Viciustra Backdoor Campaign Targets Thousands of ASUS Routers
Cybercriminals are exploiting vulnerabilities in ASUS routers to build a stealthy botnet, but their motives remain unclear.
A newly discovered cyberattack campaign, dubbed “Viciustra,” has compromised over 9,000 ASUS routers by exploiting a combination of known and previously undisclosed security flaws. The attackers’ ultimate goals are currently unknown, adding to the mystery surrounding this large-scale operation.
The “Viciustra” backdoor was first flagged by an AI-driven threat detection system in March, prompting an investigation and subsequent notification of government authorities. The backdoor gives the attackers remote access to compromised devices without going through the router’s normal authentication.
According to researchers, the attackers gain initial access through credential brute-forcing and the exploitation of multiple security vulnerabilities. They then leverage CVE-2023-39780, a known command-injection vulnerability, to execute commands on the router. Those commands abuse a legitimate ASUS feature to enable the SSH service on a specific port and to inject an attacker-controlled SSH public key into the router’s authorized keys.
Stealthy Operation
“If a compromise is suspected, make a complete factory reset and reconfigure.”
Once the public key is injected, the attackers can log in to the compromised routers over SSH with the corresponding private key, with no password required. Because the change is stored in the router’s configuration rather than in the firmware image, the backdoor is persistent: it survives reboots and even firmware updates. Security analysts describe the “Viciustra” backdoor as virtually invisible, since nothing malicious runs on the device and the only artefact is an extra key and an open port, which makes detection and removal challenging.
While the “Viciustra” campaign is widespread, the attackers have not yet initiated any visible malicious activities. ASUS has released firmware updates to address the exploited vulnerabilities. However, existing backdoors will remain active unless administrators manually disable unauthorized SSH access and remove the injected public key.
Administrators are advised to inspect the SSH configuration of their ASUS routers, remove any public key they did not install themselves, disable SSH if it is not needed (and in particular disable SSH and remote administration on the WAN side), check whether SSH is listening on an unexpected port and return it to the intended setting, and ensure the router is running the latest firmware. Updating the firmware alone does not remove an existing key. In cases of suspected compromise, a full factory reset and reconfiguration is recommended.
Network administrators should also check firewall and router logs for connections originating from the following IP addresses associated with the campaign:
- 101.99.91.151
- 101.99.94.173
- 79.141.163.179
- 111.90.146.237
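The remediation and monitoring steps above can be turned into an offline audit. The following Python script is an added example written for this page, not code from the researchers or from ASUS. It takes two exports from a router, an `nvram show` dump and a firewall/syslog extract, and reports (1) whether SSH is enabled, exposed on the WAN, or listening on a non-default port, (2) every authorized key whose SHA256 fingerprint is not in an allowlist you maintain, and (3) any log line mentioning one of the four IOC addresses. The NVRAM variable names (`sshd_enable`, `sshd_wan`, `sshd_port`, `sshd_authkeys`) and the use of `>` as the separator between keys follow ASUSWRT conventions as understood by the author of this example; confirm them against your own model’s `nvram show` output. The sample dump, the keys, the port number and the log lines are constructed for the demonstration and are not real indicators from the campaign.

```python
"""Offline audit for the ASUS SSH-backdoor pattern described in the article.

Runs only on exported data (an `nvram show` dump and a log extract), so it
never touches a live router.  Example code added for this page; the NVRAM
variable names and the '>' key separator are assumptions about ASUSWRT.
"""
import base64
import binascii
import hashlib
import re

# The four addresses published with the campaign.
IOC_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}

KEY_RE = re.compile(r"^(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+(\S+)(?:\s+(.*))?$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def key_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob).
    Matches what `ssh-keygen -lf key.pub` prints, so allowlists can be built from it."""
    raw = base64.b64decode(blob_b64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def parse_nvram(dump: str) -> dict:
    """Turn `nvram show` output (one name=value per line) into a dict."""
    vars_ = {}
    for line in dump.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)  # values may themselves contain '='
            vars_[name.strip()] = value.strip()
    return vars_


def parse_authkeys(value: str) -> list:
    """Split the stored authorized keys (assumed '>' or newline separated)."""
    keys = []
    for entry in re.split(r"[>\n]", value):
        entry = entry.strip()
        if not entry:
            continue
        m = KEY_RE.match(entry)
        if not m:
            keys.append({"type": "unparsable", "fingerprint": None, "comment": entry[:40]})
            continue
        ktype, blob, comment = m.groups()
        try:
            fp = key_fingerprint(blob)
        except (binascii.Error, ValueError):
            fp = None
        keys.append({"type": ktype, "fingerprint": fp, "comment": comment or ""})
    return keys


def audit_nvram(dump: str, allowed_fingerprints: set) -> list:
    """Return a list of finding strings; an empty list means nothing suspicious."""
    v = parse_nvram(dump)
    findings = []
    if v.get("sshd_enable", "0") != "0":
        findings.append("ssh_enabled")
        if v.get("sshd_wan", "0") == "1":          # reachable from the Internet
            findings.append("ssh_exposed_on_wan")
        if v.get("sshd_port", "22") != "22":       # moved off the default port
            findings.append(f"ssh_nonstandard_port:{v['sshd_port']}")
    for k in parse_authkeys(v.get("sshd_authkeys", "")):
        if k["fingerprint"] not in allowed_fingerprints:   # also catches unparsable (None)
            findings.append(f"unknown_key:{k['type']}:{k['fingerprint']}:{k['comment']}")
    return findings


def scan_log(lines) -> list:
    """Return (line_no, ip, line) for every log line containing an IOC address."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip, line.strip()))
    return hits


# --- constructed sample data (not real keys, ports, or log lines) -------------
FAKE_LEGIT = base64.b64encode(b"constructed-admin-key-blob").decode()
FAKE_ROGUE = base64.b64encode(b"constructed-rogue-key-blob").decode()
SAMPLE_NVRAM = (
    "sshd_enable=1\n"
    "sshd_wan=1\n"
    "sshd_port=51822\n"  # invented non-default port for the demo
    "sshd_pass=1\n"
    f"sshd_authkeys=ssh-ed25519 {FAKE_LEGIT} admin@lan>ssh-ed25519 {FAKE_ROGUE} root@unknown\n"
    "wan_ipaddr=203.0.113.7\n"
)
ALLOWED = {key_fingerprint(FAKE_LEGIT)}  # only the key the admin installed
SAMPLE_LOG = [
    "Jun 1 10:00:01 router kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.7 PROTO=TCP DPT=22",
    "Jun 1 10:00:07 router kernel: ACCEPT IN=eth0 SRC=101.99.91.151 DST=203.0.113.7 PROTO=TCP DPT=51822",
    "Jun 1 10:00:09 router dropbear[812]: Child connection from 111.90.146.237:41022",
]

if __name__ == "__main__":
    for f in audit_nvram(SAMPLE_NVRAM, ALLOWED):
        print("NVRAM:", f)
    for n, ip, line in scan_log(SAMPLE_LOG):
        print(f"LOG line {n}: IOC {ip}: {line}")
```

On a real device, save `nvram show` output and the router log to files, load them in place of the constructed samples, and build `ALLOWED` from the fingerprints of the keys you know you installed. Any `unknown_key` finding is a key to remove, and any `ssh_exposed_on_wan` finding should be corrected regardless of whether the key audit is clean.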
Frequently Asked Questions
What is a backdoor in the context of network security?
A backdoor is a hidden way of bypassing a system’s normal security controls to gain unauthorized access. It lets an attacker return to a device or network without going through the regular login path, so that changing passwords or patching the original entry point does not, by itself, lock them out.
How can I protect my ASUS router from being compromised?
To protect your ASUS router, ensure you have the latest firmware updates installed, change the default password, disable remote access if it is not needed, and monitor network traffic for suspicious activity. Regularly check for security advisories from ASUS.
What should I do if I suspect my router has been compromised?
If you suspect your router has been compromised, perform a factory reset, update the firmware, change all passwords, and monitor network activity for any unusual behavior. Contact ASUS support or a cybersecurity professional for assistance.
