
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,429 of 2,445   
   Mike Powell to All   
   Thousands of Asus routers   
   30 May 25 09:19:00   
   
   TZUTC: -0500   
   MSGID: 1162.consprcy@1:2320/105 2c9efad7   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   Thousands of Asus routers hacked to create a major botnet planting damaging   
   malware   
      
   Date:   
   Thu, 29 May 2025 13:27:00 +0000   
      
   Description:   
   Hackers are brute-forcing older Asus routers and establishing persistent   
   access.   
      
   FULL STORY   
      
   Thousands of ASUS routers were compromised and turned into a malicious botnet   
   after hackers uncovered a troubling security vulnerability, experts have   
   warned.    
      
   "This appears to be part of a stealth operation to assemble a distributed
   network of backdoor devices, potentially laying the groundwork for a future
   botnet," noted cybersecurity researchers GreyNoise, who first spotted the
   attacks in mid-March 2025.
      
   Using Sift (GreyNoise's network payload analysis tool) and a fully emulated
   ASUS router profile running in the GreyNoise Global Observation Grid, the
   researchers determined that the threat actors were first breaching routers
   with brute force and authentication bypassing.
      
   Advanced operations    
      
   These poorly configured routers were easy pickings for the attackers, who    
   then proceeded to exploit a command injection flaw to run system commands.    
      
   This flaw is tracked as CVE-2023-39780 and carries a severity score of 8.8/10   
   (high).    
      
   The vulnerability was first published in the National Vulnerability Database   
   (NVD) on September 11, 2023, and since then ASUS released firmware updates to   
   address it.    
      
   "The tactics used in this campaign (stealthy initial access, use of built-in
   system features for persistence, and careful avoidance of detection) are
   consistent with those seen in advanced, long-term operations, including
   activity associated with advanced persistent threat (APT) actors and
   operational relay box (ORB) networks," GreyNoise further explains.
      
   While GreyNoise has made no attribution, the level of tradecraft suggests a   
   well-resourced and highly capable adversary.    
      
   The attackers use the ability to run system commands to install a backdoor
   that's stored in non-volatile memory (NVRAM).
      
   This means the access they establish survives both reboots and firmware
   updates. The attackers can maintain long-term access without dropping
   stage-two malware or leaving other obvious traces.
      
   We don't know exactly how many devices are compromised, other than that there
   are thousands, with the number steadily increasing.
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/thousands-of-asus-routers-hacked-to-create-a-major-botnet-planting-damaging-malware
      
   $$   
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 111 114 206 300 307 317 400 426 428   
   SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200   
   SEEN-BY: 396/45 460/58 712/848 902/26 2320/0 105 3634/12 5075/35   
   PATH: 2320/105 229/426   
      



(c) 1994,  bbs@darkrealms.ca