- GreyNoise finds new hacking campaign targeting Asus hardware
- The threat actors are exploiting poorly secured routers to gain initial access
- They abuse known flaws to establish persistent access and create a botnet
UPDATE: Asus has issued a statement noting the flaws can be fixed, advising users to update their firmware and create a strong password.
“Devices that have been updated with the latest firmware and secured with a strong administrator password can prevent future exploitation of this vulnerability and block similar attack methods,” the company said.
“Users are recommended to use a password at least 10 characters long, and include uppercase and lowercase letters, numbers, and symbols. In addition, ASUS recommends keeping device firmware up to date to ensure ongoing protection.”
Thousands of Asus routers were compromised and turned into a malicious botnet after hackers uncovered a troubling security vulnerability, experts have warned.
“This appears to be part of a stealth operation to assemble a distributed network of backdoor devices — potentially laying the groundwork for a future botnet,” noted cybersecurity researchers GreyNoise, who first spotted the attacks in mid-March 2025.
Using Sift (GreyNoise’s network payload analysis tool) and a fully emulated ASUS router profile running in the GreyNoise Global Observation Grid, the researchers determined that the threat actors were first breaching routers with brute force and authentication bypassing.
Advanced operations
These poorly configured routers were easy pickings for the attackers, who then proceeded to exploit a command injection flaw to run system commands.
This flaw is tracked as CVE-2023-39780 and carries a severity score of 8.8/10 (high).
The vulnerability was first published in the National Vulnerability Database (NVD) on September 11, 2023, and since then ASUS released firmware updates to address it.
“The tactics used in this campaign — stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection — are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks,” GreyNoise further explains.
“While GreyNoise has made no attribution, the level of tradecraft suggests a well-resourced and highly capable adversary.”
The attackers use the ability to run system commands, to install a backdoor that’s stored in non-volatile memory (NVRAM).
This means the access they establish survives both reboots and firmware updates. The attackers can maintain long-term access without dropping stage-two malware, or leaving other obvious traces.
We don’t know exactly how many devices are compromised, other than that there are “thousands”, with the number “steadily increasing”.
You might also like
link