Brute-Force Router Login Attacks Confirmed — What You Need To Know

Thousands of routers worldwide have been targeted by a sophisticated campaign that leverages a two-year-old vulnerability, authentication flaws, and brute-force attacks. The researchers who uncovered the AyySSHush attacks have suggested it is likely the work of a nation-state threat actor. Here’s what you need to know.

What We Know About The AyySSHush Router Attacks

The as-yet unidentified threat actors behind the AyySSHush campaign have targeted routers from major manufacturers, with at least 9,000 ASUS routers already known to have been compromised, using a stealthy and persistent backdoor that survives firmware updates and reboots.

State-sponsored hacker groups are known to have been behind everything from Windows password-stealing attacks and the targeting of presidential political campaigns to ransomware attacks against predominantly Western targets. Espionage, however, is one of the primary drivers of hackers working in tandem with government resources. And what better way to get an eavesdropping foothold on data than to compromise a router?

Researchers at GreyNoise have reported just such a sophisticated compromise campaign, which they say is consistent with advanced persistent threat actors, although they cannot attribute it to a specific group at this point in time. “The level of tradecraft suggests a well-resourced and highly capable adversary,” the report stated.

GreyNoise has confirmed that at least 9,000 ASUS routers have been compromised to date, and the number is still rising. Routers from other major vendors, including Cisco, D-Link and Linksys, have also reportedly been targeted by AyySSHush.

The researchers explained that attackers gain initial access through brute-force login attempts, along with authentication bypass techniques that exploit known vulnerabilities that owners have yet to patch. They then insert a public key that is under their control for remote access. While no malware is installed, the backdoor itself “is stored in non-volatile memory and is therefore not removed during firmware upgrades or reboots,” GreyNoise warned.
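Because the attacker's public key lives in non-volatile settings rather than on the firmware image, the place to look for it is the persisted configuration, not the files a firmware upgrade replaces. The script below is an added example, not GreyNoise's or ASUS's code: it parses an ASUSWRT-style `nvram show` dump, fingerprints every stored SSH authorized key the way OpenSSH does (SHA256 of the decoded blob), and flags any key the owner does not recognise, along with sshd being reachable from the WAN or on a non-default port. The variable names `sshd_enable`, `sshd_wan`, `sshd_port` and `sshd_authkeys`, and the `>` separator between stored keys, are assumptions about the dump format; the sample dump and both keys are constructed for the example (the 32-byte key payloads are placeholders, not real keys).

```python
"""Audit an ASUSWRT-style NVRAM dump for SSH settings that survive
firmware upgrades: sshd exposed on the WAN, a non-default port, and any
authorized public key the owner does not recognise.

Added example, not GreyNoise's or ASUS's code. The variable names
sshd_enable / sshd_wan / sshd_port / sshd_authkeys and the '>' separator
between stored keys are assumptions about `nvram show` output; adjust
them to what your firmware actually emits.
"""
import base64
import binascii
import hashlib


def ssh_fingerprint(key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line."""
    fields = key_line.split()
    if len(fields) < 2:
        raise ValueError(f"not an authorized_keys line: {key_line!r}")
    blob = base64.b64decode(fields[1], validate=True)  # raises binascii.Error if garbage
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_nvram(dump: str) -> dict[str, str]:
    """Parse key=value lines as printed by `nvram show` (assumed format)."""
    settings = {}
    for line in dump.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only; key blobs may contain '='
        settings[key.strip()] = value.strip()
    return settings


def split_authkeys(value: str) -> list[str]:
    """Split the stored key list. '>' as separator is an assumption; newlines are handled too."""
    return [k.strip() for k in value.replace(">", "\n").splitlines() if k.strip()]


def audit(dump: str, known_fingerprints: set[str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    nv = parse_nvram(dump)
    findings = []
    enabled = nv.get("sshd_enable") == "1"
    if enabled and nv.get("sshd_wan") == "1":
        findings.append("sshd is enabled and exposed on the WAN interface")
    port = nv.get("sshd_port")
    if enabled and port not in (None, "", "22"):
        findings.append(f"sshd listens on non-default port {port}")
    for key in split_authkeys(nv.get("sshd_authkeys", "")):
        try:
            fp = ssh_fingerprint(key)
        except (ValueError, binascii.Error):
            findings.append(f"malformed authorized key entry: {key[:40]!r}")
            continue
        if fp not in known_fingerprints:
            fields = key.split()
            comment = fields[2] if len(fields) > 2 else "no comment"
            findings.append(f"unrecognised authorized key {fp} ({comment})")
    return findings


def _wire_key(algo: str, raw: bytes) -> str:
    """Base64 OpenSSH public-key blob: length-prefixed algorithm name, then raw key bytes."""
    def field(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(field(algo.encode()) + field(raw)).decode()


# Constructed sample keys: the payloads are placeholder bytes, not real ed25519 keys.
OWNER_KEY = "ssh-ed25519 " + _wire_key("ssh-ed25519", bytes(range(32))) + " owner@laptop"
ROGUE_KEY = "ssh-ed25519 " + _wire_key("ssh-ed25519", bytes(32)) + " ayyssh"

# The owner's allow-list: fingerprints of keys they installed themselves.
KNOWN_FINGERPRINTS = {ssh_fingerprint(OWNER_KEY)}

# Constructed dump resembling a compromised unit: sshd on the WAN, odd port, extra key.
SAMPLE_DUMP = f"""\
wan_proto=dhcp
sshd_enable=1
sshd_wan=1
sshd_port=50000
sshd_authkeys={OWNER_KEY}>{ROGUE_KEY}
http_lanport=80
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP, KNOWN_FINGERPRINTS):
        print("FINDING:", finding)
```

Run it against a real dump (`nvram show > dump.txt` over the router's own shell, or a settings backup decoded to key=value form) with `KNOWN_FINGERPRINTS` filled from `ssh-keygen -lf` on the keys you installed. An unknown fingerprint is the actual indicator here; a WAN-exposed sshd on an odd port is only supporting evidence. Because the key sits in NVRAM, reflashing firmware will not clear it: remove the entry (or reset NVRAM) and then re-audit.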

I have reached out to ASUS for a statement.

What Security Experts Say About The Router Attacks

“Even something as mundane as a router becomes a strategic asset once it gains long-term identity in a threat actor’s infrastructure,” Wade Ellery, field chief technology officer at Radiant Logic, said. That is why, at the organizational level at least, real-time, identity-aware telemetry across all assets, routers included, is essential.

Debbie Gordon, CEO at Cloud Range, meanwhile, warned that the campaign highlighted a dangerous shift in attacker strategy from quick hits to long-haul persistence. “AyySSHush’s ability to survive factory resets and firmware updates is a wake-up call,” Gordon said, “edge devices like routers are no longer low-value targets.” With both SoHo and consumer routers targeted by this latest attack, routers can no longer be treated as set-and-forget devices.
