Your ASUS Router Is a Botnet Now | Tech News of the Week

[00:00:00.05]
Announcer: Welcome to Tech News of the Week with your host, soul crushing ennui.

[00:00:05.15]
Ned: Welcome to Tech News of the Week. This is our weekly Tech News podcast where Chris and I get into four interesting articles that caught our attention. Chris, I'm going to go first. Now, Patch Tuesday can be extra terrifying. One of the things I love about Android apps is the way that they update. They do it quietly and automatically through the Play Store and the native framework of Android, and I don't ever have to think about it. I assume iOS is the same way, but I don't use that crap. Wouldn't it be nice if the software on Windows did something similar? Well, now it can, at least in preview. Microsoft has introduced a Windows Update framework that third-party apps and software packages can take advantage of. Instead of writing custom updaters or just hoping clients download the newest version and install it, now apps will integrate with the Windows Runtime APIs and special PowerShell commands to handle their updates. On the back-end, the same Windows Update software that takes into account your PC's battery life, AC status, current usage, and other factors will decide when and how updates are applied. It also means that update logging, admin policies, and update histories will be available to manage the life cycle of applications.

[00:01:27.29]
Ned: The only downside? Well, I mean, you've been a victim of a bot Windows update at least once, haven't you? I know I have. Now, imagine that multiplied across all the apps on your PC today. What could possibly go wrong? Fortunately, the program is in private preview, so you don't have to worry about rogue updates, ruining your taco Tuesday tostada lunch just yet. Still, you should go easy on the sour cream for your fellow office workers' sake.

[00:01:58.19]
Chris: Nist and CISA researchers Developers propose a new method of describing vulnerability risks. Exploits are funny things. Sometimes the potential severity of an exploit, in theory, far exceeds its severity in reality. This is often due to the level of difficulty required in pulling off the exploit, or that the fact that the exploit, while possible, is irrelevant due to the requirements needed to actually make it happen. See my next topic for a great example of this. As a result, it can be tough to decide how important an exploit actually is. If you run a vulnerability scan, for example, and you get back several thousand results, which is not uncommon, even for small to medium-sized companies, how do you begin to address that? An example. If a vulnerability is, say, a year old, but has a CVSS score of 5. 5, should you prioritize it or not? 5. 5 is not super high. The highest score is a 10. But the age of the vulnerability is a problem, as statistically, the longer the vulnerabilities are out there, the more likely they are to be actively exploited in the wild. Security vendors have their own proprietary ways of helping with this.

[00:03:17.04]
Chris: There are also public lists such as known exploited vulnerabilities or the kev list, which tells you if an exploit has actually been observed in the wild. This is versus the more standard CVS The SS system, common vulnerability scoring with the famous 1-10 level of severity. The new proposal would try to split the difference between these two. It's called Likely Exploited Vulnerabilities or LEV. And guess what it does? It checks to see if it's likely, but there's not proof. You didn't guess, so I had to tell you.

[00:03:52.28]
Ned: I'm sorry.

[00:03:54.22]
Chris: It is very much a work in progress, and NIST has announced that they are looking industry partners to help. The more data they have, the better, as there is an inherent truthiness to anything that is predictive like Lev is going to try to be. Still, it's a good start. Maths are good, and a dynamic scoring system would really help people know what to focus on.

[00:04:19.26]
Ned: Maybe they should focus on their ASUS router. Do you own an ASUS router? No, you don't. Somebody else does now. Thousands of ASUS Access routers are currently Moonlighting in a new botnet called iShush. Your guess is as good as mine how to pronounce that. A-y-y-s-s-h-u-s-h. God damn, what is wrong with security people, Chris? After getting hijacked by attackers who are disabling trend micro security features and then strolling in through old vulnerabilities. Discovered by threat intel firm, GreyNoize, back in March, this botnet is now going full throttle, infecting over 8,000 routers. Initially, the attacker started with generic brute force attacks, then escalated to exploiting older authentication bypass bugs and CVE-2023-39780 to sneak in and run commands. 2023 tells you how old that particular bypass is. Once in, the botnet activates SSH, binds it to a non-standard port, and drops in a public key, all using the official ASUS features inside the router, which effectively creates a backdoor that survives hardware updates, patches, and all your hopes and dreams. The culprits are disabling logging and Trend Micro's AI protection on the router to help avoid intrusion detection as they dig deeper into your network. More impressive is how quickly the attack occurs.

[00:05:52.07]
Ned: Just three HTTP posts can get the job done, especially on routers left with factory default settings, which is way too many of them. Targeted models include the RT-AC-3100, RT-AC-3200, and the still popular RT-AX-55. Asus has since patched the bugs. Remember that 2023 thing? But most folks aren't updating their routers on the regular. If you think you've been hit, a firmware update will not do it. Factory reset that router or just buy an actual good piece of network equipment.

[00:06:28.06]
Chris: Don't open SSH or HTTP to the internet on your freaking router. What are you doing? Anyway, Microsoft Defender tricked into shutting itself down so the mal can wear. I thought that was very clever. You're a clever guy. More like Microsoft Defend doesn't, though. Am I right? Microsoft Defender, maybe not. I'll work on it. All right. This past week, a security researcher posted a tool called DefendNot on GitHub with the straight to the point description of, quote, an even funnier way to disable Windows Defender through WSC API, unquote. Basically, Windows has a lot of power over Defender. This is not surprising, considering it is a Microsoft product as well, and it's basically baked into the operating system. Windows additionally has the power to turn on and turn off Defender. It doesn't want to do that, obviously. But if, say, you have another registered third-party defense tool installed, it will. It's not a good idea to have two AV tools running at the same time. It's just asking for trouble. And this ability is exactly what defendNot exploits. By using friend of the show, Undocumented API feature in the Windows Security Center, defendNot can tell Windows that IT...

[00:07:54.04]
Chris: I'm sorry, IT, good God. Defendnot can tell Windows that it will be handling device protection. The security center behaves as expected and disables defender. Hopefully, you have alerts going to a SIM and you'll get notifications about that, at least. Right? Right. Eight. The way this works is still a tad on the complicated side. You would have already had to have given defend not administrator rights, which would allow it to manipulate a trusted process. If an attacker has gotten that far, it's likely that they don't need defender to be disabled anymore, at least not in this fashion. But still, as the researcher points out, it's pretty funny that it's actually possible. As of recording, defender is aware of defend not, and it will quarantine it. Whatever, man, it's still funny.

[00:08:49.15]
Ned: All right, that's it. We're done now. Go away. Bye..