This post is also available in:
עברית (Hebrew)
A sophisticated cyber campaign is targeting Asus WiFi 6 routers, leaving persistent backdoors that remain even after firmware updates. Security researchers have identified the threat as a stealthy botnet operation known as AyySSHush, which has already compromised nearly 9,000 devices globally.
The attack exploits a known command injection vulnerability (CVE-2023-39780) in the Asus RT-AX55 router. Threat actors are using a combination of brute-force login attempts and previously disclosed authentication bypass flaws to gain access. Once inside, they activate Secure Shell (SSH) access on a custom port (TCP/53282) and insert their own public keys, granting them remote control of the device.
What makes this campaign particularly dangerous is the way the attackers maintain long-term access. Instead of deploying traditional malware, they exploit built-in router features to silently take control. The malicious configuration is stored in non-volatile memory (NVRAM), which survives firmware updates and system reboots.
Asus has issued a firmware patch to address the vulnerability. However, if the router was compromised before being updated, the backdoor remains active. Remote access continues unless users manually inspect and remove the attacker’s configuration.
The ongoing operation has been flagged by GreyNoise, a threat intelligence platform, which warns that the attackers are likely laying the foundation for a larger botnet. Possible uses include proxying future cyberattacks or launching distributed denial-of-service (DDoS) campaigns. The attack pattern shows a high degree of technical knowledge, with minimal observable network traffic—only 30 related requests were seen over three months.
To protect against this threat, GreyNoise advises users to:
- Install the latest firmware updates.
- Check for unauthorized SSH access on TCP/53282.
- Inspect the authorized_keys file for suspicious entries.
- Disable remote management features unless absolutely necessary.
- Perform a full factory reset if compromise is suspected.
As router-based attacks grow more advanced, these devices—often overlooked in home and enterprise security—have become prime targets for long-term exploitation.
