Thousands of ASUS WRT routers, mostly end-of-life or outdated devices, have been hijacked in a global campaign called Operation WrtHug that exploits six vulnerabilities.
Over the past six months, scanners looking for ASUS devices compromised in Operation WrtHug identified "roughly 50,000 unique IPs" around the globe.
Most of the compromised devices have IP addresses located in Taiwan, while others are distributed across Southeast Asia, Russia, Central Europe, and the United States.
Notably, there are no observed infections within China, which may indicate a threat actor from this country, but researchers found insufficient evidence for high-confidence attribution.
According to SecurityScorecard’s STRIKE researchers, based on targeting and attack methods, there may be a connection between Operation WrtHug and the AyySSHush campaign, first documented by GreyNoise in May.
WrtHug global spread
Source: SecurityScorecard
WrtHug attacks
The attacks begin with the exploitation of command injection flaws and other known vulnerabilities in ASUS WRT routers, mostly AC-series and AX-series devices.
According to STRIKE researchers, the WrtHug campaign may leverage the following security issues in attacks: