Swedish ISP says ASUS routers hacked, used for DDoS attackes

[Geraner]

The swedish ISP "Bahnhof" published an alert on their Facebook page about, several of their customers have got their ASUS routers hacked which are been used for DDOS attacks. Customers should update their ASUS router firmware asap.

Own translation of message:

Several Bahnhof customers have had their Asus routers hacked and are now being used for DDoS attacks. If you have an Asus, you should immediately update the software / firmware and change to unique and strong passwords.

Just a few days ago, ASUS released a firmware updated for several router modells, as for example:
ASUS RT-AC86U: 2019/11/20

ASUS RT-AC86U Firmware version 3.0.0.4.384.81351
- Fixed a DDoS vulnerability.
- Fixed Let's Encrypt related bugs.
- Fixed folder creating bugs in Samba.
- Fixed dual wan failover bugs while the primary wan type is L2TP.

Is there anything more known to the vulnerablity patched in ASUS routers around the 20th of November 2019?

Also it's questionable which DDoS vulnerability is been used, as previous released firmware updates also "Fixed a DDoS vulnerability".

Date: 2019/09/05

ASUS RT-AC86U Firmware version 3.0.0.4.384.81049
Security fix
- Fixed a DDoS vulnerability. Thanks for Altin Thartori's contribution.

Date: 2019/05/13

ASUS RT-AC86U Firmware version 3.0.0.4.384.45717
- Fixed DDoS vulnerability.

Can't find anything about this on other sites. Anyone else who has more information?

 

[dave14305]

I would not assume that Asus fixing DDoS vulnerabilities in its own code translates to preventing a hacked Asus router being taken over as a DDoS node (or whatever you call it).

But generally, we users will never know what is fixed in the closed-source components of the Asus firmware. All we can do is upgrade to the latest code as soon as possible.

More likely than not, the compromised routers are running very old code that was forgotten about by their owners after setting up the router. Not likely with dorks like us.

 

[dbareis]

More likely than not, the compromised routers are running very old code that was forgotten about by their owners after setting up the router. Not likely with dorks like us.

And probably using original default users and password.



Sent from my ONEPLUS A5010 using Tapatalk

 

[Grisu]

@dbareis: You deleted " before of right bracket after member: 58901, thats why your quote isnt shown correctly.

DDOS fix I would assume makes the router more robust against DDOS attacks, not that it cant be used for such. First someone has to get control and then he could even load older firmware to run his business.

 

[RMerlin]

DDOS fix I would assume makes the router more robust against DDOS attacks,

The fix in recent firmwares was against one specific method of attack.

 

[JIPG]

The fix in recent firmwares was against one specific method of attack.

I am actually using an RT ac87U with the last Merlin FW (384.13_1) available for this model, and the new official firmware that solves this method of attack is not to be included in your new FW 384.14.
I know that it is too much ask for it, but If you could include this patch in the 384.13 FW, at least we could stay on your FW and more secure until next update.

 

[RMerlin]

I am actually using an RT ac87U with the last Merlin FW (384.13_1) available for this model, and the new official firmware that solves this method of attack is not to be included in your new FW 384.14.
I know that it is too much ask for it, but If you could include this patch in the 384.13 FW, at least we could stay on your FW and more secure until next update.

My firmware is not susceptible to this specific attack vector.

 

[JIPG]

My firmware is not susceptible to this specific attack vector.

Then, thank you again for your best class FW (being one step ahead ASUS?)

 

[RMerlin]

(being one step ahead ASUS?)

No, just that it affected a particular piece of code that I wasn't using in my firmware.

 

[podkaracz]

If i had connectivity problems in given times even tho i had latest firmware may it be that my router was used for ddos purposes? Also how to desinfect router (86U) if it got used without my knowledge ?

 

[ColinTaylor]

If i had connectivity problems in given times even tho i had latest firmware may it be that my router was used for ddos purposes?

Probably not.

Also how to desinfect router (86U) if it got used without my knowledge ?

Perform a factory default restore with initialize. That's all you can do if you're already on the latest firmware release.

 

[podkaracz]

Probably not.
Perform a factory default restore with initialize. That's all you can do if you're already on the latest firmware release.

If probably not why 3.0.0.4.384.81351 was made after those attacks and had "ddos protection" as 3rd firmware in a row also initialize wont remove everything from router i think there is some jffs or jffs2 and tmp folders that are not removed or im wrong?

 

[ColinTaylor]

If probably not why 3.0.0.4.384.81351 was made after those attacks and had "ddos protection" as 3rd firmware in a row

Sorry, I misunderstood what you said. I thought you were saying you were having problems now and that you were running the current firmware as of today. But if you think your router is currently infected you need to diagnose the problem rather than just guessing.

also initialize wont remove everything from router i think there is some jffs or jffs2 and tmp folders that are not removed or im wrong?

AFAIK initialize is meant to clear jffs. If you don't think that is happening you can simply SSH into the router and verify the directory contents for yourself. tmp folders are always lost after a reboot.

 

[podkaracz]

Sorry, I misunderstood what you said. I thought you were saying you were having problems now and that you were running the current firmware as of today. But if you think your router is currently infected you need to diagnose the problem rather than just guessing.

AFAIK initialize is meant to clear jffs. If you don't think that is happening you can simply SSH into the router and verify the directory contents for yourself. tmp folders are always lost after a reboot.

I mean thanks for reply but repeating what i just wrote wont help if you could tell me how to "diagnose rather than guess" it would be great thanks.

 

[ColinTaylor]

You'd have to provide a more detailed description of the symptoms before anyone can help you.

 

[podkaracz]

You'd have to provide a more detailed description of the symptoms before anyone can help you.

I mean i already posted symptoms which were connectivity issue in the time the "attacks" were said to happen i remember random connection drops and i was not sure if its my isp, router or something else but after reboot i still did not have internet so it might be some1 using it as ddos node. I think you dont have enough knowledge to help me because even newb like me knows something might be wrong if the connection drops no need some1 to write they agree with it. I want detailed info like go into ssh erase this folder and this cuz it might contain something suspicious u know. For example merlin said those attacks used some code from what ive seen what code and could this possibly infect my router even after firmware upgrade?

 

[maxbraketorque]

I mean i already posted symptoms which were connectivity issue in the time the "attacks" were said to happen i remember random connection drops and i was not sure if its my isp, router or something else but after reboot i still did not have internet so it might be some1 using it as ddos node. I think you dont have enough knowledge to help me because even newb like me knows something might be wrong if the connection drops no need some1 to write they agree with it. I want detailed info like go into ssh erase this folder and this cuz it might contain something suspicious u know. For example merlin said those attacks used some code from what ive seen what code and could this possibly infect my router even after firmware upgrade?

Perform a full reset of your router (there are two levels of reset for the AC86U). If the dropouts happen again, then its not from your router being used for ddos.