The big picture: Backdoors are typically designed to bypass traditional authentication methods and provide unauthorized remote access to vulnerable network appliances or endpoint devices. The most effective backdoors remain invisible to both end users and system administrators, making them especially attractive to threat actors engaged in covert cyber-espionage campaigns.
Analysts at GreyNoise have uncovered a mysterious backdoor-based campaign affecting more than 9,000 Asus routers. The unknown cybercriminals are exploiting several security vulnerabilities, some of which have already been patched, while others have never been assigned proper tracking entries in the CVE database. The story is full of "unknowns," as the attackers have yet to take visible action with the sizeable botnet they have built.
The backdoor, now tracked as "ViciousTrap," was first identified by GreyNoise's proprietary AI system, Sift. The AI detected anomalous traffic in March, prompting researchers to investigate the new threat and notify government authorities by the end of the month. Now, just days after another security company disclosed the campaign, GreyNoise has published a blog post detailing ViciousTrap.
According to the researchers, thousands of Asus networking devices have already been compromised by this stealthy backdoor. The attackers first gain access by exploiting multiple security flaws and bypassing authentication through brute-force login attempts. They then leverage another vulnerability (CVE-2023-39780) to execute commands on the router, abusing a legitimate Asus feature to enable SSH access on a specific TCP/IP port and install their own SSH public key.
The threat actors can then use their private key to remotely access the compromised routers. The backdoor is stored in the device's NVRAM and can persist even after a reboot or firmware update. According to GreyNoise, the backdoor is essentially invisible, with logging disabled to further evade detection.
The ViciousTrap campaign is slowly expanding, but the attackers have yet to reveal their intentions through specific actions or attacks. Asus has already patched the exploited vulnerabilities in recent firmware updates. However, any existing backdoor will remain functional unless an administrator has manually reviewed and disabled SSH access.
To remediate the issue, administrators should remove the public key used for unauthorized SSH access and reset any custom TCP/IP port configurations. Once these steps are taken, affected Asus routers should return to their original, uncompromised state.
GreyNoise also advises network administrators to monitor traffic for connections from the following suspicious IP addresses:
- 101.99.91.151
- 101.99.94.173
- 79.141.163.179
- 111.90.146.237
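The two defender-side checks the article describes, matching router logs against the four published addresses and reviewing the router's SSH authorized keys for anything the administrator did not install, as an added example that is not part of the article or GreyNoise's tooling. The netfilter-style log format (SRC=, DST=, PROTO=, DPT= fields), the sample log lines and the key blobs are constructed for illustration.

```python
# Added example (not from the article or GreyNoise): triage helpers for the two checks above.
import re

# Indicator addresses published by GreyNoise, as listed in the article.
IOC_IPS = frozenset({"101.99.91.151", "101.99.94.173",
                     "79.141.163.179", "111.90.146.237"})

# Netfilter-style log fields (SRC=, DST=, PROTO=, DPT=); the log format is assumed.
FLOW_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")

def parse_flow(line):
    """Extract src/dst/proto/dport from one log line, or None if it is not a flow record."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dport": int(m["dpt"])}

def ioc_hits(lines):
    """Flows whose source or destination is one of the published indicator addresses."""
    flows = (parse_flow(line) for line in lines)
    return [f for f in flows if f and (f["src"] in IOC_IPS or f["dst"] in IOC_IPS)]

def key_identity(entry):
    """Reduce an authorized_keys line to (type, blob), ignoring options and comment."""
    parts = entry.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(("ssh-", "ecdsa-sha2-", "sk-")):
            return (tok, parts[i + 1])
    return None  # unparseable entries are treated as unknown below

def unknown_keys(authorized_keys, approved):
    """authorized_keys entries whose key material is not in the administrator's approved list."""
    approved_ids = {key_identity(k) for k in approved}
    return [e.strip() for e in authorized_keys.splitlines()
            if e.strip() and not e.lstrip().startswith("#")
            and key_identity(e) not in approved_ids]

# Constructed sample data, not real captures; 203.0.113.7 stands in for the router's WAN address.
SAMPLE_LOG = [
    "kernel: ACCEPT IN=eth0 OUT= SRC=79.141.163.179 DST=203.0.113.7 PROTO=TCP SPT=40211 DPT=2222",
    "kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 PROTO=TCP SPT=51000 DPT=443",
    "kernel: DROP IN=eth0 OUT= SRC=101.99.94.173 DST=203.0.113.7 PROTO=TCP SPT=44000 DPT=22",
]
ADMIN_KEYS = ["ssh-ed25519 AAAAC3EXAMPLE_ADMIN_KEY admin@lan"]
ROUTER_KEYS = "# constructed\nssh-ed25519 AAAAC3EXAMPLE_ADMIN_KEY admin@lan\nno-pty ssh-rsa AAAAB3EXAMPLE_UNKNOWN_KEY\n"

if __name__ == "__main__":
    print("IoC hits:", ioc_hits(SAMPLE_LOG))
    print("Unapproved SSH keys:", unknown_keys(ROUTER_KEYS, ADMIN_KEYS))
```

Keys are compared on type and blob only, so a renamed comment does not hide a known key, while any line the parser cannot read is reported rather than silently accepted.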
Finally, the researchers warn router owners to always install the latest firmware updates. "If compromise is suspected, perform a full factory reset and reconfigure manually," they said.