POST https://kbin.spritesserver.nl/f/inbox

SharedInboxController

Request

GET Parameters

None

POST Parameters

None

Uploaded Files

None

Request Attributes

Key Value
_controller
"App\Controller\ActivityPub\SharedInboxController"
_firewall_context
"security.firewall.map.context.main"
_route
"ap_shared_inbox"
_route_params
[]
_security_firewall_run
"_security_main"
_stopwatch_token
"ee0418"

Request Headers

Header Value
accept
"*/*"
accept-encoding
"gzip"
content-length
"13599"
content-type
"application/activity+json"
date
"Sun, 01 Jun 2025 20:23:55 GMT"
digest
"SHA-256=A+Uz1Ndi5HMzEwuiYWHI22wmGxJP+isxTKvhBddtB5g="
host
"kbin.spritesserver.nl"
signature
"keyId="https://lemmy.ml/c/privacy#main-key",algorithm="hs2019",headers="(request-target) content-type date digest host",signature="w/df/JltsDocyQRSN0x0UU1L6z+Ai3k3Xxk31wpxfdKTCz7cBh39G7hO3uC6UVJVa70gYDhtSM7oY6Iz5QPvwkz0XdDbhOK9vho5dCk+6+mg5WSHezSONDVUDV5wi3EFahfo9HRYUr6JkOLbALOE3Flscf2EbkXeULa13Vz5CIu6tTFC/xuPkpylF5YlZ4RQXNZitRcRjnDFrC5txOrYbKKHPFKh+jeSwNkYdJGQTa8KLvBp7ED4HQCjpjrbf1brgG+H36/bqGpohatvpTbT3nYXBnK6RIzCZ2nXvOuEjvqsuCZtBMhxPSB3GNfZpi4nylfMlRzWTjbDvHUdN0+ozA==""
user-agent
"Lemmy/0.19.12-beta.8; +https://lemmy.ml"
x-php-ob-level
"1"

