TZUTC: -0500
MSGID: 1162.consprcy@1:2320/105 2c9efad7
PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0
TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
Thousands of Asus routers hacked to create a major botnet planting damaging
malware

Date:
Thu, 29 May 2025 13:27:00 +0000

Description:
Hackers are brute-forcing older Asus routers and establishing persistent
access.

FULL STORY

Thousands of ASUS routers were compromised and turned into a malicious botnet
after hackers uncovered a troubling security vulnerability, experts have
warned. 

This appears to be part of a stealth operation to assemble a distributed
network of backdoor devices  potentially laying the groundwork for a future
botnet, noted cybersecurity researchers GreyNoise, who first spotted the
attacks in mid-March 2025. 

Using Sift (GreyNoises network payload analysis tool) and a fully emulated
ASUS router profile running in the GreyNoise Global Observation Grid, the
researchers determined that the threat actors were first breaching routers
with brute force and authentication bypassing.

Advanced operations 

These poorly configured routers were easy pickings for the attackers, who 
then proceeded to exploit a command injection flaw to run system commands. 

This flaw is tracked as CVE-2023-39780 and carries a severity score of 8.8/10
(high). 

The vulnerability was first published in the National Vulnerability Database
(NVD) on September 11, 2023, and since then ASUS released firmware updates to
address it. 

The tactics used in this campaign  stealthy initial access, use of built-in
system features for persistence, and careful avoidance of detection  are
consistent with those seen in advanced, long-term operations, including
activity associated with advanced persistent threat (APT) actors and
operational relay box (ORB) networks, GreyNoise further explains. 

While GreyNoise has made no attribution, the level of tradecraft suggests a
well-resourced and highly capable adversary. 

The attackers use the ability to run system commands, to install a backdoor
thats stored in non-volatile memory (NVRAM). 

This means the access they establish survives both reboots and firmware
updates. The attackers can maintain long-term access without dropping
stage-two malware , or leaving other obvious traces. 

We dont know exactly how many devices are compromised, other than that there
are thousands, with the number steadily increasing.

======================================================================
Link to news story:
https://www.techradar.com/pro/security/thousands-of-asus-routers-hacked-to-cre
ate-a-major-botnet-planting-damaging-malware

$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 114 206 300 307 317 400 426 428
SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200
SEEN-BY: 396/45 460/58 712/848 902/26 2320/0 105 3634/12 5075/35
PATH: 2320/105 229/426