cross-posted from: https://rss.ponder.cat/post/193175
Thousands of home and small office routers manufactured by Asus are being infected with a stealthy backdoor that can survive reboots and firmware updates in an attack by a nation-state or another well-resourced threat actor, researchers said.
The unknown attackers gain access to the devices by exploiting now-patched vulnerabilities, some of which have never been tracked through the internationally recognized CVE system. After gaining unauthorized administrative control of the devices, the threat actor installs a public encryption key for access to the device through SSH. From then on, anyone with the private key can automatically log in to the device with administrative system rights.
Durable control
“The attacker’s access survives both reboots and firmware updates, giving them durable control over affected devices,” researchers from security firm GreyNoise reported Wednesday. “The attacker maintains long-term access without dropping malware or leaving obvious traces by chaining authentication bypasses, exploiting a known vulnerability, and abusing legitimate configuration features.”
From Ars Technica - All content via this RSS feed
Persistent backdoor was my nickname on college
At least one of the named routers (RT-AC3100) is supported by OpenWRT, which generally has a better security track record than stock firmware.
Nobody is going to install this on my TP-Link. The back door is factory.
Kinda tricky to tell what exactly I’m supposed to check.
I run an ASUS RT-AX86S
To check if the settings have been compromised:
Log into the router under http://192.168.1.1/
Advanced Settings/Administration
System tab
Service section
Enable SSH should be set to OFFWouldn’t a factory reset also “fix” it then?
Yes, except if they alter the factory image. In this case a new factory image has to be flashed before factory reset.
I haven’t tried on my ASUS router, yet. But there might be a serial port in one of the RJ45 sockets, as on my old netgear. Plug in your PC there and run the manufacturer’s flash utility.
This trick worked for me when a normal factory reset didn’t help getting back acces to the WebUI.
Took a while to find a list of router models, I doubt this is an exclusive list, but at least bleeping computer has a list at all.
The threat monitoring firm reports that the attacks combine brute-forcing login credentials, bypassing authentication, and exploiting older vulnerabilities to compromise ASUS routers, including the RT-AC3100, RT-AC3200, and RT-AX55 models.
Is the RT-AX58U affected?