Request Content

Pretty

{
    "@context": [
        "https:\/\/join-lemmy.org\/context.json",
        "https:\/\/www.w3.org\/ns\/activitystreams"
    ],
    "actor": "https:\/\/lemmy.ml\/c\/privacy",
    "to": [
        "https:\/\/www.w3.org\/ns\/activitystreams#Public"
    ],
    "object": {
        "id": "https:\/\/hexbear.net\/activities\/create\/cab754df-fcaa-41a0-bb75-0cc9eed15c45",
        "actor": "https:\/\/hexbear.net\/u\/stupid_asshole69",
        "@context": [
            "https:\/\/join-lemmy.org\/context.json",
            "https:\/\/www.w3.org\/ns\/activitystreams"
        ],
        "to": [
            "https:\/\/www.w3.org\/ns\/activitystreams#Public"
        ],
        "object": {
            "type": "Note",
            "id": "https:\/\/hexbear.net\/comment\/6202373",
            "attributedTo": "https:\/\/hexbear.net\/u\/stupid_asshole69",
            "to": [
                "https:\/\/www.w3.org\/ns\/activitystreams#Public"
            ],
            "cc": [
                "https:\/\/lemmy.ml\/c\/privacy",
                "https:\/\/lemm.ee\/u\/schizoidman"
            ],
            "content": "<p>The source the article is based on:<\/p>\n<details><summary>spoiler<\/summary><p>___\nGreyNoise has identified an ongoing exploitation campaign in which attackers have gained unauthorized, persistent access to thousands of ASUS routers exposed to the internet. This appears to be part of a stealth operation to assemble a distributed network of backdoor devices \u2014 potentially laying the groundwork for a future botnet.\nThe tactics used in this campaign \u2014 stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection \u2014 are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks. While GreyNoise has made no attribution, the level of tradecraft suggests a well-resourced and highly capable adversary.\n\u200dThe attacker\u2019s access survives both reboots and firmware updates, giving them durable control over affected devices. The attacker maintains long-term access without dropping malware or leaving obvious traces by chaining authentication bypasses, exploiting a known vulnerability, and abusing legitimate configuration features.\n\u200dThe activity was uncovered by Sift \u2014 GreyNoise\u2019s proprietary AI-powered network payload analysis tool \u2014 in combination with fully emulated ASUS router profiles running in the GreyNoise Global Observation Grid. These tools enabled us to detect subtle exploitation attempts buried in global traffic and reconstruct the full attack sequence.\n\u200dRead the full technical analysis.\n\u200d\nTimeline of Events\nMarch 17, 2025: GreyNoise\u2019s proprietary AI technology, Sift, observes anomalous traffic.<br \/>\nMarch 18, 2025: GreyNoise researchers become aware of Sift report and begin investigating.\nMarch 23, 2025: Disclosure deferred as we coordinated the findings with government and industry partners.<br \/>\nMay 22, 2025: Sekoia announces compromise of ASUS routers as part of \u2018ViciousTrap.\u2019\nMay 28, 2025: GreyNoise publishes this blog.\n\u200d\nSummary of Findings\nThousands of ASUS routers are confirmed compromised, with the number steadily increasing.\nAttackers gain access using brute-force login attempts and authentication bypasses, including techniques not assigned CVEs.\nAttackers exploit CVE-2023-39780, a command injection flaw, to execute system commands.\nThey use legitimate ASUS features to:\nEnable SSH access on a custom port (TCP\/53282).\nInsert attacker-controlled public key for remote access.\nThe backdoor is stored in non-volatile memory (NVRAM) and is therefore not removed during firmware upgrades or reboots.\nNo malware is installed, and router logging is disabled to evade detection.\nThe techniques used reflect long-term access planning and a high level of system knowledge.\n\u200d\nHow GreyNoise Found It\nThe campaign was surfaced by Sift, GreyNoise\u2019s AI-powered analysis tool for detecting novel and anomalous network activity. Sift flagged just three HTTP POST requests \u2014 targeting ASUS router endpoints \u2014 for deeper inspection.\nThese payloads were only observed on our fully emulated ASUS profiles running factory firmware. This infrastructure allowed GreyNoise to:\nCapture full PCAP of the requests and router behavior.\nReproduce the attack in a controlled environment.\nConfirm how the backdoor is installed and how it persists.<br \/>\nWithout emulated profiles and deep inspection, this attack would likely have remained invisible. The attacker disables logging and uses official router features, leaving few traces.\n\u200d\nConfirmed Exploitation Chain\n1. Initial Access\nBrute-force login attempts.\nTwo authentication bypass techniques (no CVEs assigned).\n\u200d\n2. Command Execution\nExploitation of CVE-2023-39780 to run arbitrary commands.\n\u200d\n3. Persistence\nSSH access is enabled via official ASUS settings.\nAttacker inserts a custom public SSH key.\nConfiguration is stored in NVRAM, not on disk.\n\u200d\n4. Stealth\nLogging is disabled before persistence is established.\nNo malware is left behind.\n\u200d\nScope and Visibility\nAs of May 27, nearly 9,000 ASUS routers are confirmed compromised, based on scans from Censys \u2014 a platform that continuously maps and monitors internet-facing assets across the global internet. Censys reveals what\u2019s exposed; GreyNoise shows which of those assets are being actively targeted.\nThe number of affected hosts is growing.\nGreyNoise sensors saw just 30 related requests across three months, demonstrating how quietly this campaign is operating.\n\u200d\nIndicators of Compromise\n\u200d\nIP addresses involved in this activity:\n101.99.91.151\n101.99.94.173\n79.141.163.179<br \/>\n111.90.146.237\nCOPY\n\u200d\nBLOCK MALICIOUS IPS\n\u200d\nBackdoor port:\nTCP\/53282\nCOPY\n\u200d\nAttacker SSH public key (truncated):\nssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ\u2026\nCOPY\n\u200d\nHas ASUS Released a Patch?\nASUS patched CVE-2023-39780 in a recent firmware update.\nThe initial login bypass techniques are patched but do not have assigned CVEs.\nThe attacker\u2019s SSH configuration changes are not removed by firmware upgrades.\nIf a router was compromised before updating, the backdoor will still be present unless SSH access is explicitly reviewed and removed.\n\u200d\nRecommendations\nCheck ASUS routers for SSH access on TCP\/53282.\nReview the authorized_keys file for unauthorized entries.\nBlock the four IPs listed above.\nIf compromise is suspected, perform a full factory reset and reconfigure manually.\n\u200d\nBlock IPs &amp; Read the Full Analysis\nFor payload details, firmware analysis, and attack reconstruction:\nRead the full technical analysis.\n\u200d\nBLOCK MALICIOUS IPS\n\u200d\n\u200d\n\u200dGreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.\nThis article is a summary of the full, in-depth version on the GreyNoise Labs blog.\nRead the full report\n<\/p><\/details>\n",
            "inReplyTo": "https:\/\/lemm.ee\/post\/65299660",
            "mediaType": "text\/html",
            "source": {
                "content": "The source the article is based on:\n::: spoiler spoiler\n___\n\nGreyNoise has identified an ongoing exploitation campaign in which attackers have gained unauthorized, persistent access to thousands of ASUS routers exposed to the internet. This appears to be part of a stealth operation to assemble a distributed network of backdoor devices \u2014 potentially laying the groundwork for a future botnet. \n\nThe tactics used in this campaign \u2014 stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection \u2014 are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks. While GreyNoise has made no attribution, the level of tradecraft suggests a well-resourced and highly capable adversary. \n\n\u200dThe attacker\u2019s access survives both reboots and firmware updates, giving them durable control over affected devices. The attacker maintains long-term access without dropping malware or leaving obvious traces by chaining authentication bypasses, exploiting a known vulnerability, and abusing legitimate configuration features. \n\n\u200dThe activity was uncovered by Sift \u2014 GreyNoise\u2019s proprietary AI-powered network payload analysis tool \u2014 in combination with fully emulated ASUS router profiles running in the GreyNoise Global Observation Grid. These tools enabled us to detect subtle exploitation attempts buried in global traffic and reconstruct the full attack sequence. \n\n\u200dRead the full technical analysis. \n\n\u200d\n\nTimeline of Events\n\nMarch 17, 2025: GreyNoise\u2019s proprietary AI technology, Sift, observes anomalous traffic.  \n\nMarch 18, 2025: GreyNoise researchers become aware of Sift report and begin investigating.\n\nMarch 23, 2025: Disclosure deferred as we coordinated the findings with government and industry partners.   \n\nMay 22, 2025: Sekoia announces compromise of ASUS routers as part of \u2018ViciousTrap.\u2019\n\nMay 28, 2025: GreyNoise publishes this blog. \n\n\u200d\n\nSummary of Findings\n\nThousands of ASUS routers are confirmed compromised, with the number steadily increasing. \nAttackers gain access using brute-force login attempts and authentication bypasses, including techniques not assigned CVEs. \nAttackers exploit CVE-2023-39780, a command injection flaw, to execute system commands.\nThey use legitimate ASUS features to: \nEnable SSH access on a custom port (TCP\/53282).\nInsert attacker-controlled public key for remote access.\nThe backdoor is stored in non-volatile memory (NVRAM) and is therefore not removed during firmware upgrades or reboots. \nNo malware is installed, and router logging is disabled to evade detection. \nThe techniques used reflect long-term access planning and a high level of system knowledge. \n\u200d\n\nHow GreyNoise Found It\n\nThe campaign was surfaced by Sift, GreyNoise\u2019s AI-powered analysis tool for detecting novel and anomalous network activity. Sift flagged just three HTTP POST requests \u2014 targeting ASUS router endpoints \u2014 for deeper inspection. \n\nThese payloads were only observed on our fully emulated ASUS profiles running factory firmware. This infrastructure allowed GreyNoise to:\n\nCapture full PCAP of the requests and router behavior. \nReproduce the attack in a controlled environment.\nConfirm how the backdoor is installed and how it persists.  \nWithout emulated profiles and deep inspection, this attack would likely have remained invisible. The attacker disables logging and uses official router features, leaving few traces. \n\n\u200d\n\nConfirmed Exploitation Chain\n\n1. Initial Access\n\nBrute-force login attempts. \nTwo authentication bypass techniques (no CVEs assigned).\n\u200d\n\n2. Command Execution \n\nExploitation of CVE-2023-39780 to run arbitrary commands.\n\u200d\n\n3. Persistence \n\nSSH access is enabled via official ASUS settings.\nAttacker inserts a custom public SSH key.\nConfiguration is stored in NVRAM, not on disk.\n\u200d\n\n4. Stealth\n\nLogging is disabled before persistence is established. \nNo malware is left behind.\n\u200d\n\nScope and Visibility \n\nAs of May 27, nearly 9,000 ASUS routers are confirmed compromised, based on scans from Censys \u2014 a platform that continuously maps and monitors internet-facing assets across the global internet. Censys reveals what\u2019s exposed; GreyNoise shows which of those assets are being actively targeted. \nThe number of affected hosts is growing. \nGreyNoise sensors saw just 30 related requests across three months, demonstrating how quietly this campaign is operating. \n\u200d\n\nIndicators of Compromise\n\n\u200d\n\nIP addresses involved in this activity: \n\n101.99.91.151\n101.99.94.173 \n79.141.163.179   \n111.90.146.237\nCOPY\n\u200d\n\nBLOCK MALICIOUS IPS\n\u200d\n\nBackdoor port: \n\nTCP\/53282\nCOPY\n\u200d\n\nAttacker SSH public key (truncated):\n\nssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ... \nCOPY\n\u200d\n\nHas ASUS Released a Patch?\n\nASUS patched CVE-2023-39780 in a recent firmware update. \nThe initial login bypass techniques are patched but do not have assigned CVEs.\nThe attacker\u2019s SSH configuration changes are not removed by firmware upgrades. \nIf a router was compromised before updating, the backdoor will still be present unless SSH access is explicitly reviewed and removed. \n\n\u200d\n\nRecommendations \n\nCheck ASUS routers for SSH access on TCP\/53282. \nReview the authorized_keys file for unauthorized entries.\nBlock the four IPs listed above.\nIf compromise is suspected, perform a full factory reset and reconfigure manually.\n\u200d\n\nBlock IPs & Read the Full Analysis\n\nFor payload details, firmware analysis, and attack reconstruction: \n\nRead the full technical analysis.\n\n\u200d\n\nBLOCK MALICIOUS IPS\n\u200d\n\n\u200d\n\n\u200dGreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.\n\nThis article is a summary of the full, in-depth version on the GreyNoise Labs blog.\nRead the full report\n\n:::\n",
                "mediaType": "text\/markdown"
            },
            "published": "2025-06-01T20:23:11.793549Z",
            "tag": [
                {
                    "href": "https:\/\/lemm.ee\/u\/schizoidman",
                    "name": "@schizoidman@lemm.ee",
                    "type": "Mention"
                }
            ],
            "distinguished": false,
            "language": {
                "identifier": "en",
                "name": "English"
            },
            "audience": "https:\/\/lemmy.ml\/c\/privacy",
            "attachment": []
        },
        "cc": [
            "https:\/\/lemmy.ml\/c\/privacy",
            "https:\/\/lemm.ee\/u\/schizoidman"
        ],
        "tag": [
            {
                "href": "https:\/\/lemm.ee\/u\/schizoidman",
                "name": "@schizoidman@lemm.ee",
                "type": "Mention"
            }
        ],
        "type": "Create",
        "audience": "https:\/\/lemmy.ml\/c\/privacy"
    },
    "cc": [
        "https:\/\/lemmy.ml\/c\/privacy\/followers"
    ],
    "type": "Announce",
    "id": "https:\/\/lemmy.ml\/activities\/announce\/create\/9f7769aa-74e9-4cb4-9990-da3bedf5e9d7"
}

