{"id":4271,"date":"2025-05-29T10:03:46","date_gmt":"2025-05-29T10:03:46","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/05\/29\/new-botnet-hijacks-9000-asus-routers-enables-ssh-access-by-injecting-public-key\/"},"modified":"2025-05-29T10:03:46","modified_gmt":"2025-05-29T10:03:46","slug":"new-botnet-hijacks-9000-asus-routers-enables-ssh-access-by-injecting-public-key","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/05\/29\/new-botnet-hijacks-9000-asus-routers-enables-ssh-access-by-injecting-public-key\/","title":{"rendered":"New Botnet Hijacks 9,000 ASUS Routers & Enables SSH Access by Injecting Public Key"},"content":{"rendered":"\n
New Botnet Hijacks 9,000 ASUS Routers & Enables SSH Access by Injecting Public Key<\/div>\n

\t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A sophisticated botnet campaign dubbed \u201cAyySSHush\u201d has compromised over 9,000 ASUS routers<\/a> worldwide, establishing persistent backdoor access that survives firmware updates and reboots.\u00a0<\/p>\n

The stealthy operation, first detected in March 2025, demonstrates advanced nation-state-level tradecraft by exploiting authentication vulnerabilities and legitimate router features to maintain long-term control without deploying traditional malware.<\/p>\n

Attack Chain Exploiting ASUS Routers<\/strong><\/h2>\n

The attackers employ a multi-stage exploitation technique that begins with brute-force login attempts against ASUS router interfaces, followed by leveraging two previously undisclosed authentication bypass vulnerabilities.\u00a0<\/p>\n

Once privileged access is obtained, the threat actors exploit CVE-2023-39780, an authenticated command injection flaw<\/a> in ASUS router firmware, to execute arbitrary system commands.<\/p>\n

The critical payload exploits the oauth_google_refresh_token parameter through a POST request to \/start_apply.htm, injecting the command touch \/tmp\/BWSQL_LOG to enable Bandwidth SQL logging features.\u00a0<\/p>\n

This manipulation creates an attack vector through vulnerable functions in the router\u2019s bwsdpi_sqlite binary that pass user-controlled data directly to system() calls.<\/p>\n

The attackers then enable SSH access on the non-standard TCP port 53282 and inject their public SSH key (truncated):\u00a0<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

This configuration change persists across firmware upgrades because it utilizes official ASUS settings stored in non-volatile memory (NVRAM).<\/p>\n

GreyNoise\u2019s discovery<\/a> was made possible through their AI-powered threat hunting tool called \u201cSift,\u201d which flagged just three anomalous HTTP POST requests among millions of daily internet traffic patterns.\u00a0<\/p>\n

The campaign\u2019s stealth is remarkable \u2013 only 30 malicious requests were detected across three months despite compromising thousands of devices.<\/p>\n

Sift identified the suspicious activity using advanced machine learning techniques, including custom-built Large Language Models (LLMs)<\/a>, nearest neighbor search, and unsupervised clustering to detect payloads targeting ASUS RT-AC3100 and RT-AC3200 routers with factory configurations.\u00a0<\/p>\n

Four IP addresses have been identified as indicators of compromise:\u00a0<\/p>\n