Particle.news

AyySSHush Botnet Exploits ASUS Flaw to Backdoor Over 9,000 Routers

ASUS rolled out firmware updates for affected models to patch the backdoor exploit

Overview

  • GreyNoise discovered 'AyySSHush' in mid-March and reports over 9,000 ASUS routers have been backdoored via SSH by exploiting CVE-2023-39780.
  • The injected SSH public key persists across reboots and firmware upgrades, allowing stealthy long-term access.
  • ASUS has released firmware updates for impacted models to close the CVE-2023-39780 vulnerability, and users should apply them immediately.
  • Security researchers identified four IP addresses linked to the campaign and advise adding them to block lists to prevent further intrusions.
  • Users can detect infections by checking SSH settings for port 53282 and unauthorized keys, and a factory reset is recommended for thorough removal.
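
The check in the last bullet, written as an added example (not code from GreyNoise, ASUS or this page), audits a saved router settings export for the SSH port and for authorized keys that are not on an approved list. The `name=value` export format and the setting names `sshd_enable`, `sshd_port` and `sshd_authkeys` are assumptions to map onto your own export, and the keys are constructed placeholders.

```python
import base64, hashlib, re

CAMPAIGN_PORT = 53282  # SSH port named on this page

def parse_settings(text):
    """Parse name=value lines; a line without a leading name= continues the previous value."""
    settings, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\w+)=(.*)$", line)
        if m:
            last = m.group(1)
            settings[last] = m.group(2)
        elif last and line.strip():
            settings[last] += "\n" + line
    return settings

def fingerprint(key_line):
    """Return (key type, SHA256 fingerprint) for one key line, ignoring its comment."""
    parts = key_line.split()
    if len(parts) < 2:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return parts[0], "SHA256:" + digest

def audit(text, approved_keys):
    """List findings: SSH enabled, campaign port in use, keys not on the approved list."""
    s, findings = parse_settings(text), []
    if s.get("sshd_enable", "0") != "0":      # assumed setting name
        findings.append("ssh-enabled")
    if s.get("sshd_port") == str(CAMPAIGN_PORT):  # assumed setting name
        findings.append("port-53282")
    approved = {fingerprint(k) for k in approved_keys}
    for line in s.get("sshd_authkeys", "").splitlines():  # assumed setting name
        fp = fingerprint(line) if line.strip() else ("", "")
        if fp is None:
            findings.append("malformed-key")
        elif fp[1] and fp not in approved:
            findings.append("unapproved-key " + fp[1])
    return findings

def _key(label):  # constructed placeholder blob, not a real SSH key
    return "ssh-rsa " + base64.b64encode(label.encode()).decode()

ADMIN_KEY = _key("constructed-admin-key") + " admin@example"
SAMPLE = ("sshd_enable=1\nsshd_port=53282\nsshd_authkeys=" + ADMIN_KEY + "\n"
          + _key("constructed-unknown-key") + "\nhttp_enable=0\n")  # constructed export
```

Keys are compared by type and fingerprint, so a changed comment field on an approved key does not raise a finding and a reused comment on a foreign key does not hide one.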