Of course it's ASUS.

Darknet Diaries aired an episode back in 2017[1] that discusses the widespread vulnerabilities of ASUS routers. This latest development comes as no surprise.

[1] https://darknetdiaries.com/episode/5/

ASUS is especially bad at security all around.

Another example: https://github.com/advisories/GHSA-x6hq-v32r-w2qr

Guess they are competing with Cisco, eh?

It sounds like Asus screwed up and made the admin UI and SSH accessible via the WAN port, which is a huge issue in itself.

Disabling the 'backdoor' seems to just involve disabling SSH.

> Disabling the 'backdoor' seems to just involve disabling SSH.

Maybe. My guess these are essentially Linux systems, so if attackers know that their exploits are widely known then they will likely try to figure out ways to install kernel mod rootkits.

It'll then end up in a situation with Windows XP/Vista days were IT desktop support staff would run malware removal tools to get rid of porn pop-ups on desktops only to have "reinfections" pop up a day or week or two later.

They'd blame users for this, but really they just never actually removed the command and control botnet features. They just addressed their payloads. The machines were never actually fixed in the first place.

> Maybe. My guess these are essentially Linux systems

IIRC ASUS router firmware is based on an old fork of Tomato, which is a Linux based router OS.

Yeah the article says the fix is just a factory reset or disabling SSH, so at least it's easy to solve this one.

For a home user, you can also set SSH to be Local LAN only, which is how I have mine set anyway.

> screwed up and made the admin UI and SSH accessible via the WAN port

Fun fact: Supermicro motherboards do this by default too if you don't connect anything to their dedicated BMC network port: https://www.supermicro.com/manuals/other/IPMI_Users_Guide.pd...

It's a Shared Port feature and you still need to assign an address to it somehow. You won't get the SSH for the BMC on you OSE public address.

It is quite funny and insane, that there isn't any quality vendors in the router/switch market (though can't say anything of $10k+ hardware). Same phenomenon is with domain name registrars (except one or two are feasible). Oh, and printer market (one or two are feasible).

AVM Fritzboxes are pretty good, no shenanigans and lots of features. Not the best for maximun WiFi or DSL speed at the longest ranges.

MikroTik, mentioned in this thread, are very solid and way <10K$...

Banana Pi BPI-R3 with OpenWRT is how learned to deal with crappy consumer "wifi router" devices without breaking the bank.

Very effective.

I reached a similar point where I was done dealing with crappy consumer gear but even OpenWRT didn't help my situation much because the hardware I had was just plain bad.

That's when I decided to switch to Mikrotik routers and Ubiquity for APs and have had no regrets about that decision other than the relatively steep learning curve.

Similar here. I use Protectli firewalls that use CoreBoot and are hardware optimized to be overpowered routers. I install Alpine Linux on them.

VyOS is another good option.

I wonder if these backdoors also exist on devices with the Asuswrt-Merlin[1] 3rd party firmware, which are forks of the official firmwares + a bunch of stuff.

1: https://www.asuswrt-merlin.net

"Malware-free backdoors"? What does that mean?

The attackers are using features built into the firmware. They don't have to install any of their own software.

It's accessing the router via the built in SSH server, so no malware needs to be installed on the router.

It's a bug or a misconfiguration, here a misconfiguration included in default config.