Pierluigi Paganini@securityaffairs.com
GreyNoise researchers have uncovered a significant and stealthy campaign exploiting ASUS routers, leading to the formation of a new botnet dubbed "AyySSHush". This long-running operation has compromised thousands of ASUS routers, with numbers steadily increasing. The attackers are gaining unauthorized, persistent access to the devices, effectively establishing a distributed network of backdoors, potentially laying the foundation for a future, larger botnet.
This attack is achieved through a sophisticated, multi-step exploitation chain, showcasing advanced knowledge of ASUS systems. Initial access is gained through brute-force login attempts and previously undocumented authentication bypasses. Attackers then exploit CVE-2023-39780, a command injection vulnerability, to execute system commands. This allows them to enable SSH access on a custom port and insert an attacker-controlled SSH public key, granting persistent remote access.
The AyySSHush botnet's stealth is enhanced by disabling router logging to evade detection and avoiding the installation of any malware. Crucially, the backdoor is stored in non-volatile memory (NVRAM), ensuring it survives both firmware upgrades and reboots. As of late May 2025, data confirmed that over 9,000 ASUS routers had been compromised. This campaign highlights the critical need for prompt patching of router vulnerabilities to prevent exploitation and botnet recruitment.
References:
- cyberinsider.com: A campaign targeting nearly 9,000 ASUS routers globally has given attackers persistent, undetectable access, likely to build a botnet network for future operations.
- The GreyNoise Blog: GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise discovered it with AI-powered tooling, and what defenders need to know.
- Blog: ASUS routers exposed to the public Internet are being compromised, with backdoors being installed. Here's how to find impacted assets on your network.
- www.scworld.com: ASUS router backdoors affect 9K devices, persist after firmware updates
- securityonline.info: Beyond Malware: Stealthy ASUS Router Exploitation Survives Reboots, Builds Botnet
- bsky.app: Over 9,000 ASUS routers are compromised by a novel botnet dubbed "AyySSHush" that was also observed targeting SOHO routers from Cisco
- securityaffairs.com: New AyySSHush botnet compromised over 9,000 ASUS routers, adding a persistent SSH backdoor.
- CyberInsider: 9,000 ASUS Routers Compromised in Stealthy Backdoor Campaign
- BleepingComputer: Botnet hacks 9,000+ ASUS routers to add persistent SSH backdoor
- www.techradar.com: Thousands of Asus routers hacked to create a major botnet planting damaging malware.
- The Register - Security: 8,000+ Asus routers popped in 'advanced' mystery botnet plot
- PCMag UK security: Cybercriminals Hack Asus Routers: Here's How to Check If They Got Into Yours
- eSecurity Planet: Over 9,000 Routers Hijacked: ASUS Users Caught in Ongoing Cyber Operation
- www.itpro.com: Asus routers at risk from backdoor vulnerability
- www.csoonline.com: New botnet hijacks AI-powered security tool on Asus routers
- www.esecurityplanet.com: Over 9,000 ASUS routers were hacked in a stealth cyberattack exploiting CVE-2023-39780.
- cyble.com: Researchers disclosed that attackers have exploited this vulnerability in a widespread and stealthy botnet campaign, compromising over 9,000 ASUS routers and enabling persistent, unauthorized access to the affected devices.
- hothardware.com: Heads up if you have an Asus router in your home or office, as there's a backdoor exploit doing the rounds affecting 9,000 devices and counting.
- techvro.com: GreyNoise has exposed the AyySSHush botnet infecting over 9,000 ASUS routers, urging owners to factory reset devices as firmware updates alone won’t remove the hidden backdoor.
- Techzine Global: A recently discovered botnet has infected thousands of ASUS routers. The malware remains active even after rebooting or updating.
- securityonline.info: AyySSHush: New Stealthy Botnet Backdoors ASUS Routers, Persists Through Firmware Updates
Classification:
- HashTags: #ASUSRouter #Botnet #AyySSHush
- Company: GreyNoise
- Target: ASUS Router Users
- Product: ASUS Routers
- Feature: Backdoor Access
- Malware: AyySSHush
- Type: Malware
- Severity: Major
@securityonline.info
GreyNoise has observed a significant surge, approximately three times the typical level, in exploitation attempts targeting TVT NVMS9000 DVRs. The activity peaked on April 3, 2025, with over 2,500 unique IP addresses scanning for vulnerable devices. The targeted vulnerability is an information disclosure flaw that lets attackers gain administrative control over affected systems, effectively bypassing authentication and executing commands without restriction. Numerous prior reports have identified the TVT NVMS9000 DVR as a target for botnet recruitment, including a GreyNoise update in early March 2025.
The exploitation activity is strongly suspected to be associated with the Mirai botnet, a notorious threat known for targeting vulnerabilities in IoT devices. GreyNoise has identified sufficient overlap with Mirai to support this attribution. Manufactured by TVT Digital Technology Co., Ltd., based in Shenzhen, the NVMS9000 DVRs are used in security and surveillance systems for recording, storing, and managing video footage from security cameras. The company reports serving customers in over 120 countries.
