Version 126: Over 9,000 Asus routers hijacked through a botnet and a stubborn SSH backdoor unremovable by firmware updates

BCAdmin1 Comment on Version 126: Over 9,000 Asus routers hijacked through a botnet and a stubborn SSH backdoor unremovable by firmware updates

Major Cybersecurity Breach: Over 9,000 Asus Routers Compromised by Persistent Botnet Attack

In a troubling development for network security, cybersecurity researchers have uncovered a severe breach affecting more than 9,000 Asus routers. The attack, identified as the handiwork of a sophisticated botnet named “AyySSHush,” was first reported by GreyNoise in March 2025.

This incident highlights significant vulnerabilities within router authentication processes. The botnet takes advantage of legitimate features built into the routers to create a persistent SSH backdoor, a breach that proves remarkably resilient against conventional protective measures.

One of the most alarming aspects of this attack is the method by which the backdoor has been implanted. It resides within the router’s non-volatile memory (NVRAM), which means it can withstand firmware updates and device reboots. As a result, attempts to secure the devices through a simple software update are ineffective, leaving users exposed to potential exploitation.

Network administrators and Asus router users alike must remain vigilant in the face of this security threat. Without effective remedies, many devices may continue to operate under the influence of this malicious software, highlighting the need for heightened awareness and advanced security measures in managing network devices.

This incident serves as a reminder of the critical importance of robust cybersecurity practices, particularly as more devices connect to the internet. It underscores the urgent necessity for users to regularly monitor and secure their networks against evolving threats.

Share this content:

Related Posts

One Comment

  1. Thank you for sharing this important security update. The persistence of the SSH backdoor residing in NVRAM indeed poses significant challenges for device remediation through firmware updates alone. In cases like this, it’s recommended to consider the following steps:

    • Perform a deep factory reset: Some vulnerabilities may persist even after firmware reinstallation. A thorough reset, following Asus’s official procedures, can help to wipe customized settings and some potential malicious configurations.
    • Use a specialized firmware restoration tool: Tools like Asus TFTP recovery mode or JTAG can facilitate low-level firmware re-flashing or recovery, which might help to overwrite the compromised memory sections.
    • Inspect and reconfigure network settings: Ensure that SSH access is disabled or restricted to trusted sources, and change default credentials to prevent further exploitation.
    • Consult with Asus support or security professionals: Given the sophistication of this attack, professional assistance or a hardware replacement might be necessary, especially if the device is confirmed to have the malicious backdoor permanently embedded.
    • Monitor network traffic: Regular monitoring can help detect unusual activity indicative of the botnet or malicious access.

    It’s crucial to stay updated with official security advisories from Asus and cybersecurity communities. Implementing layered security measures, such as network segmentation and strict access controls, will also enhance your defenses against persistent

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *