Malware damaging ASUS routers?

[Ripshod]

What's with all these knee jerk reactions? Reverting back to asus firmware where simply not using the asus extras keeps you safe. I do understand those that have had the recent releases, but the RT-AX86U is still waiting for a fix making reverting to an old asus firmware totally pointless. Read the thread peeps, the best advice is in here.

 

[DJones]

What's with all these knee jerk reactions? Reverting back to asus firmware where simply not using the asus extras keeps you safe. I do understand those that have had the recent releases, but the RT-AX86U is still waiting for a fix making reverting to an old asus firmware totally pointless. Read the thread peeps, the best advice is in here.

Certainly reverting to earlier firmware makes no sense unless it was a bug that didn’t exist in earlier versions. Reverting isn’t going to make it safer.

I think the knee jerk response is we know very little about the vulnerability no CVE to identify what the security vulnerability and malware is doing. We’re only guessing based on the information we’ve collected from reports and the vague information ASUS has provided in their new updates.

Well I understand ASUS likely isn’t fully prepared to release that information because there exists routers without updates still and updates are dependent on users taking the initiative and being informed to update.

For those of us that know of the situation it’s alarming because we’re not seeing or being told the whole picture.

To recap however disabling AICloud, and possible vulnerable features like AIDisk, ASUS DDNS, Download Manager, Remote WAN Access to the web UI Interface, weaker VPN protocols, UPnP, Port Forwarding (unless absolutely necessary), Also Don’t allow SAMBA or SSH directly over WAN, and not manually or from repo install sketchy entware or entware that hasn’t been updated in some time.

Minimizing your surface area of attack will help prevent you from getting this malware.

 

[DJones]

I wonder if there is a way to install Wazuh XDR & SEIM agent on one of these routers. Would be a whole lot better to be able to collect logs and have it inform you of every change and file deletion and malware detected. Can also inform you of possible CVE’s and possible foreign government agencies possibly connected to attacks.

I can see this as being a very powerful tool. Only the agent would need to be installed not the full service. Would require the full service on another Linux computer or docker.

Wazuh - Open Source XDR. Open Source SIEM.

Wazuh is a free and open source security platform that unifies XDR and SIEM protection for endpoints and cloud workloads.

wazuh.com

 

[jksmurf]

To recap however disabling AICloud, and possible vulnerable features like AIDisk, ASUS DDNS...

Whilst disabling ASUS DDNS can’t hurt, I asked a question earlier in the thread about which AICloud services should be disabled and whether Asus DDNS was one of them; here is Tech9's response.

 

[smartbits]

To recap however disabling AICloud, and possible vulnerable features like AIDisk, ASUS DDNS, Download Manager, Remote WAN Access to the web UI Interface, weaker VPN protocols, UPnP, Port Forwarding (unless absolutely necessary), Also Don’t allow SAMBA or SSH directly over WAN, and not manually or from repo installing sketchy entware or entware that hasn’t been updated in some time.

Minimizing your surface area of attack will help prevent you from getting this malware.

Has it been confirmed that enabling UPnP & port forwarding can result in being exposed to this malware?

 

[ColinTaylor]

Has it been confirmed that enabling UPnP & port forwarding can result in being exposed to this malware?

No it is unrelated to this particular malware.

 

[iFrogMac]

I use UPNP to take advantage of a feature in Transmission that can randomize the port each time, so it never uses the same port more than once. I would think, if UPNP was at risk, I might have already been compromised.

 

[Tech9]

This Transmission may transmit a lot of trouble to you with or without UPnP. You may take advantage of a few issues at once.

 

[iFrogMac]

This Transmission may transmit a lot of trouble to you with or without UPnP. You may take advantage of a few issues at once.

I don't typically use it all that much, only if I want to test out a Linux iso torrent. Most of the time I just use the direct download, but sometimes a good torrent can be faster. It just depends.

 

[Tech9]

only if I want to test out a Linux iso torrent

Sure.

 

[iFrogMac]

Well, in terms of UPNP, Gibson research has a tool that's part of ShieldsUp that tests UPNP to see if it is using a variant that's known to be harmful. On Asus and TP-Link routers the test always comes back stealth for me. So, that suggest that I'm OK, and just need to be aware of what software I'm running. I also know that because I prefer Unix based Operating systems to Windows, that while there are threats available, it's still typically safer. This said from about 20+ years of the same usage habits without any real issues. Also keeping an eye on security risks related to those habits .

It's also my understanding that the built in Samba on these routers is version 1 and that's less secure than 2, or 3. I do use SMB sharing on the Mac for local streaming only (LAN) and it's version 3. The only public facing feature I have enabled on the router, is UPNP. Nothing else.

 

[DJones]

UPnP has the same problems as it always has. Their is plenty of articles online detailing it’s issues. “Secure Mode On = a UPnP client can only add port mappings to its own IP address“ is a better security addition, but doesn’t change that clients are still at risk using it. I’m not a security researcher so I’m not going to say it’s a guarantee using it will cause you a problem it just increases your attack surface.

The suggestions I gave are general. DDNS isn’t a good/bad thing. However it does provide a static domain address that can be utilized to target your router no matter what your ip address changes to.

Be a targeted attack, this malware or any other. It’s better to be on the side of caution rather than convenience. If you take precautions your chances of having a bad case of virtual STD’s is less. Utilizing a VPN server tunnel and using something like samba that way is better than these convenience services that throw security to the wind.

Even a VPN server doesn’t “need” DDNS it’s just convenient if you do. You just need a method of learning what your current WAN ip address is. If you run a plex server the dashboard will tell you what your WAN address is when your remote. And there is other third party tools that can do the same. Then just manually adjust your vpn clients endpoint address and connect. This is more obscure than simply using DDNS and security depends on the tool or third party service you use. It may also not be practical if you host services over WAN for others. So take it with consideration and it’s at your discretion what you do with your network.

 

[Paliv]

UPnP is as safe as the devices on your LAN using it. Securing the devices using outbound connections is outside of the scope of UPnP itself. The continued UPnP FUD is ridiculous. If you have clients abusing UPnP you probably have bigger problems.

 

[DJones]

UPnP is as safe as the devices on your LAN using it. Securing the devices using outbound connections is outside of the scope of UPnP itself. The continued UPnP FUD is ridiculous. If you have clients abusing UPnP you probably have bigger problems.

I don’t disagree. And yes there is a lot of FUD when it comes to it. But that’s generally because of user habits causing those bigger problems. The UPnP protocol itself isn’t unsafe it’s things on client systems that abuse it. A clean system won’t abuse UPnP. But if a user is frequently downloading pirated software/media torrents the risk of malware attacks increases considerably and thus UPnP can be abused.

The FUD just comes as a consequence of normal human behaviour.

 

[DJones]

I really wish I could give people the benefit of the doubt they won’t screw their systems up with downloading sketchy stuff or visiting a website that attacks their browser in some way.

But I do know better. Intentionally or not people are dumb. Work as tech support and you’ll have many stories to tell. Well I mean to criticize normal human intellect and behaviour I consider myself to be among the “dumb”. Since we are not born with knowledge, but rather acquire it we are not infallible.

 

[giosita]

In my opinion, it’s probably not only the AICloud services but also the Asus DDNS service that is affected.

Infact, the Asus DDNS service was also vulnerable because the process for updating records did not have specific security safeguards.

A simple request with potentially “valid” data -such as the MAC address of another Asus device, which can be easily found through basic web searches- was enough to modify a record.

In this scenario, a malicious actor could redirect the DDNS record to their own server: this would then capture any unencrypted access credentials (which are not encrypted but merely encoded in Base64) sent by the ASUS Router app, giving them direct access to the device.

This risk, however, only applies *if* web access from the WAN is enabled and the Asus DDNS service is in use.

