Thousands Of Asus Routers Reportedly Affected By “ViciousTrap” Backdoor

If you’re one of the thousands of people using an Asus router, bad news: analysts at GreyNoise have found a mysterious backdoor, named “ViciousTrap”, that is currently affecting thousands of the brand’s routers.

ViciousTrap was first identified back in March of this year by GreyNoise’s proprietary AI system, Sift. According to the analyst group, the attackers first gained access to the Asus routers by exploiting multiple security flaws and by bypassing authentication through tried-and-true brute-force login attempts.

The attackers then leveraged another vulnerability in the routers, CVE-2023-39780, to execute commands, abusing a legitimate Asus feature that allowed them to inject a public encryption key.

The problems here are multi-faceted. First, the backdoor is practically invisible, with the attackers disabling logging in order to evade further detection. Second, ViciousTrap is slowly expanding to more routers, and the intent and goal of the attackers are still not known.

One current solution put forward by GreyNoise is for administrators to remove the public key used for unauthorised SSH access, and then reset any custom TCP/IP port configurations. Once this is done, the affected Asus routers should return to their default state. Additionally, GreyNoise is advising network administrators to monitor traffic from the following IPs: 101.99.91.151; 101.99.94.173; 79.141.163.179; 111.90.146.237.
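One way to act on the monitoring advice, as an added example that is not from GreyNoise or the original article: the script below checks log lines for the four listed IPs using exact address matching, so a near-miss such as 101.99.91.15 is not flagged. The log format and sample lines are constructed assumptions, not output from a real device.

```python
import ipaddress
import re
from collections import defaultdict

# The four IPs the article lists for monitoring.
WATCHLIST = frozenset(ipaddress.ip_address(ip) for ip in (
    "101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"))

# Dotted quads that are not part of a longer number or dotted run.
IPV4_TOKEN = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?!\d|\.\d)")

def addresses_in(line):
    """Return every valid IPv4 address that appears in a log line."""
    found = []
    for token in IPV4_TOKEN.findall(line):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # out-of-range octets, e.g. 999.1.1.1
    return found

def watchlist_hits(lines):
    """Map each watchlisted IP seen to the other addresses on the same lines."""
    hits = defaultdict(set)
    for line in lines:
        addrs = addresses_in(line)
        for bad in (a for a in addrs if a in WATCHLIST):
            hits[str(bad)].update(str(a) for a in addrs if a not in WATCHLIST)
    return dict(hits)

# Constructed sample lines in a generic firewall/syslog style.
SAMPLE_LOG = [
    "May 28 02:11:09 fw ACCEPT IN=eth0 SRC=101.99.91.151 DST=192.168.1.1 PROTO=TCP",
    "May 28 02:11:40 fw ACCEPT IN=br0 SRC=192.168.1.1 DST=79.141.163.179 PROTO=TCP",
    "May 28 02:12:02 fw DROP IN=eth0 SRC=101.99.91.15 DST=192.168.1.1 PROTO=TCP",
    "May 28 02:12:30 fw ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.168.1.20 PROTO=UDP",
    "May 28 02:13:05 sshd: connection from 111.90.146.237:51514 to 192.168.1.1:22",
]

if __name__ == "__main__":
    for ip, peers in sorted(watchlist_hits(SAMPLE_LOG).items()):
        print(f"{ip} seen with {sorted(peers)}")
```

Feed it exported router, firewall or flow logs one line at a time; the peer addresses in each hit show which internal hosts or interfaces exchanged traffic with a listed IP.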

(Source: GreyNoise, Techspot, Hot Hardware)

The post Thousands Of Asus Routers Reportedly Affected By “ViciousTrap” Backdoor appeared first on Lowyat.NET.