Backdoor giving full administrative control can survive reboots and firmware updates.

cross-posted from: https://rss.ponder.cat/post/193175

Thousands of home and small office routers manufactured by Asus are being infected with a stealthy backdoor that can survive reboots and firmware updates in an attack by a nation-state or another well-resourced threat actor, researchers said.

The unknown attackers gain access to the devices by exploiting now-patched vulnerabilities, some of which have never been tracked through the internationally recognized CVE system. After gaining unauthorized administrative control of the devices, the threat actor installs a public encryption key for access to the device through SSH. From then on, anyone with the private key can automatically log in to the device with administrative system rights.

Durable control

“‍The attacker’s access survives both reboots and firmware updates, giving them durable control over affected devices,” researchers from security firm GreyNoise reported Wednesday. “The attacker maintains long-term access without dropping malware or leaving obvious traces by chaining authentication bypasses, exploiting a known vulnerability, and abusing legitimate configuration features.”

Read full article

Comments

From Ars Technica - All content via this RSS feed

  • who@feddit.orgEnglish
    2·
    9 days ago

    At least one of the named routers (RT-AC3100) is supported by OpenWRT, which generally has a better security track record than stock firmware.

  • LastYearsIrritant@sopuli.xyzEnglish
    2·
    10 days ago

    Kinda tricky to tell what exactly I’m supposed to check.

    I run an ASUS RT-AX86S

    To check if the settings have been compromised:
    Log into the router under http://192.168.1.1/
    Advanced Settings/Administration
    System tab
    Service section
    Enable SSH should be set to OFF

  • MangoPenguin@lemmy.blahaj.zoneEnglish
    0·
    10 days ago

    Oh wow, the router allows Admin and SSH on the WAN port? That seems like a massive problem to start with.

    WAN should allow nothing except established.

    • LastYearsIrritant@sopuli.xyzEnglish
      1·
      10 days ago

      It’s off by default, but it allows you to turn it on in the advanced settings. Seems like a good compromise, especially since it lets you whitelist clients.

      If you were using the router as a secondary network, like for IoT or homelab, it would kind of make sense to allow SSH or other logins from WAN, as long as the WAN was also your network and not the open internet.

  • zapzap@lemmings.worldEnglish
    01·
    9 days ago

    Those “backdoors” are called RJ-45 jacks. That’s where the bits get in and out.