Researchers from the cybersecurity firm GreyNoise reported this week that an ongoing exploitation campaign is targeting over 9,000 internet-exposed ASUS routers. Cybercriminals gained long-term access by exploiting an undisclosed vulnerability. Experts suggest that attackers were planning on building a robot network (botnet).

According to GreyNoise’s report, the attackers carried out a stealthy and sophisticated operation by using brute-force login attempts and exploiting the CVE-2023-39780 vulnerability — a command injection flaw — to execute system commands on vulnerable devices. The unknown actors enabled SSH access on TCP port 53282 and implanted a backdoor in non-volatile memory (NVRAM), allowing them to maintain remote access even after the device reboots or firmware upgrades.

GreyNoise noticed the unusual, low-profile network activity through their AI-powered analysis tool, Sift, in March and reported it. The researchers confirmed that no malware had been installed, but the operation suggested that the attackers were building a system for a future attack.

This appears to be part of a stealth operation to assemble a distributed network of backdoor devices — potentially laying the groundwork for a future botnet,” states the report.

ASUS patched the vulnerability through its latest firmware update, but it didn’t remove the SSH configuration enabled by the attackers. GreyNoise recommends ASUS router owners check for access on TCP/53282, review unauthorized entries, block the IP addresses listed on the report, and, if the device has been compromised, perform a factory reset and manually reconfigure the router.

As of May 27, nearly 9,000 ASUS routers are confirmed compromised, based on scans from Censys,” wrote GreyNoise. “GreyNoise sensors saw just 30 related requests across three months, demonstrating how quietly this campaign is operating.

Over a year ago, it was revealed that the Russian hacking group APT28 had been exploiting a vulnerability on Cisco routers for six years and managed to deploy malware and spy on users and organizations in Europe and the United States.