tomshardware[.]com/tech-industry/cyber-security/asus-responds-to-concerns-over-9-000-routers-compromised-by-botnet-firmware-updates-and-factory-reset-can-purge-routers-of-persistent-backdoor
Asus has issued multiple statements regarding a highly publicized botnet attack that has infected over 9,000 routers to date. Per our previous reporting, the "AyySSHush" botnet has infected its hosts through a mix of brute-force attacks and authentication bypasses, and stores its backdoor in non-volatile memory, so that it persists across firmware updates and reboots.
In an official statement regarding the incident, Asus told Tom's Hardware that the vulnerabilities can be avoided by those not yet infected, and remediated on routers that have already been compromised. The attackers exploit a known command injection flaw, CVE-2023-39780, to enable SSH access on a custom port (TCP/53282) and insert an attacker-controlled public key for remote access.
Asus has patched the flaw in its latest firmware update and advises all users of its routers to install it. After updating, Asus advises a factory reset, followed by setting a strong administrator password. For users whose routers have reached end-of-life support, or who are tech-savvy enough to open up their router settings and wish to avoid a factory reset, Asus recommends "disabling all remote access features such as SSH, DDNS, AiCloud, or Web Access from WAN, and confirming that the SSH (especially TCP port 53282) is not exposed to the Internet."
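The last recommendation, confirming that TCP/53282 is not reachable from the Internet, can be checked from outside your own network with a small probe. The script below is an added example, not code from the article or from Asus; it assumes you run it from a host outside the router's LAN against your own public (WAN) address, and it only reports the state of the one port the article names.

```python
"""Check whether your own router answers on the SSH port named in the article.

Added example (not from Tom's Hardware or Asus). Run from outside your LAN
against your public WAN address, e.g.:  python3 check_53282.py 203.0.113.10
(the address is a documentation placeholder; use your own)."""
import socket
import sys

BACKDOOR_PORT = 53282      # custom SSH port cited in the article
DEFAULT_TIMEOUT = 3.0      # seconds to wait for connect / banner


def parse_ssh_banner(data: bytes):
    """Return the SSH identification string if the bytes look like an SSH
    server greeting ("SSH-<proto>-<software>", RFC 4253), otherwise None."""
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if first_line.startswith(b"SSH-"):
        return first_line.decode("ascii", errors="replace")
    return None


def probe_port(host: str, port: int = BACKDOOR_PORT,
               timeout: float = DEFAULT_TIMEOUT) -> dict:
    """Connect to host:port and classify it as closed, filtered, unresolved
    or open; for an open port, record any SSH banner the service sends."""
    result = {"host": host, "port": port, "state": "closed", "banner": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["state"] = "open"
            s.settimeout(timeout)
            try:
                result["banner"] = parse_ssh_banner(s.recv(256))
            except OSError:          # open but silent or reset: still "open"
                pass
    except ConnectionRefusedError:
        result["state"] = "closed"   # router actively refused: nothing listening
    except socket.gaierror:
        result["state"] = "unresolved"
    except OSError:                  # timeout / no route: dropped by a firewall
        result["state"] = "filtered"
    return result


def assess(result: dict) -> str:
    """Turn a probe result into the defender's conclusion."""
    port = result["port"]
    if result["state"] == "open" and result["banner"]:
        return (f"EXPOSED: SSH ({result['banner']}) reachable on TCP/{port}; "
                "update firmware, factory reset, set a strong admin password.")
    if result["state"] == "open":
        return f"OPEN: TCP/{port} accepts connections but sent no SSH banner; investigate."
    return f"OK: TCP/{port} is {result['state']} from this vantage point."


if __name__ == "__main__":
    print(assess(probe_port(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")))
```

A "filtered" result only means this vantage point cannot reach the port; repeat the check from a host that is genuinely outside your network rather than from the LAN side.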