Thousands of ASUS Routers Compromised in Suspected State-Sponsored Cyberattack

SecurityScorecard’s STRIKE team has worked with ASUS to unveil a massive malware campaign against end-of-life ASUS WRT routers.

Specifically, the attackers targeted ASUS’ AiCloud service, a service that allows you to combine your home network with an “unlimited personal cloud” that you can access from anywhere in the world via a mobile app. Why a router needs any cloud features is up for debate, but these services should be avoided not just for privacy but also for security reasons, especially if your device is outdated or "end-of-life."

End-of-life devices are devices that no longer receive security updates from the manufacturer. This leaves them exposed to n-day vulnerabilities, meaning security issues that have been publicly known for some time, in contrast with 0-days, which are vulnerabilities still unknown to the manufacturer.

These n-days can pile up and leave your device more and more vulnerable over time, and give attackers time to develop exploits that can be mass-deployed against swathes of people.

The campaign relied on multiple OS command injection vulnerabilities (CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, and CVE-2023-41348) to gain high-level privileges on the device.

Once the hackers compromise a device, it becomes part of a global network of infected routers. SecurityScorecard’s STRIKE team identified over 50,000 unique IP addresses belonging to these compromised devices over the last six months.

The team was able to track the campaign thanks to “a shared, self-signed TLS certificate with an unusually long 100-year expiration period,” which served as an indicator of compromise.
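A practical way to apply that indicator to a router you administer is to pull the certificate summary with `openssl x509 -noout -subject -issuer -startdate -enddate` and check for the two traits the researchers describe (self-signed, absurdly long validity). The script below is an added example, not code from SecurityScorecard or ASUS; the 20-year threshold and the sample outputs are assumptions constructed for illustration, and the real campaign certificate's fingerprint, which this page does not give, would be the stronger match.

```python
import ssl
from datetime import timedelta

# Threshold (an assumption for this example): device certificates rarely stay
# valid beyond a couple of decades, while the campaign's certificate was issued
# with a 100-year lifetime.
MAX_SANE_VALIDITY = timedelta(days=365 * 20)

def parse_openssl_summary(text):
    """Parse the 'key=value' lines printed by
    `openssl x509 -noout -subject -issuer -startdate -enddate`."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields

def assess_cert(fields):
    """Return the reasons a certificate resembles the campaign's indicator;
    an empty list means nothing suspicious was seen."""
    reasons = []
    if fields.get("subject") and fields["subject"] == fields.get("issuer"):
        reasons.append("self-signed (issuer equals subject)")
    # ssl.cert_time_to_seconds understands the "Jan  1 00:00:00 2023 GMT" format.
    not_before = ssl.cert_time_to_seconds(fields["notBefore"])
    not_after = ssl.cert_time_to_seconds(fields["notAfter"])
    lifetime = timedelta(seconds=not_after - not_before)
    if lifetime > MAX_SANE_VALIDITY:
        reasons.append(f"validity period of about {lifetime.days // 365} years")
    return reasons

# Constructed sample output (not a real capture) for a self-signed
# certificate with a 100-year lifetime.
SAMPLE_SUSPICIOUS = """\
subject=CN = router
issuer=CN = router
notBefore=Jan  1 00:00:00 2023 GMT
notAfter=Jan  1 00:00:00 2123 GMT
"""
# Constructed sample for an unremarkable, CA-issued short-lived certificate.
SAMPLE_NORMAL = """\
subject=CN = router.home
issuer=CN = Example Home CA
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Jan  1 00:00:00 2026 GMT
"""

if __name__ == "__main__":
    for label, text in (("suspicious", SAMPLE_SUSPICIOUS), ("normal", SAMPLE_NORMAL)):
        print(f"{label}: {assess_cert(parse_openssl_summary(text)) or 'no findings'}")
```

To feed it real data from your own device, pipe `openssl s_client -connect <router-ip>:<port>` into the `openssl x509` command above and pass the resulting text to `parse_openssl_summary`.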

If you’re an owner of an ASUS router, update immediately, or if it’s end-of-life, purchase a new one or install custom firmware to stay secure.
