{"id":3389,"date":"2025-05-30T12:38:53","date_gmt":"2025-05-30T12:38:53","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3389"},"modified":"2025-05-30T12:38:53","modified_gmt":"2025-05-30T12:38:53","slug":"new-botnet-hijacks-ai-powered-security-tool-on-asus-routers","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3389","title":{"rendered":"New botnet hijacks AI-powered security tool on Asus routers"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A newly uncovered botnet is targeting Asus routers \u2014 specifically models RT-AC3100 and RT-AC3200 \u2014 to hijack and repurpose a built-in, AI-powered security feature.<\/p>\n<p>The campaign, detected by GreyNoise in March 2025, employs a multi-stage approach to compromise devices and establish persistent unauthorized access.<\/p>\n<p>\u201cWe are observing an ongoing wave of exploitation targeting ASUS routers, combining both old and new attack methods,\u201d GreyNoise researchers said in a blog post. 
\u201cAfter an initial wave of generic brute-force attacks targeting \u2018login.cgi,\u2019 we observe subsequent attempts exploiting older authentication bypass vulnerabilities.\u201d<\/p>\n<p>GreyNoise said its in-house AI tool, SIFT, flagged suspicious traffic aimed at disabling and exploiting a TrendMicro-powered security feature, AiProtection, enabled by default on Asus routers.<\/p>\n<h2 class=\"wp-block-heading\">Trojanizing the safety net<\/h2>\n<p>Asus\u2019 AiProtection, developed with TrendMicro, is a built-in, enterprise-grade security suite for its routers, offering real-time threat detection, <a href=\"https:\/\/www.csoonline.com\/article\/3997388\/6-rising-malware-trends-every-security-pro-should-know.html\">malware<\/a> blocking, and intrusion prevention using cloud-based intelligence.<\/p>\n<p>After gaining administrative access to the routers, either by brute-forcing or by exploiting known authentication bypass vulnerabilities in \u201clogin.cgi,\u201d the web-based admin interface, the attackers exploit an authenticated command injection flaw (CVE-2023-39780) to create an empty file at \/tmp\/BWSQL_LOG.<\/p>\n<p>Doing this activates the BWDPI (Bidirectional Web Data Packet Inspection) logging feature, a component of Asus\u2019 AiProtection suite aimed at inspecting incoming and outgoing traffic. With logging turned on, attackers can feed crafted (malicious) payloads into the router\u2019s traffic, as BWDPI is not meant to handle arbitrary data.<\/p>\n<p>In this particular case, the attackers use this to enable SSH on a non-standard port and add their own keys, creating a stealthy backdoor. \u201cBecause this key is added using the official Asus features, this config change is persisted across firmware upgrades,\u201d GreyNoise researchers said. 
\u201cIf you\u2019ve been exploited previously, upgrading your firmware will NOT remove the SSH backdoor.\u201d<\/p>\n<p>While GreyNoise did not specify a particular CVE used as an authentication bypass for initial access, Asus recently acknowledged a critical authentication bypass vulnerability, tracked as CVE-2025-2492, affecting routers with the AiCloud feature enabled.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Monitoring SSH access is the only protection<\/strong><\/h2>\n<p>As upgrading the firmware doesn\u2019t guarantee protection, admins are advised to keep checking for unauthorized SSH access, particularly on TCP port 53282, which the botnet uses for persistent remote control.<\/p>\n<p>Additionally, checking the filesystem for a \/tmp\/BWSQL_LOG file can help detect attackers\u2019 abuse of the logging feature. Changing default login credentials can prove effective, too, as brute-force attacks are part of the initial infection method. GreyNoise shared a list of indicators of compromise (IoCs) to build detections from, including IPs, malicious filenames, and SSH-RSA keys.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A newly uncovered botnet is targeting Asus routers \u2014 specifically models RT-AC3100 and RT-AC3200 \u2014 to hijack and repurpose a built-in, AI-powered security feature. The campaign, detected by GreyNoise in March 2025, employs a multi-stage approach to compromise devices and establish persistent unauthorized access. 
\u201cWe are observing an ongoing wave of exploitation targeting ASUS routers, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3390,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3389","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3389"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3389"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3389\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3390"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3389"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3389"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3389"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}