Response

Response Headers

Header Value
cache-control
"no-cache, private"
content-type
"application/activity+json"
date
"Sun, 01 Jun 2025 20:23:55 GMT"
x-debug-token
"dc49e9"

Cookies

Request Cookies

No request cookies

Response Cookies

No response cookies

Session 1

Session Metadata

No session metadata

Session Attributes

No session attributes

Session Usage

1 Usages
Stateless check enabled
Usage
Symfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage:41
[
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/security-core/Authentication/Token/Storage/UsageTrackingTokenStorage.php"
    "line" => 41
    "function" => "getMetadataBag"
    "class" => "Symfony\Component\HttpFoundation\Session\Session"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/security-http/Authenticator/RememberMeAuthenticator.php"
    "line" => 69
    "function" => "getToken"
    "class" => "Symfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/security-http/Authentication/AuthenticatorManager.php"
    "line" => 111
    "function" => "supports"
    "class" => "Symfony\Component\Security\Http\Authenticator\RememberMeAuthenticator"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/security-http/Firewall/AuthenticatorManagerListener.php"
    "line" => 34
    "function" => "supports"
    "class" => "Symfony\Component\Security\Http\Authentication\AuthenticatorManager"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/security-http/Authenticator/Debug/TraceableAuthenticatorManagerListener.php"
    "line" => 40
    "function" => "supports"
    "class" => "Symfony\Component\Security\Http\Firewall\AuthenticatorManagerListener"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/security-bundle/Debug/WrappedLazyListener.php"
    "line" => 38
    "function" => "supports"
    "class" => "Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticatorManagerListener"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/security-http/Firewall/AbstractListener.php"
    "line" => 25
    "function" => "supports"
    "class" => "Symfony\Bundle\SecurityBundle\Debug\WrappedLazyListener"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/security-bundle/Security/LazyFirewallContext.php"
    "line" => 60
    "function" => "__invoke"
    "class" => "Symfony\Component\Security\Http\Firewall\AbstractListener"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/security-bundle/Debug/TraceableFirewallListener.php"
    "line" => 80
    "function" => "__invoke"
    "class" => "Symfony\Bundle\SecurityBundle\Security\LazyFirewallContext"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/security-http/Firewall.php"
    "line" => 95
    "function" => "callListeners"
    "class" => "Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/event-dispatcher/Debug/WrappedListener.php"
    "line" => 116
    "function" => "onKernelRequest"
    "class" => "Symfony\Component\Security\Http\Firewall"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/event-dispatcher/EventDispatcher.php"
    "line" => 220
    "function" => "__invoke"
    "class" => "Symfony\Component\EventDispatcher\Debug\WrappedListener"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/event-dispatcher/EventDispatcher.php"
    "line" => 56
    "function" => "callListeners"
    "class" => "Symfony\Component\EventDispatcher\EventDispatcher"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php"
    "line" => 139
    "function" => "dispatch"
    "class" => "Symfony\Component\EventDispatcher\EventDispatcher"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/http-kernel/HttpKernel.php"
    "line" => 157
    "function" => "dispatch"
    "class" => "Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/http-kernel/HttpKernel.php"
    "line" => 76
    "function" => "handleRaw"
    "class" => "Symfony\Component\HttpKernel\HttpKernel"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/http-kernel/Kernel.php"
    "line" => 197
    "function" => "handle"
    "class" => "Symfony\Component\HttpKernel\HttpKernel"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/symfony/runtime/Runner/Symfony/HttpKernelRunner.php"
    "line" => 35
    "function" => "handle"
    "class" => "Symfony\Component\HttpKernel\Kernel"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/vendor/autoload_runtime.php"
    "line" => 29
    "function" => "run"
    "class" => "Symfony\Component\Runtime\Runner\Symfony\HttpKernelRunner"
    "type" => "->"
  ]
  [
    "file" => "/var/www/kbin/kbin/public/index.php"
    "line" => 7
    "args" => [
      "/var/www/kbin/kbin/vendor/autoload_runtime.php"
    ]
    "function" => "require_once"
  ]
]

Flashes

No flash messages were created.

Server Parameters

Defined in .env

Key Value
APP_ENV
"dev"
APP_SECRET
"82ce1339a6c267e28d1f1dcb37a7454c"
CORS_ALLOW_ORIGIN
"^https?://(kbin.localhost|127\.0\.0\.1)(:[0-9]+)?$"
DATABASE_URL
"postgresql://kbin:917eaa3d703f19d123@127.0.0.1:5433/kbin?serverVersion=15&charset=utf8"
HCAPTCHA_SECRET
""
HCAPTCHA_SITE_KEY
""
JWT_PASSPHRASE
""
JWT_PUBLIC_KEY
"%kernel.project_dir%/config/jwt/public.pem"
JWT_SECRET_KEY
"%kernel.project_dir%/config/jwt/private.pem"
KBIN_ADMIN_ONLY_OAUTH_CLIENTS
"false"
KBIN_API_ITEMS_PER_PAGE
"25"
KBIN_CAPTCHA_ENABLED
"false"
KBIN_CONTACT_EMAIL
"kbin@j0h.nl"
KBIN_DEFAULT_LANG
"en"
KBIN_DOMAIN
"kbin.spritesserver.nl"
KBIN_FEDERATION_ENABLED
"true"
KBIN_FEDERATION_PAGE_ENABLED
"true"
KBIN_HEADER_LOGO
"false"
KBIN_JS_ENABLED
"true"
KBIN_META_DESCRIPTION
"a private kbin install"
KBIN_META_KEYWORDS
"kbin, content agregator, open source, fediverse"
KBIN_META_TITLE
"Sprites kbin instance"
KBIN_REGISTRATIONS_ENABLED
"true"
KBIN_SENDER_EMAIL
"kbin@j0h.nl"
KBIN_STORAGE_URL
"https://kbin.spritesserver.nl/media/"
KBIN_TITLE
"/kbin"
LOCK_DSN
"flock"
MAILER_DSN
"smtp://spritesmods.com"
MERCURE_JWT_SECRET
"231e9a1277f5585d52aa0b1e34c0f984xxxx"
MERCURE_PUBLIC_URL
"https://kbin.spritesserver.nl/.well-known/mercure"
MERCURE_URL
"http://localhost:3000/.well-known/mercure"
MESSENGER_TRANSPORT_DSN
"doctrine://default"
OAUTH_FACEBOOK_ID
""
OAUTH_FACEBOOK_SECRET
""
OAUTH_GITHUB_ID
""
OAUTH_GITHUB_SECRET
""
OAUTH_GOOGLE_ID
""
OAUTH_GOOGLE_SECRET
""
POSTGRES_DB
"kbin"
POSTGRES_PASSWORD
"917eaa3d703f19d123"
POSTGRES_USER
"kbin"
POSTGRES_VERSION
"15"
REDIS_DNS
"redis://uSJBDOQfuOMgt8kyGhpUzViTnQSEdEJTsOIsYSsg3v40v@localhost"
REDIS_PASSWORD
"uSJBDOQfuOMgt8kyGhpUzViTnQSEdEJTsOIsYSsg3v40v"
S3_BUCKET
"media.karab.in"
S3_KEY
""
S3_REGION
"eu-central-1"
S3_SECRET
""
S3_VERSION
"latest"

