
Malware damaging ASUS routers?


Judging by Skynet's top targeted ports, the vulnerability doesn't seem to be a widely spread issue. AiCloud opens port 8082, which doesn't even appear in the list.

Personally I wouldn't use AiCloud or open any port to the internet.
If you wish to have access to your files over the Internet, always use a VPN; we already have access to some solid mods for Asus routers which achieve that, such as Tailmon.


ports.png
 
Have you been through the whole list and not just the top10? 8082 does get probed just like any other port.
 
Did some digging with SSH and here are the results:

Port 8082 First Tracked On Oct 31 19:36:13
Port 8082 Last Tracked On Nov 5 16:28:23
75 Attempts Total
63 Unique IPs


Not trying to undermine the issue but based on the results 75 hits is nothing compared to what other routers are getting such as routers running on MikroTik OS which got around 1.2k hits.

There are other services that also run on port 8082 so it's hard to pinpoint the true intent of the hits.

 
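The per-port figures in the post above (first and last seen, total attempts, unique source IPs) can be derived from firewall log lines. This is an added example, not code from the thread or from Skynet. It assumes netfilter LOG-style lines carrying `SRC=` and `DPT=` fields; the sample lines and the names `sample_log` and `port_stats` are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise inbound probes to one destination port from
# netfilter LOG-style syslog lines (the SRC=/DPT= key=value layout is assumed).

# Constructed sample lines; addresses come from documentation ranges.
sample_log() {
cat <<'EOF'
Oct 31 19:36:13 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40211 DPT=8082
Nov  1 02:11:47 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51820 DPT=23
Nov  3 08:02:59 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51822 DPT=8082
Nov  4 21:40:05 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=33012 DPT=18082
Nov  5 16:28:23 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40987 DPT=8082
EOF
}

# port_stats PORT   (log is read from stdin)
# Prints: attempts=<n> unique_ips=<n> first="<timestamp>" last="<timestamp>"
port_stats() {
    awk -v port="$1" '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # Exact field comparison, so DPT=18082 is not counted as 8082.
        if (dpt != port || src == "") next
        ts = $1 " " $2 " " $3
        if (n == 0) first = ts
        last = ts
        n++
        # Count each source address once; repeat probes only raise "attempts".
        if (!(src in seen)) { seen[src] = 1; uniq++ }
    }
    END {
        printf "attempts=%d unique_ips=%d first=\"%s\" last=\"%s\"\n", n, uniq, first, last
    }'
}

sample_log | port_stats 8082
```

The gap between attempts and unique IPs shows how many sources came back more than once; the port number alone does not say which service a probe was aimed at.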

Yeah, but if those 75 events are targeted directly at AiCloud? As things stand it only takes 1 to be successful.
The good thing is Skynet caught those 75. Would the default firewall catch them?
When AiCloud is active the firewall ignores port 8082 and lets the traffic through. A great place to be if you want to exercise some malice.
 
Yep there needs to be some kind of 2FA solution for AiCloud.

No idea how the default firewall behaves; I guess it just drops everything which isn't port forwarded.
 
Asus put up a new notice (11/4/2024) on their Product Security Advisory page that includes disabling a number of remote access features including AiCloud and AiDisk for certain routers, for other routers they list updated firmware (see following link for router list and links to their firmware):
11/04/2024 New firmware Update for Enhanced security
ASUS has released several firmware updates to enhance security. These firmware improvements include the following:
  1. Optimized memory management mechanisms, improving system efficiency and stability.
  2. Strengthened input validation and data processing workflows, further protecting your information security.
  3. Improved web rendering engine, enhancing browsing experience and security.
  4. Enhanced security of system command processing to guard against potential malicious operations.
  5. Perfected JavaScript-related security mechanisms, offering a more secure web interaction environment.
We recommend regularly checking your equipment and security measures for enhanced safety.
• Update your router with the newest firmware. We encourage you to do this when new firmware becomes available. You can find the newest firmware on the ASUS support page at https://www.asus.com/support/ or the relevant product page at https://www.asus.com/Networking/. ASUS has provided a link to new firmware for some routers at the end of this notice.
• Use different passwords for your wireless network and router-administration page. Use passwords that have at least 10 characters, with a mix of capital letters, numbers and symbols. Do not use the same password for more than one device or service.
Please ensure that your login and WiFi passwords are secure if you cannot upgrade the firmware promptly.
For further help with router setup and an introduction to network security, please visit
https://www.asus.com/support/FAQ/1008000
https://www.asus.com/support/FAQ/1039292
Please update the firmware for the models listed to the version specified in the table.

<snip huge list of routers - see above Product Security URL for full list of routers>

If your router is listed below, follow these steps to secure it:
• Disable remote access services such as WAN access, AiDisk, AiCloud, FTP, Download Master, VPN, Port Forwarding.
Applicable Routers: Blue Cave, RT-AC1200, RT-AC1200HP, RT-AC1300GPLUS, RT-AC1300UHP, RT-AC1750, RT-AC3200, RT-AC51U, RT-AC51UPLUS, RT-AC52U, RT-AC52U_B1, RT-AC54U, RT-AC55U, RT-AC55UHP, RT-AC56R, RT-AC56U, RT-AC58U, RT-AC66R, RT-AC66U, RT-AC66W, RT-AC750, RT-AC85U, RT-AC87R, RT-AC87U, RT-ACRH13, RT-N14U, RT-N14UHP, RT-N16, RT-N18U, Lyra, Lyra mini, Lyra voice.
For those who don't want to read the full quoted language, here are the routers on which they suggest one disable remote access services such as WAN access, AiDisk, AiCloud, FTP, Download Master, VPN, Port Forwarding:
Applicable Routers: Blue Cave, RT-AC1200, RT-AC1200HP, RT-AC1300GPLUS, RT-AC1300UHP, RT-AC1750, RT-AC3200, RT-AC51U, RT-AC51UPLUS, RT-AC52U, RT-AC52U_B1, RT-AC54U, RT-AC55U, RT-AC55UHP, RT-AC56R, RT-AC56U, RT-AC58U, RT-AC66R, RT-AC66U, RT-AC66W, RT-AC750, RT-AC85U, RT-AC87R, RT-AC87U, RT-ACRH13, RT-N14U, RT-N14UHP, RT-N16, RT-N18U, Lyra, Lyra mini, Lyra voice.
 
RT-AX88U needs to be on that list too.
 
The list is referring to ASUS routers that do not have the firmware updates listed above in the security advisory. The AX models have these updates.
 
There are no updates for AX routers. AX routers are getting infected, and my RT-AX88U hasn't had an official firmware update since March.
 
The most impacted models are neither on the list of those that received an update nor on the list of those for which it’s recommended to disable all potentially risky services.

So, there are two possible scenarios here:
  1. They’re actively working on a specific fix that hasn’t yet been released;
  2. They’re simply ignoring these particular models, either because they haven’t found a solution or they attempted one and failed.
I’ll give it a few more days, as I still have a bit of faith in the process.

Meanwhile, my RT-AX86U remains offline.
 
Asus put up a new notice (11/4/2024) on their Product Security Advisory

No word about what we discuss here, unfortunately. If still no solution is found, at least some kind of warning would be nice. I understand destructive hacking may be seen as an opportunity to sell more devices, but the silence may push the customers to other brands.
 
Meanwhile, my RT-AX86U remains offline.
No need really. Just don't enable AiCloud or any of the other "features" mentioned in this thread.
In an ideal world option #1 would be the truth.
 
Sure, I could. But the point is that maybe I chose that model precisely for those features. And even if I didn't need them, it's still a matter of principle and fairness - even if it were just admitting, 'Hey, we can't guarantee the safety of those models, we're sorry about that.'
 
-just for a laugh- Anyway, this really makes me think about those lousy models, with embarrassing performance and stripped-down features, that providers usually offer. Now I get it. They’re the perfect example of ‘what’s not there, can’t break.’ 😂
 
Would this be considered a temporary fix in the meantime or permanent?

 
As permanent as you want it to be, just like any workaround. I never used AiCloud so I've no worries.

*edit* This attack vector has been seen before, a while ago though - CVE-2013-4937. Asus fixed that one pretty quick, but I wonder if their firmware developers opened the door again.
 
Ax82u and ax96u models are infected as well. Even though I updated to the latest firmware (I am an Ax82u user), the WAN spikes started and broke my WiFi 2.4 GHz and 5 GHz performance by doing factory reset on the firmware that is supposed to secure the hack. Strangely enough, it is not doing a proper factory reset, not even using the hard method (WPS button) to restore even the wifi are code or partitions of the router again.
 
