrites, the backdoor persists across both.

Affected models and scope

The named models (RT-AC3100, RT-AC3200 and RT-AX55) are consumer and small-office devices, so most compromised routers sit in home and small-business networks. The campaign is global but stealthy: only 30 malicious requests tied to it were detected over three months, one reason it stayed under the radar for so long.

Mitigation measures

To stay safe, users should:

  • Check whether SSH is enabled and listening on the custom port TCP/53282.
  • Review the authorized_keys file for any SSH key you did not add yourself.
  • Block the campaign’s IP addresses at the firewall:
    • 101.99.91.151
    • 101.99.94.173
    • 79.141.163.179
    • 111.90.146.237
  • If the router has already been compromised, perform a full factory reset and reconfigure it by hand; a firmware update alone leaves the planted SSH key in place.

ASUS has released a firmware update that fixes CVE-2023-39780. It prevents new infections but does not remove an existing backdoor, so the checks above are still needed after updating.
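The three checks above, as an added example that is not code from the article, from GreyNoise or from ASUS. It runs offline against constructed sample data; on a real ASUSWRT router the first input would be the output of `nvram show` and the second the contents of the router’s authorized_keys file. The NVRAM variable names sshd_enable and sshd_port are an assumption about ASUSWRT and should be checked against your own firmware, and the key material in the samples is placeholder text, not a real attacker key.

```shell
#!/bin/sh
# Added example (not from the article, GreyNoise or ASUS): triage helpers
# for the AyySSHush indicators, exercised against constructed sample data.

CAMPAIGN_PORT=53282

# Constructed sample of an `nvram show` fragment from a compromised router.
# The variable names sshd_enable/sshd_port are an assumption about ASUSWRT.
SAMPLE_NVRAM='lan_ipaddr=192.168.50.1
sshd_enable=1
sshd_port=53282
http_enable=0'

# Constructed sample authorized_keys content: one key the owner installed,
# one planted key. Key material is placeholder text, not a real key.
SAMPLE_KEYS='ssh-ed25519 AAAAC3owner-constructed-key owner@laptop
# comment lines are ignored
ssh-rsa AAAAB3planted-constructed-key attacker@unknown'

# Allow-list of keys the owner knows about: "type material" only, because
# the comment field is not part of the key.
ALLOWED_KEYS='ssh-ed25519 AAAAC3owner-constructed-key'

# True when the NVRAM dump says sshd is enabled and bound to the campaign port.
ssh_on_campaign_port() {
    enabled=$(printf '%s\n' "$1" | sed -n 's/^sshd_enable=//p')
    port=$(printf '%s\n' "$1" | sed -n 's/^sshd_port=//p')
    [ -n "$enabled" ] && [ "$enabled" != "0" ] && [ "$port" = "$CAMPAIGN_PORT" ]
}

# Print every authorized_keys entry whose "type material" pair is not on the
# allow-list. Comment and blank lines are skipped; anything printed is a key
# the owner did not install.
unknown_keys() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[[:space:]]*#/ || NF < 2 { next }
        !(($1 " " $2) in ok) { print }
    '
}

# Emit (do not run) the iptables commands that drop traffic from the
# published campaign addresses, both to the router itself and forwarded.
block_rules() {
    for ip in "$@"; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
        printf 'iptables -I FORWARD -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone run against the constructed samples.
if ssh_on_campaign_port "$SAMPLE_NVRAM"; then
    echo "ALERT: sshd enabled on TCP/$CAMPAIGN_PORT"
fi
unknown_keys "$SAMPLE_KEYS" "$ALLOWED_KEYS" | sed 's/^/ALERT: unexpected key: /'
block_rules 101.99.91.151 101.99.94.173 79.141.163.179 111.90.146.237
```

The key comparison deliberately ignores the comment field so that a planted key cannot hide behind a familiar-looking `owner@laptop` label; only the key type and the base64 material are matched. The firewall rules are printed rather than applied so they can be reviewed first, and on a router they would also need to be re-applied after a reboot, which on a compromised device is one more reason to prefer the factory reset.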
