Greynoise said it discovered the activity in mid-March and reported it after the company notified the unnamed government agencies. This detail further suggests that the threat actors may have some connection with a nation-state.
The company's researchers went on to say the activity they observed was part of a larger campaign reported by security firm Sekoia last week. Researchers at Sekoia say that internet scans by cyber intelligence company Censys suggest that up to 9,500 ASUS routers may have been compromised by the threat actor, which Sekoia tracks under a name it assigned to the otherwise unknown group.
Attackers are backdooring the devices by exploiting multiple vulnerabilities. One of them is CVE-2023-39780, a command injection flaw that allows execution of system commands, which was patched in a recent firmware update, Greynoise said. The remaining vulnerabilities have also been patched, but for unknown reasons they have not received CVE tracking designations.
The only way for router users to determine if their device is infected is to check the SSH settings in the configuration panel. An infected router will show that the device allows SSH login on port 53282 using a public key whose truncated form is:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ...
To remove the backdoor, affected users should delete the key and the port setting.
Users can also check whether the system log shows access from IP addresses 101.99.91[.]151, 101.99.94[.]173, 79.141.163[.]179, or 111.90.146[.]237. Users of any router brand should always ensure that their devices are patched promptly.
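The two checks described above (an SSH listener on port 53282 with the quoted public key, and log entries from the listed IP addresses) can be scripted against an exported settings dump and a copy of the system log. The following is an added example written for this article; it is not code from GreyNoise, Sekoia or ASUS. The indicators (port, truncated key, IP addresses) are taken from the report, while the `key=value` settings format, the variable names `sshd_port` and `sshd_authkeys`, and the dropbear-style log lines are assumptions constructed for the example and may not match a real firmware export.

```python
import re

# Indicators quoted in the report above (the key is the truncated form the report gives)
BACKDOOR_SSH_PORT = 53282
BACKDOOR_KEY_PREFIX = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ"
IOC_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}

# Constructed sample of a settings export as "key=value" lines.
# The variable names are assumed for this example, not taken from real firmware.
SAMPLE_SETTINGS = """\
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ...TRUNCATED... attacker@host
wan_ipaddr=203.0.113.7
"""

# Constructed sample system log in a dropbear-like format (assumed, not a real capture).
SAMPLE_LOG = """\
May 29 10:01:12 dropbear[1234]: Child connection from 192.168.50.20:51234
May 29 10:02:40 dropbear[1240]: Child connection from 101.99.94.173:40211
May 29 10:02:41 dropbear[1240]: Pubkey auth succeeded for 'admin' from 101.99.94.173:40211
May 29 10:05:03 dropbear[1250]: Child connection from 192.168.50.21:51300
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_settings(text):
    """Parse 'key=value' lines into a dict; lines without '=' are ignored."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def check_ssh_settings(text):
    """Return a list of human-readable findings for the SSH indicators from the report."""
    settings = parse_settings(text)
    findings = []
    if settings.get("sshd_port") == str(BACKDOOR_SSH_PORT):
        findings.append(f"SSH listener configured on port {BACKDOOR_SSH_PORT}")
    # The report only gives a truncated key, so match on the known prefix.
    if BACKDOOR_KEY_PREFIX in settings.get("sshd_authkeys", ""):
        findings.append("authorized SSH key matches the reported backdoor key prefix")
    return findings


def find_ioc_ips(log_text):
    """Return (line_number, ip, line) for every log line carrying a reported IP address."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((number, ip, line))
    return hits


if __name__ == "__main__":
    for finding in check_ssh_settings(SAMPLE_SETTINGS):
        print("SETTINGS:", finding)
    for number, ip, line in find_ioc_ips(SAMPLE_LOG):
        print(f"LOG line {number}: {ip}: {line}")
```

Both checks are deliberately conservative: the key comparison uses only the prefix the report publishes, and the log scan matches exact addresses rather than ranges, so a clean device produces no findings and a hit on either check is worth investigating rather than treating as an automatic verdict.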