Exploited ASUS Router Users Warned: Hacked Devices Require Factory Reset
GreyNoise has exposed the AyySSHush botnet infecting over 9,000 ASUS routers, urging owners to factory reset devices as firmware updates alone won’t remove the hidden backdoor.

Summary
- Over 9,000 ASUS routers compromised by the AyySSHush botnet, according to GreyNoise and Censys data.
- Hackers use brute-force attacks and known bugs to install persistent SSH backdoors.
- Firmware updates won’t remove the backdoor; only a factory reset can secure affected devices.
How Were the ASUS Routers Exploited?
The AyySSHush botnet targets ASUS routers like the RT-AC3100, RT-AC3200, and RT-AX55 by combining brute-force login attempts with old authentication bypass vulnerabilities and a 2023 command-injection flaw (CVE-2023-39780).
Once inside, attackers enable SSH access, install their own public key for authentication, and disable logging, creating a persistent, hard-to-detect backdoor that survives firmware updates and reboots.
What Should ASUS Router Users Do?
ASUS has released firmware patches to close the exploited bugs, but if you suspect your router is compromised, you must factory reset the device. After the reset, update the firmware, set a strong, unique password, and review security settings to ensure remote access is disabled if not needed.
Staying vigilant is key, as advanced, well-resourced attackers are behind this campaign.
Why Firmware Updates Aren’t Enough
GreyNoise warns that simply updating firmware won’t remove the backdoor: the attackers make their changes through legitimate router configuration features, and those settings are stored in non-volatile memory (NVRAM), which persists across firmware updates.
This means the only effective way to reclaim your device is by performing a full factory reset and setting up a new, strong admin password afterward.
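A defender-side check for the persistence described above, as an added example that is not from GreyNoise or ASUS: it scans a saved dump of router settings for SSH being enabled and for any authorized key whose fingerprint you do not recognize. The setting names `sshd_enable`, `sshd_port` and `sshd_authkeys` are assumptions about ASUSWRT's NVRAM naming, and the sample dump, port and keys are constructed.

```python
import base64
import hashlib
import re

# Matches "<key type> <base64 blob>" anywhere in the dump, so keys stored on
# continuation lines of a multi-line setting are found too.
KEY_RE = re.compile(r"\b(ssh-(?:rsa|ed25519)|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/]+={0,2})")

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def setting(dump, name):
    """Value of one name=value setting in the dump, or None if absent."""
    m = re.search(rf"^{re.escape(name)}=(.*)$", dump, re.MULTILINE)
    return m.group(1).strip() if m else None

def audit(dump, trusted):
    """Return findings: SSH enabled, and keys whose fingerprint is not trusted."""
    findings = []
    enabled = setting(dump, "sshd_enable")  # assumed name; "0" taken to mean off
    if enabled not in (None, "", "0"):
        findings.append(f"SSH enabled (sshd_enable={enabled}, port={setting(dump, 'sshd_port')})")
    for _, blob in KEY_RE.findall(dump):
        try:
            fp = fingerprint(blob)
        except ValueError:  # malformed base64 in a key entry
            findings.append(f"unparseable key entry: {blob[:16]}...")
            continue
        if fp not in trusted:
            findings.append(f"unrecognized authorized key {fp}")
    return findings

# Constructed sample data: neither key is a real key or a real indicator.
ADMIN_KEY = base64.b64encode(b"constructed admin key blob").decode()
OTHER_KEY = base64.b64encode(b"constructed unknown key blob").decode()
SAMPLE_DUMP = (
    "sshd_enable=1\n"
    "sshd_port=2222\n"
    f"sshd_authkeys=ssh-rsa {ADMIN_KEY} admin@laptop\n"
    f"ssh-rsa {OTHER_KEY}\n"
    "http_username=admin\n"
)
TRUSTED = {fingerprint(ADMIN_KEY)}  # fingerprints of keys you installed yourself

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP, TRUSTED):
        print(finding)
```

Any finding you cannot account for is a reason to follow the factory-reset steps above rather than just deleting the entry.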
Pros
- GreyNoise has identified and publicized the threat for user awareness.
- Firmware patches are available to prevent new infections.
- Factory resets can fully remove the persistent SSH backdoor.
Cons
- Factory resets are disruptive and time-consuming for users.
- Without user action, compromised routers remain exposed to attackers.
- The attack leaves no malware trace, making detection difficult.
Conclusion
The AyySSHush botnet poses a serious security risk to ASUS router owners. Even though ASUS has patched the underlying bugs, the only way to fully secure previously compromised routers is through a factory reset. Users should act swiftly to protect their networks and monitor their devices for suspicious activity going forward.
FAQs
Q: Which ASUS router models are affected?
A: Known affected models include RT-AC3100, RT-AC3200, and RT-AX55, though others may also be vulnerable.
Q: Will a firmware update remove the backdoor?
A: No, the backdoor persists across updates. A factory reset is required to fully remove it.
Q: How can I secure my ASUS router after a reset?
A: Update to the latest firmware, set a strong admin password, and disable unused remote access features.