
ASUS responds to botnet attack: factory reset required

ASUS has officially responded to news about a botnet that has infected thousands of its routers. The company emphasizes that the vulnerabilities involved can be fixed, but acknowledges that a firmware update alone is not sufficient once a device is already infected.

The company has issued a detailed response about the so-called AyySSHush malware. The software in question is a particularly persistent specimen: it survives not only reboots but also firmware updates.

Vulnerability from 2023

The problem revolves around CVE-2023-39780, a vulnerability that was already disclosed in 2023. According to ASUS, devices with the latest firmware and a strong administrator password can prevent future exploitation of this vulnerability. The company recommends passwords of at least 10 characters with a mix of uppercase letters, lowercase letters, numbers, and symbols.

For devices that may have been compromised, ASUS proposes a three-step plan. First, the firmware must be updated to the latest version. Next, a factory reset is required to delete unauthorized settings. Finally, a strong administrator password must be set.

End-of-Life devices

ASUS also offers guidance for outdated routers that no longer receive firmware updates. Users should install the latest available firmware and set a strong password. In addition, all remote access functions should be disabled, such as SSH, DDNS, AiCloud, and Web Access from WAN.

The company suggests that users check for suspicious activity themselves. Specifically, users should check that SSH (especially TCP port 53282) is not exposed to the internet. Users can also check the System Log for repeated login failures or strange SSH keys.
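A small defensive check for the two indicators above, added here as an example rather than code from ASUS or the article: it counts repeated SSH login failures per source address in System Log lines and flags any authorized key that is missing from the owner's own allowlist. The log lines and keys are constructed samples, and the regex assumes dropbear-style log messages (an assumption about the router's SSH daemon).

```python
import re
from collections import Counter

# Constructed sample System Log lines (not from the article). The wording follows
# dropbear's messages, an assumption about the router's SSH daemon; adapt FAIL_RE
# if your firmware logs failures differently.
SAMPLE_LOG = """\
May 28 10:01:02 dropbear[1201]: Child connection from 203.0.113.5:40112
May 28 10:01:03 dropbear[1201]: Bad password attempt for 'admin' from 203.0.113.5:40112
May 28 10:01:05 dropbear[1202]: Bad password attempt for 'admin' from 203.0.113.5:40113
May 28 10:01:07 dropbear[1203]: Login attempt for nonexistent user from 203.0.113.5:40114
May 28 10:01:09 dropbear[1204]: Bad password attempt for 'admin' from 203.0.113.5:40115
May 28 10:02:00 dropbear[1210]: Password auth succeeded for 'admin' from 192.168.50.20:51000
"""

# Constructed authorized_keys content: one key the owner installed, one they did not.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWNERKEYPLACEHOLDER000000000000000000 owner@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUNKNOWNKEYPLACEHOLDER0000000000000000 owner@laptop
"""
KNOWN_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWNERKEYPLACEHOLDER000000000000000000"}

FAIL_RE = re.compile(
    r"dropbear\[\d+\]: (?:Bad password attempt for '[^']*'|Login attempt for nonexistent user)"
    r" from (?P<ip>[\d.]+):\d+"
)

def failed_logins_by_source(log_text, threshold=3):
    """Map each source IP to its number of failed SSH logins, keeping only sources
    at or above `threshold`: repeated failures from one address are the first
    indicator the article tells users to look for."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAIL_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def unknown_keys(authorized_keys_text, known_keys):
    """Return authorized_keys lines whose key is not in the owner's allowlist.
    Comparison uses key type plus base64 blob, never the trailing comment, so a
    copied comment cannot make a foreign key look familiar."""
    flagged = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 2:
            continue
        if f"{parts[0]} {parts[1]}" not in known_keys:
            flagged.append(line)
    return flagged
```

Run `failed_logins_by_source` over an export of the router's System Log and `unknown_keys` over the key list from the SSH settings page; any non-empty result is worth the factory-reset procedure described above.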

Persistent malware

As mentioned, the AyySSHush malware exploits a known vulnerability in ASUS routers and weak passwords for initial access. Only a combination of both allows attackers to succeed. Once inside, it bypasses Trend Micro’s built-in AiProtection security and stubbornly remains on the router.

Researchers at Greynoise (who coined the name AyySSHush) discovered that the malware changes settings to enable permanent SSH access, hence the name. This change is stored in non-volatile memory (NVRAM), which means it remains active even after firmware updates and reboots. Therefore, a regular update is not sufficient and a full factory reset is necessary.

The number of infected routers has dropped from a peak of 12,000 to around 8,500 devices, according to recent counts. ASUS has released firmware updates and security recommendations for supported models and advises users to contact customer service for further assistance.