Thousands of Asus routers have been hacked and are under the control of a suspected China-state group that has yet to reveal its intentions for the mass compromise, researchers said.
The hacking spree is either primarily or exclusively targeting seven models of Asus routers, all of which are no longer supported by the manufacturer, meaning they no longer receive security patches, researchers from SecurityScorecard said. So far, it’s unclear what the attackers do after gaining control of the devices. SecurityScorecard has named the operation WrtHug.
Staying off the radar
SecurityScorecard said it suspects the compromised devices are being used similarly to those found in ORB (operational relay box) networks, which hackers primarily use to conceal their identity while conducting espionage.
“Having this level of access may enable the threat actor to use any compromised router as they see fit,” SecurityScorecard said. “Our experience with ORB networks suggests compromised devices will commonly be used for covert operations and espionage, unlike DDoS attacks and other types of overt malicious activity typically observed from botnets.”
Compromised routers are concentrated in Taiwan, with smaller clusters in South Korea, Japan, Hong Kong, Russia, central Europe, and the United States.
The Chinese government has been caught building massive ORB networks for years. In 2021, the French government warned national businesses and organizations that APT31—one of China’s most active threat groups—was behind a massive attack campaign that used hacked routers to conduct reconnaissance. Last year, at least three similar China-operated campaigns came to light.
Russian-state hackers have been caught doing the same thing, although not as frequently. In 2018, Kremlin actors infected more than 500,000 small office and home routers with sophisticated malware tracked as VPNFilter. A Russian government group was also independently involved in an operation reported in one of the 2024 router hacks linked above.
Consumer routers make an ideal hideout for hackers. The inexpensive gear often runs versions of Linux that, in turn, can run malware that operates behind the scenes. The hackers then log into the routers to conduct malicious activities. Rather than originating from infrastructure and IP addresses defenders know to be hostile, the connections come from benign-appearing devices hosted by addresses with trustworthy reputations, allowing them to receive a green light from security defenses.
During the WrtHug infection process, the routers present a dialog box to connected devices that instructs users to install a self-signed TLS certificate. Asus routers, like those from many other manufacturers, by default require users to accept such certificates in order to encrypt connections between a user and the device when using the web-based administrative interface. Because users are in the habit of approving such requests, they rarely suspect anything is amiss. Self-signed certificates don’t comply with TLS specifications because their users can’t be vetted, and there’s no means to revoke certificates once they are detected as malicious.
The WrtHug campaign uses functionality provided by AICloud, a proprietary Asus service that allows users to access files stored on local machines from the Internet.
So far, the SecurityScorecard researchers haven’t seen any post-exploit behavior coming from the infected routers. Marty Kareem, signals collection engineer at SecurityScorecard, wrote in an interview:
We have yet to observe any malicious payload dropped by the threat actor to compromise these devices, though our access to observe it is limited, as it requires obtaining a compromised device and studying it directly. There are reported instances where volatile binaries were dropped to perform kernel-level changes, and then they erased themselves upon a reboot, leaving only the required changed configuration in place. It is also possible that the actor used no payload at all and leveraged the vulnerabilities to cause direct OS changes (these are feasible with the vulnerabilities we have observed in this campaign). All in all, it is early to determine the exact chain of infection that leads to the end result, or post-exploitation results, which we observed – a high-level access that enables certificate swapping and other admin-level privileges. If I may add one more thing, gaining administrative access to the device at the same level of the device owner is a lot and should not be taken lightly, as that is what most threat actors attempt to achieve in most intrusion campaigns.
Am I infected?
The Asus router models that SecurityScorecard knows to be targeted are:
- Asus Wireless Router 4G-AC55U
- Asus Wireless Router 4G-AC860U
- Asus Wireless Router DSL-AC68U
- Asus Wireless Router GT-AC5300
- Asus Wireless Router GT-AX11000
- Asus Wireless Router RT-AC1200HP
- Asus Wireless Router RT-AC1300GPLUS
- Asus Wireless Router RT-AC1300UHP
The easiest way to determine whether a router has been compromised is to inspect the self-signed certificate, which can be done by following the instructions here. The certificate used by the attackers has an expiration year of 2122, a lengthy time span that valid certificates would never have. Both the issuer and subject fields in the certificate read CN=a,OU=a,O=a,L=a,ST=a,C=aa.
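The certificate check described above, as an added example that is not part of the article or of SecurityScorecard's report: the script parses the summary lines that the openssl CLI prints for a certificate (`openssl x509 -noout -subject -issuer -enddate`), compares the subject and issuer against the CN=a,OU=a,O=a,L=a,ST=a,C=aa value the article gives, and flags an expiry year of 2122. The sample outputs embedded in it are constructed, the 50-year "far future" threshold is an assumed heuristic rather than anything from the report, and the live-fetch helper assumes the openssl binary is on PATH.

```python
"""Check an Asus router's HTTPS certificate for the WrtHug indicators quoted in
the article. Added example; not code from the article or SecurityScorecard."""
import re
import subprocess
from datetime import datetime

# Indicators taken from the article.
WRTHUG_DN = {"CN": "a", "OU": "a", "O": "a", "L": "a", "ST": "a", "C": "aa"}
WRTHUG_EXPIRY_YEAR = 2122
# Heuristic threshold (an assumption, not from the article): a certificate that
# outlives today by more than this many years deserves a closer look anyway.
FAR_FUTURE_YEARS = 50

# Constructed sample outputs in the layout openssl 3.x uses for these options.
SAMPLE_WRTHUG = """\
subject=CN = a, OU = a, O = a, L = a, ST = a, C = aa
issuer=CN = a, OU = a, O = a, L = a, ST = a, C = aa
notAfter=Nov 17 00:00:00 2122 GMT
"""
SAMPLE_BENIGN = """\
subject=CN = example-router.lan
issuer=CN = example-router.lan
notAfter=Nov 17 00:00:00 2026 GMT
"""


def parse_dn(dn_text):
    """Turn 'CN = a, OU = a' or '/CN=a/OU=a' into {'CN': 'a', 'OU': 'a'}."""
    fields = {}
    for part in re.split(r"\s*[,/]\s*", dn_text.strip()):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_openssl_summary(text):
    """Extract subject, issuer and notAfter from the openssl summary lines."""
    info = {}
    for line in text.splitlines():
        if line.startswith("subject="):
            info["subject"] = parse_dn(line[len("subject="):])
        elif line.startswith("issuer="):
            info["issuer"] = parse_dn(line[len("issuer="):])
        elif line.startswith("notAfter="):
            stamp = line[len("notAfter="):].strip()
            info["not_after"] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")
    return info


def assess(info, now=None):
    """Return the names of the indicators that match; empty list means none."""
    now = now or datetime.now()
    hits = []
    if info.get("subject") == WRTHUG_DN and info.get("issuer") == WRTHUG_DN:
        hits.append("wrthug_subject_issuer")
    not_after = info.get("not_after")
    if not_after is not None:
        if not_after.year == WRTHUG_EXPIRY_YEAR:
            hits.append("wrthug_expiry_2122")
        elif not_after.year - now.year > FAR_FUTURE_YEARS:
            hits.append("expiry_far_future")
    return hits


def check_summary(text, now=None):
    """Parse an openssl summary and assess it in one call."""
    return assess(parse_openssl_summary(text), now)


def fetch_summary(host, port=443, timeout=15):
    """Pull the live certificate summary with the openssl CLI (network call;
    assumes openssl is on PATH). Not used by the offline samples above."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-enddate"],
        input=s_client.stdout, capture_output=True, timeout=timeout, check=True)
    return x509.stdout.decode()


if __name__ == "__main__":
    import sys
    # With a router address on the command line, check the live certificate;
    # otherwise run against the constructed WrtHug-style sample.
    summary = fetch_summary(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WRTHUG
    matched = check_summary(summary)
    print("indicators matched:", ", ".join(matched) if matched else "none")
```

Run it with the router's LAN address (for example `python check_cert.py 192.168.50.1`) from a machine on the local network; a result naming both `wrthug_subject_issuer` and `wrthug_expiry_2122` reproduces the two indicators the article lists, while `expiry_far_future` alone only means the certificate is unusually long-lived and should be looked at by hand.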
SecurityScorecard’s report lists other indicators users can examine for other signs of compromise.
People using end-of-life routers and other Internet of Things devices should strongly consider replacing them with ones that receive regular security updates. Disabling AICloud, remote administrator capabilities, SSH, UPnP, port forwarding, and other unnecessary services is also a good precaution, even for users of other router models.