🚨 BREAKING: GreyNoise discovered a sophisticated backdoor campaign compromising ~9,000 ASUS routers worldwide. Unlike typical malware attacks, this operation uses the router's own legitimate features to create persistent backdoors that survive firmware updates and reboots.
1/4
hrbrmstr 🇺🇦 🇬🇱 🇨🇦 🏳️🌈 (hrbrmstr@mastodon.social)'s status on Thursday, 29-May-2025 00:44:18 JST
The tradecraft suggests an advanced, well-resourced adversary.
What makes this scary: Attackers chain authentication bypasses + CVE-2023-39780 to gain access, then enable SSH on port 53282 with their own public key.
2/4
Because it's configured through official ASUS settings, the backdoor persists in NVRAM even after patching. No malware dropped, logging disabled = nearly invisible.
This was caught by GreyNoise's AI tool ("Sift") analyzing just 3 HTTP requests out of 23+ billion.
3/4
Without full PCAP + emulated router profiles, this would've stayed hidden. Check your ASUS routers for SSH on TCP/53282 NOW.
Technical deep-dive: https://www.labs.greynoise.io//grimoire/2025-03-24-ayysshush/
📊 Executive summary: https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers
4/4
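The thread's one actionable instruction is to check whether your ASUS router has SSH listening on TCP/53282. The following is an added example written for this page, not code from hrbrmstr or GreyNoise: a small Python probe that connects to a host on that port, reads the first line of whatever answers, and flags an SSH banner. Only the port number comes from the thread; the host you pass in, the fake local listener used for self-testing, and the sample banner string are constructed here. A listener on that port is a signal to investigate, not proof by itself, and a firewall in front of the WAN side can hide it, so run the check from inside the LAN as well as from outside.

```python
import socket
import sys
import threading

# TCP port named in the thread as the one the backdoored SSH service is enabled on.
BACKDOOR_PORT = 53282


def probe_ssh(host, port=BACKDOOR_PORT, timeout=3.0):
    """Connect to host:port and read the first line the service sends.

    Returns a dict: 'open' (a TCP connection succeeded), 'banner' (first line
    received, or None), 'looks_like_ssh' (banner starts with 'SSH-').
    """
    result = {"host": host, "port": port, "open": False,
              "banner": None, "looks_like_ssh": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["open"] = True
            s.settimeout(timeout)
            try:
                data = s.recv(256)          # SSH servers speak first, so just listen
            except (socket.timeout, OSError):
                data = b""
            banner = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
            result["banner"] = banner or None
            result["looks_like_ssh"] = banner.startswith("SSH-")
    except (OSError, socket.timeout):
        pass                                 # refused, filtered or unreachable
    return result


def assess(result):
    """Turn a probe result into a one-word verdict for triage."""
    if not result["open"]:
        return "clean"        # nothing answering on the port
    if result["looks_like_ssh"]:
        return "SUSPECT"      # SSH on TCP/53282 matches the thread's indicator
    return "investigate"      # something listens, but it did not greet as SSH


def start_fake_listener(banner):
    """Constructed stand-in for a router: a one-shot local TCP listener that sends
    `banner` to the first client. Used only to exercise probe_ssh() offline.
    Returns the ephemeral port it is bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_local_port():
    """Return a loopback port that nothing is listening on (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Usage: python probe.py <router-ip>   (router-ip is whatever you assign; assumed)
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # documentation address
    r = probe_ssh(target)
    print(f"{r['host']}:{r['port']} open={r['open']} banner={r['banner']!r} -> {assess(r)}")
```

Run it against the router's LAN address from inside the network and against its public address from outside; a "SUSPECT" verdict means the indicator from the thread is present and the router's SSH settings and authorized keys should be reviewed as described in the GreyNoise write-up linked above.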