Details of this vulnerability on the Black Hat Briefing here which includes slides that explain the exploitation process in detail.

At this point, it’s still unclear whether Asus has fixed this flaw (i.e., the lack of proper verification when updating records).

Personally, I am switching to a more secure DDNS provider as a precaution.

 

[iFrogMac]

UPnP has the same problems as it always has. Their is plenty of articles online detailing it’s issues. “Secure Mode On = a UPnP client can only add port mappings to its own IP address“ is a better security addition, but doesn’t change that clients are still at risk using it. I’m not a security researcher so I’m not going to say it’s a guarantee using it will cause you a problem it just increases your attack surface.

The suggestions I gave are general. DDNS isn’t a good/bad thing. However it does provide a static domain address that can be utilized to target your router no matter what your ip address changes to.

Be a targeted attack, this malware or any other. It’s better to be on the side of caution rather than convenience. If you take precautions your chances of having a bad case of virtual STD’s is less. Utilizing a VPN server tunnel and using something like samba that way is better than these convenience services that throw security to the wind.

Even a VPN server doesn’t “need” DDNS it’s just convenient if you do. You just need a method of learning what your current WAN ip address is. If you run a plex server the dashboard will tell you what your WAN address is when your remote. And there is other third party tools that can do the same. Then just manually adjust your vpn clients endpoint address and connect. This is more obscure than simply using DDNS and security depends on the tool or third party service you use. It may also not be practical if you host services over WAN for others. So take it with consideration and it’s at your discretion what you do with your network.

I agree with what you have said here. When I typically want to use a feature, or setting I'll research it first according to my setup, if I don't already have experience with it. In fact Steve would say the same thing turn of features not used, or if you need, or want to use something, do it in the most secure way possible. The other thing I've done is I've also bought a new Router with newer firmware. I only put the RT-AX86U back into use was out of interest for this thread. In terms of UPNP, I did read articles when I had questions and I felt like in some cases it was a copy and paste of a lot of the same info between sites. I also know, that being the Internet, there is also a lot of wrong info posted, or people responding out of fear because they were given wrong info, or they lack the understanding of the situation they should have.

That's why when I need info, I try to find reputable sources only, such as Gibson research, or others that are proven to give correct info that can be backed up with facts vs just someone's opinion, or speculation.
I mainly came here after Apple dropped their Airport line of products and I had to find something new, and had a lot of catching up to do on features and technologies used.

I did get my A+ certification back in 2005, and I've also had some networking training as well. The problem is, things change so fast, and I haven't kept up. So now, I just try to keep my info updated based on my current needs / use.

 

[Tech9]

I've also bought a new Router with newer firmware.

The UPnP version on this one is guaranteed much older than currently available version.

I try to find reputable sources only, such as Gibson research

Mostly outdated information, this site was popular when people were using Netscape to search with Altavista.

 

[iFrogMac]

The UPnP version on this one is guaranteed much older than currently available version.



Mostly outdated information, this site was popular when people were using Netscape to search with Altavista.

I don't even remember how I found this site, I remember AltaVista, and then I started using Google. I still prefer IRC to forums, and my original messengers were AIM, and ICQ. Occasionally MSN. Now I use Facebook Messenger, Telegram, and iMessage. For IRC, when I started I did Undernet, Chatnet, and DALnet as the main three. Today, I still have a connection set to DALnet, but mostly use LibreaChat which forked from Freenode. So, there is some of my history online and what I'm familiar with. The username I used on here is a combination of iFrog and MacinMan, I was going to just use iFrog but I don't think it let me for some reason.

In terms of the UPNP what is the statement "this router" referring to? Asus Routers in general, or the RT-AX86U as it has older firmware from other routers now.

 

[Tech9]

In terms of the UPNP what is the statement "this router" referring to?

Referring to exactly what I quoted from your post. And what you use now or used in the past is totally unrelated to this conversation. My point was your Steve is far from today’s reality.