A newly discovered campaign has compromised tens of thousands of obsolete or end-of-life (EoL) ASUS routers around the world, primarily in Taiwan, the United States, and Russia, and connected them to large networks.
This router hijacking activity has been codenamed “Operation WrtHug” by SecurityScorecard’s STRIKE team. Southeast Asia and European countries are other regions where infections have been recorded.
The attack may involve exploiting six known security flaws in the end-of-life ASUS WRT router to gain control of susceptible devices. All infected routers were found to share their own self-signed TLS certificates with expiration dates set to 100 years starting in April 2022.
According to SecurityScorecard, 99% of the services presenting certificates are ASUS AiCloud, a proprietary service designed to allow access to local storage over the Internet.
“This campaign leverages a proprietary AiCloud service with n-day vulnerabilities to gain high privileges on end-of-life ASUS WRT routers,” the company said in a report shared with The Hacker News, adding that while the campaign is not technically an Operational Relay Box (ORB), it bears similarities to other China-related ORBs and botnet networks.
This attack may be propagating by exploiting vulnerabilities tracked as CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492. Interestingly, the CVE-2023-39780 exploit is also associated with another botnet of Chinese origin called AyySSHush (also known as ViciousTrap). Two other ORBs that have targeted routers in recent months are LapDogs and PolarEdge.
Of all the infected devices, seven IP addresses were flagged as having indicators of compromise related to both WrtHug and AyySSHush, potentially indicating that the two clusters are related. That said, there is no evidence to support this hypothesis other than shared vulnerabilities.
Below is a list of router models targeted by the attack.
ASUS Wireless Router 4G-AC55U ASUS Wireless Router 4G-AC860U ASUS Wireless Router DSL-AC68U ASUS Wireless Router GT-AC5300 ASUS Wireless Router GT-AX11000 ASUS Wireless Router RT-AC1200HP ASUS Wireless Router RT-AC1300GPLUS ASUS Wireless Router RT-AC1300UHP
It is currently unclear who is behind this operation, but its widespread targeting of Taiwan and overlap with previous tactics observed in ORB campaigns by Chinese hacker groups suggest it may be the work of unknown China-linked actors.
“This research highlights a growing trend of malicious actors targeting routers and other network devices in mass infection campaigns,” SecurityScorecard said. “These are commonly (but not exclusively) associated with China Nexus actors, who carry out campaigns in careful and calculated ways to expand and deepen their global influence.”
“By chaining command injection and authentication bypass, attackers were able to deploy a persistent backdoor via SSH, exploiting the functionality of legitimate routers to ensure their presence persists across reboots and firmware updates.”
Source link