The majority of the malicious IP addresses involved in the exploitation attempts originate from the Asia-Pacific (APAC) region, specifically Taiwan, Japan, and South Korea. However, the top target countries are the United States, United Kingdom, and Germany. Organizations using the NVMS9000 DVR or similar systems are advised to take immediate action to secure their devices. Recommended mitigations include blocking known malicious IP addresses, applying all available patches, restricting public internet access to DVR interfaces, and closely monitoring network traffic for signs of unusual scanning or exploitation attempts.
References:
- The GreyNoise Blog: GreyNoise Observes 3X Surge in Exploitation Attempts Against TVT DVRs — Likely Mirai
- bsky.app: New Mirai botnet behind surge in TVT DVR exploitation
- BleepingComputer: New Mirai botnet behind surge in TVT DVR exploitation
- securityonline.info: TVT DVRs Under Siege: Massive Exploitation Attempts Expose Critical Flaw
- The DefendOps Diaries: Explore the resurgence of the Mirai botnet, its global impact, and advanced exploitation techniques targeting IoT devices.
- Cyber Security News: GreyNoise has detected a significant rise in exploitation attempts targeting TVT NVMS9000 DVRs, a line of digital video recorders primarily used in security and surveillance systems.
- www.scworld.com: Deluge of TVT DVR exploitation attempts likely due to Mirai-based botnet
- bsky.app: A significant spike in exploitation attempts targeting TVT NVMS9000 DVRs has been detected, peaking on April 3, 2025, with over 2,500 unique IPs scanning for vulnerable devices.
- cyberpress.org: Mirai Botnet Variant Targets TVT DVRs to Seize Administrative Control
Classification:
Nathaniel Morales@feeds.trendmicro.com
The Albabat ransomware has evolved, now targeting Windows, Linux, and macOS systems, according to recent research. This marks a significant expansion in the group's capabilities, showcasing increased sophistication in exploiting multiple operating systems. Trend Micro researchers uncovered this evolution, noting the ransomware group leverages GitHub to streamline their operations, enhancing the efficiency and reach of their attacks.
Albabat ransomware version 2.0 gathers system and hardware information on Linux and macOS systems and uses a GitHub account to store and deliver configuration files. This allows attackers to manage operations centrally and update tools efficiently. The GitHub repository, though private, is accessible through an authentication token, demonstrating active development through its commit history.
Recent versions of Albabat ransomware retrieve configuration data through the GitHub REST API, using a User-Agent string labeled "Awesome App." They encrypt files with extensions including .exe, .dll, .mp3, and .pdf, while skipping folders such as Searches and AppData. The ransomware also terminates processes such as taskmgr.exe and regedit.exe to evade detection. It tracks infections and payments through a PostgreSQL database and may sell stolen data.
References:
- Cyber Security News: The Albabat ransomware has expanded its operation by utilizing GitHub to streamline its operation.
- gbhackers.com: The Albabat ransomware group has been observed expanding its operations to target not only Windows but also Linux and macOS systems, marking a significant evolution in its capabilities. They are leveraging GitHub to streamline their ransomware operations.
- : Trend Micro observed a continuous development of Albabat ransomware, designed to expand attacks and streamline operations. The authors seem to be targeting Linux and macOS systems now.
- www.trendmicro.com: New versions of Albabat ransomware have been detected that target Windows, Linux, and macOS devices. The group is utilizing GitHub to streamline their operations.
- hackread.com: New Attacks Exploit Year-Old ServiceNow Flaws – Israel Hit Hardest
- Carly Page: Mastodon: Hackers are ramping up attempts to exploit a trio of year-old ServiceNow vulnerabilities to break into unpatched company instances
- techcrunch.com: TechCrunch: Hackers are ramping up attacks using year-old ServiceNow security bugs to break into unpatched systems
- www.scworld.com: Attacks involving ServiceNow vulnerabilities escalate
- bsky.app: Albabat Ransomware Group Potentially Expands Targets to Multiple OS, Uses GitHub to Streamline Operations https://buff.ly/IWRowB3
- Talkback Resources: New Attacks Exploit Year-Old ServiceNow Flaws - Israel Hit Hardest [app] [exp]
- www.itpro.com: Old ServiceNow vulnerabilities could cause havoc for unpatched customers
- Rescana: ServiceNow Vulnerabilities: Critical Exploits Impacting Israel and Global Systems
- Cyber Security News: Albabat Ransomware Adds Linux and macOS to its Expanding List of Targets
- gbhackers.com: Albabat Ransomware Expands Reach to Target Linux and macOS Platforms
- www.cysecurity.news: Albabat Ransomware Evolves with Cross-Platform Capabilities and Enhanced Attack Efficiency
- ciso2ciso.com: New versions of the Albabat ransomware target Windows, Linux, and macOS, and retrieve configuration files from GitHub. The post appeared first on SecurityWeek.
Classification:
- HashTags: #Ransomware #GitHub #CrossPlatform
- Company: Trend Micro
- Target: Windows, Linux, and macOS systems
- Attacker: Albabat group
- Product: Albabat
- Feature: ransomware
- Malware: Albabat
- Type: Ransomware
- Severity: Major