
Botnet Emerges as Tens of Thousands ASUS Routers Are Compromised


A newly discovered campaign now compromises tens of thousands of outdated or end-of-life (EoL) ASUS routers worldwide, predominantly in Taiwan, the U.S., and Russia, and it uses them to build a massive network.

The router hijacking activity, which SecurityScorecard’s STRIKE team codenamed Operation WrtHug, also spreads into Southeast Asia and European countries, where researchers have recorded additional infections. Over the past six months, investigators identified more than 50,000 unique IP addresses belonging to these compromised devices around the globe.

The attackers likely exploit six known security flaws in end-of-life ASUS WRT routers, and they use those weaknesses to take control of susceptible devices. Furthermore, all the infected routers share a unique self-signed TLS certificate with an expiration date set for 100 years from April 2022.

SecurityScorecard said 99% of the services presenting the certificate are ASUS AiCloud, a proprietary service that enables access to local storage via the internet.
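The shared certificate is the clearest network-visible indicator in the report: self-signed, and valid for roughly 100 years from April 2022. The following is an added defender-side example, not code from the report or from SecurityScorecard, that scores certificates in the dictionary format Python's `ssl.SSLSocket.getpeercert()` produces and flags the self-signed plus century-long-validity combination across a scan inventory; the sample records, IP addresses and common names are constructed placeholders.

```python
import ssl

# Thresholds derived from the reported indicator: a self-signed certificate
# with a 100-year lifetime. A match is a lead to investigate, not proof.
SUSPICIOUS_VALIDITY_YEARS = 99
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def _name_to_dict(name):
    """Flatten a getpeercert()-style subject/issuer tuple-of-tuples into a dict."""
    return {attr: value for rdn in name for (attr, value) in rdn}


def assess_certificate(cert):
    """Compute validity span (years), self-signed status and pattern match.

    `cert` uses the getpeercert() layout: 'subject', 'issuer', 'notBefore'
    and 'notAfter' (OpenSSL date strings such as 'Apr 10 12:00:00 2022 GMT').
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    years = (not_after - not_before) / SECONDS_PER_YEAR
    self_signed = _name_to_dict(cert["subject"]) == _name_to_dict(cert["issuer"])
    return {
        "validity_years": round(years, 1),
        "self_signed": self_signed,
        "matches_pattern": self_signed and years >= SUSPICIOUS_VALIDITY_YEARS,
    }


def find_suspicious(records):
    """Return the IPs in a scan inventory whose certificate matches the pattern."""
    return [r["ip"] for r in records if assess_certificate(r["cert"])["matches_pattern"]]


# Constructed sample inventory (hypothetical values, not data from the report):
# the first record mimics the indicator, the second is an ordinary one-year cert.
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10",
     "cert": {"subject": ((("commonName", "router.example"),),),
              "issuer": ((("commonName", "router.example"),),),
              "notBefore": "Apr 10 12:00:00 2022 GMT",
              "notAfter": "Apr 10 12:00:00 2122 GMT"}},
    {"ip": "192.0.2.20",
     "cert": {"subject": ((("commonName", "www.example.org"),),),
              "issuer": ((("commonName", "Example CA"),),),
              "notBefore": "Jan 01 00:00:00 2024 GMT",
              "notAfter": "Dec 31 00:00:00 2024 GMT"}},
]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_RECORDS))
```

Because the certificate is self-signed, a live fetch must disable verification and retrieve the DER form, which then needs an X.509 parser to produce this dictionary layout.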

“It leverages the proprietary AiCloud service with n-day vulnerabilities in order to gain high privileges on End-Of-Life WRT routers,” the company said in a report, adding the campaign, while not exactly an Operational Relay Box (ORB), bears similarities with other China-linked ORBs and botnet networks.

Vulnerability

The attackers likely exploit vulnerabilities tracked as CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2023-39780, CVE-2024-12912, and CVE-2025-2492 to expand their access. Interestingly, the exploitation of CVE-2023-39780 also connects to another Chinese-origin botnet dubbed AyySSHush (aka ViciousTrap). In addition, two other ORBs, LapDogs and PolarEdge, have targeted routers in recent months.

Out of all the infected devices, investigators flagged seven IP addresses for exhibiting signs of compromise associated with both WrtHug and AyySSHush, which raises the possibility that the two clusters share a connection. That being said, researchers still lack evidence to back this hypothesis beyond the shared vulnerability.

The router models targeted in the attacks are listed below:

  • ASUS Wireless Router 4G-AC55U
  • ASUS Wireless Router 4G-AC860U
  • ASUS Wireless Router DSL-AC68U
  • ASUS Wireless Router GT-AC5300
  • ASUS Wireless Router GT-AX11000
  • ASUS Wireless Router RT-AC1200HP
  • ASUS Wireless Router RT-AC1300GPLUS
  • ASUS Wireless Router RT-AC1300UHP

It’s currently not clear who orchestrates the operation, but the extensive targeting of Taiwan and overlaps with previous tactics observed in ORB campaigns from Chinese hacking groups suggest an unknown China-affiliated actor may stand behind it.

“This research highlights the growing trend of malicious threat actors targeting routers and other network devices in mass infection operations,” SecurityScorecard said. “These are commonly (but not exclusively) linked to China Nexus actors, who execute their campaigns in a careful and calculated manner to expand and deepen their global reach.”

“By chaining command injections and authentication bypasses, threat actors have managed to deploy persistent backdoors via SSH, often abusing legitimate router features to ensure their presence survives reboots or firmware updates.”

Source: TheHackerNews
