- GreyNoise finds a new hacking campaign aimed at ASUS hardware
- Threat actors are exploiting poorly secured routers to obtain initial access
- They abuse known flaws to establish persistent access and build a botnet
Thousands of ASUS routers have been compromised and turned into a malicious botnet after hackers exploited a worrying security vulnerability, experts have warned.
“This appears to be part of a stealthy operation to assemble a distributed network of backdoored devices, potentially laying the groundwork for a future botnet,” said cybersecurity researchers at GreyNoise, who first observed the attacks in mid-March 2025.
Using SIFT (GreyNoise's network analysis tool) and a fully emulated ASUS router profile running in the GreyNoise global observation network, the researchers determined that the threat actors first breached the routers through brute force and authentication bypass.
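The initial-access step described above, repeated failed logins against the router's administrative interface, is something a defender can spot in forwarded router logs. The following is an added example and not code from GreyNoise or ASUS: it runs a sliding-window brute-force detector over a few constructed syslog-style lines. The log line format, the `httpd` tag, and the IP addresses are assumptions made up for the example, not the format ASUS firmware actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (the format is an assumption for this example,
# not ASUS's real log format): timestamp, daemon, login result, user, source IP.
SAMPLE_LOG = """\
2025-03-15T02:14:01 httpd: login failed for admin from 203.0.113.7
2025-03-15T02:14:02 httpd: login failed for admin from 203.0.113.7
2025-03-15T02:14:02 httpd: login failed for root from 203.0.113.7
2025-03-15T02:14:03 httpd: login failed for admin from 203.0.113.7
2025-03-15T02:14:05 httpd: login failed for admin from 203.0.113.7
2025-03-15T02:14:09 httpd: login succeeded for admin from 203.0.113.7
2025-03-15T02:20:00 httpd: login failed for admin from 198.51.100.4
2025-03-15T03:20:00 httpd: login failed for admin from 198.51.100.4
2025-03-15T04:20:00 httpd: login failed for admin from 198.51.100.4
2025-03-15T05:20:00 httpd: login failed for admin from 198.51.100.4
2025-03-15T06:20:00 httpd: login failed for admin from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) httpd: login (?P<result>failed|succeeded) "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, source_ip, result) for every line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["result"]


def find_bruteforce(text, threshold=5, window_seconds=60):
    """Flag source IPs that produce >= threshold failed logins inside any
    sliding window of window_seconds.

    Returns {ip: (failures_in_window, success_after_burst)}. The second field
    becomes True if the same IP later logs in successfully, which is the
    pattern that most deserves a follow-up: a burst of failures ending in access.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for ts, ip, result in parse_events(text):
        if result == "failed":
            q = recent[ip]
            q.append(ts)
            # Drop failures that fell out of the window.
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                flagged[ip] = [len(q), False]
        elif ip in flagged:
            flagged[ip][1] = True
    return {ip: tuple(v) for ip, v in flagged.items()}


if __name__ == "__main__":
    for ip, (count, got_in) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins in window, success afterwards: {got_in}")
```

With the defaults, only the fast burst from 203.0.113.7 is flagged, and its later successful login raises the severity; the slow, hourly attempts from 198.51.100.4 are only caught when the window is widened to several hours, which is the trade-off to keep in mind for a campaign the page describes as stealthy.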
Advanced operations
These poorly configured routers were easy pickings for the attackers, who then went on to exploit a command injection flaw to execute system commands.
The flaw is tracked as CVE-2023-39780 and has a severity score of 8.8/10 (high).
The vulnerability was first published in the National Vulnerability Database (NVD) on September 11, 2023, and ASUS has since released firmware updates to address it.
“The tactics used in this campaign (stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection) are consistent with those observed in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay networks (ORB),” GreyNoise further explains.
“While GreyNoise has not made an attribution, the level of tradecraft suggests a well-resourced and highly capable adversary.”
The attackers use the ability to run system commands to install a backdoor stored in non-volatile memory (NVRAM).
This means the access they establish survives both reboots and firmware updates. Attackers can maintain long-term access without dropping malware to disk or leaving other obvious traces.
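Because the persistence lives in NVRAM rather than on disk, a firmware reflash does not remove it, so the useful defender check is to compare the router's current NVRAM variables against a known-good baseline taken before exposure. The following is an added example, not code from GreyNoise or ASUS: it parses two constructed `key=value` dumps in the form that `nvram show` prints on ASUSWRT-based firmware, reports added, changed and removed variables, and marks values that look like key material or shell command fragments. The variable names (`example_authkeys` and the like), the dump contents, and the "suspicious value" heuristic are all assumptions for the example, not a statement of which keys this campaign modified.

```python
import re

# Constructed baseline dump, taken (hypothetically) from a freshly flashed router.
# Keys are illustrative placeholders, not the campaign's real indicators.
BASELINE_DUMP = """\
lan_ipaddr=192.168.50.1
sshd_enable=0
wan_proto=dhcp
firmware_version=example_baseline
"""

# Constructed dump from the same router later on: one variable changed, one added.
CURRENT_DUMP = """\
lan_ipaddr=192.168.50.1
sshd_enable=1
wan_proto=dhcp
firmware_version=example_baseline
example_authkeys=ssh-rsa AAAAB3PLACEHOLDERKEYMATERIAL example@host
"""

# Heuristic (an assumption for this example): values carrying SSH public-key
# prefixes or shell metacharacters deserve a closer look, whatever the key name.
SUSPICIOUS_VALUE = re.compile(r"ssh-(rsa|ed25519|ecdsa)|[;|`]|\$\(")


def parse_nvram(text):
    """Parse `key=value` lines into a dict; blank lines and lines without '=' are skipped.
    Only the first '=' splits, so values may themselves contain '='."""
    variables = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        variables[key.strip()] = value
    return variables


def diff_nvram(baseline_text, current_text):
    """Return (added, removed, changed) between two dumps.
    added/removed map key -> value; changed maps key -> (old, new)."""
    base, cur = parse_nvram(baseline_text), parse_nvram(current_text)
    added = {k: cur[k] for k in cur.keys() - base.keys()}
    removed = {k: base[k] for k in base.keys() - cur.keys()}
    changed = {k: (base[k], cur[k]) for k in base.keys() & cur.keys() if base[k] != cur[k]}
    return added, removed, changed


def review_nvram(baseline_text, current_text):
    """Produce a sorted list of (kind, key, looks_suspicious) findings for a reviewer.
    Every deviation from baseline is reported; the flag only prioritises them."""
    added, removed, changed = diff_nvram(baseline_text, current_text)
    findings = []
    for key, value in sorted(added.items()):
        findings.append(("added", key, SUSPICIOUS_VALUE.search(value) is not None))
    for key, (_old, new) in sorted(changed.items()):
        findings.append(("changed", key, SUSPICIOUS_VALUE.search(new) is not None))
    for key in sorted(removed):
        findings.append(("removed", key, False))
    return findings


if __name__ == "__main__":
    for kind, key, suspicious in review_nvram(BASELINE_DUMP, CURRENT_DUMP):
        marker = "!!" if suspicious else "  "
        print(f"{marker} {kind:<8} {key}")
```

On the constructed input this reports the added `example_authkeys` variable as suspicious (its value carries an SSH public-key prefix) and the flip of `sshd_enable` from 0 to 1 as a plain change; either one on a router that was never deliberately reconfigured is worth treating as a possible persistence artifact, and since NVRAM survives a reflash, the remediation has to include resetting or clearing NVRAM, not just updating firmware.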
We do not know exactly how many devices are compromised, other than that there are “thousands”, with the number “steadily increasing.”