Pierluigi Paganini
February 19, 2014
Ars security portal reported that hackers expose eight-month-old weakness in Asus routers by leaving a message on victims’ drives. An Ars reader claimed to have found a strange message browsing the content of his external hard drive, the note was in a text file and advised him that he had been hacked thanks to a critical flaw in the Asus router he used to access the network storage.
“This is an automated message being sent out to everyone effected [sic],” “Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection. You need to protect yourself and learn more by reading the following news article: http://nullfluid.com/asusgate.txt.” states the note in the text file.
The problem is not isolated, many other users have found the message on their machines, the hackers exploited the vulnerability in the Asus routers to have full access to the content of the hard drive.
A few weeks ago on Pastebin were published 13,000 IP addresses of vulnerable Asus routers and a torrent link to more than 10,000 complete or partial lists of files stored on the Asus-connected hard drives.
The flaw affecting the Asus routers was discovered eight months ago, hackers have the “ability to traverse to any external storage plugged in through the USB ports on the back of the router,“. The disconcerting aspect of the discovery is that the researcher Kyle Lovett decided to publicly disclose the vulnerability in Asus routers after privately contacting Asus company and getting a response that the reported behavior “was not an issue.”
Below the list of vulnerable Asus Routers:
I suggest you the reading of the second Kyle Lovett’s post on the subject that includes many details on the flaw.
“Vulnerabilities – Due in large part to an exposed $root share on the NVRAM for Samba service, which was discovered in March of this year by another researcher, on almost all of the above models that have enabled AiCloud service, the end users will find themselves exposed to multiple methods of attack and several dangerous remote exploits. Since authentication can be simply bypassed on the those units running HTTPS WebDav via directory traversal, access to all files which control services on either side of the router are wide open to remote manipulation. All pem and key files are also openly available.”
Asus declared to have fixed the Vulnerabilities in RT-N66U, RT-N66R and RT-N66W Routers, but the attack suffered by the Ars reader demonstrates the existence of still vulnerable Asus routers.
“Needless to say, I am pissed “It was my belief that I had all of these options turned off,” “I definitely have never used AICloud or had it enabled. In fact, the only thing I’ve ever enabled myself is the Samba share. However, the Asus menu is very unclear about what is being shared and with whom. Reported the victim to Ars
I believe the issue is really serious, consider that an attacker could deploy malicious content or illegal files on the victims PC with not negligible legal implications.It’s not a good period for network device manufactures, this morning I published the news on the public disclosure of the exploit to hit Linksys routers and a few weeks ago I reported the large-scale attacks observed in Poland where the Polish Computer Emergency Response Team has documented a series of cyber attacks involved cybercriminals hacking into home routers and changing their DNS settings so they can conduct MITM attacks on online banking connection. According Polish IT security outfit Niebezpiecznik.pl, the attackers probably exploited a flaw in the router firmware ZyNOS router firmware created by ZyXEL Communications and used in many router models from other manufacturers including TP-Link, ZTE, D-Link and AirLive.
Check the setting of your router and carefully update it according instruction provided by manufactures.
(Security Affairs – Asus routers, hacking)