Defined as regular env variables

Key Value
APP_DEBUG
"1"
CONTENT_LENGTH
"13599"
CONTENT_TYPE
"application/activity+json"
CONTEXT_DOCUMENT_ROOT
"/var/www/kbin/kbin/public"
CONTEXT_PREFIX
""
DOCUMENT_ROOT
"/var/www/kbin/kbin/public"
GATEWAY_INTERFACE
"CGI/1.1"
HTTPS
"on"
HTTP_ACCEPT
"*/*"
HTTP_ACCEPT_ENCODING
"gzip"
HTTP_DATE
"Sun, 01 Jun 2025 20:23:55 GMT"
HTTP_DIGEST
"SHA-256=A+Uz1Ndi5HMzEwuiYWHI22wmGxJP+isxTKvhBddtB5g="
HTTP_HOST
"kbin.spritesserver.nl"
HTTP_SIGNATURE
"keyId="https://lemmy.ml/c/privacy#main-key",algorithm="hs2019",headers="(request-target) content-type date digest host",signature="w/df/JltsDocyQRSN0x0UU1L6z+Ai3k3Xxk31wpxfdKTCz7cBh39G7hO3uC6UVJVa70gYDhtSM7oY6Iz5QPvwkz0XdDbhOK9vho5dCk+6+mg5WSHezSONDVUDV5wi3EFahfo9HRYUr6JkOLbALOE3Flscf2EbkXeULa13Vz5CIu6tTFC/xuPkpylF5YlZ4RQXNZitRcRjnDFrC5txOrYbKKHPFKh+jeSwNkYdJGQTa8KLvBp7ED4HQCjpjrbf1brgG+H36/bqGpohatvpTbT3nYXBnK6RIzCZ2nXvOuEjvqsuCZtBMhxPSB3GNfZpi4nylfMlRzWTjbDvHUdN0+ozA==""
HTTP_USER_AGENT
"Lemmy/0.19.12-beta.8; +https://lemmy.ml"
PATH
"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
PHP_SELF
"/index.php"
QUERY_STRING
""
REDIRECT_HTTPS
"on"
REDIRECT_SSL_CIPHER
"TLS_AES_256_GCM_SHA384"
REDIRECT_SSL_CIPHER_ALGKEYSIZE
"256"
REDIRECT_SSL_CIPHER_EXPORT
"false"
REDIRECT_SSL_CIPHER_USEKEYSIZE
"256"
REDIRECT_SSL_CLIENT_VERIFY
"NONE"
REDIRECT_SSL_COMPRESS_METHOD
"NULL"
REDIRECT_SSL_PROTOCOL
"TLSv1.3"
REDIRECT_SSL_SECURE_RENEG
"true"
REDIRECT_SSL_SERVER_A_KEY
"rsaEncryption"
REDIRECT_SSL_SERVER_A_SIG
"sha256WithRSAEncryption"
REDIRECT_SSL_SERVER_I_DN
"CN=R10,O=Let's Encrypt,C=US"
REDIRECT_SSL_SERVER_I_DN_C
"US"
REDIRECT_SSL_SERVER_I_DN_CN
"R10"
REDIRECT_SSL_SERVER_I_DN_O
"Let's Encrypt"
REDIRECT_SSL_SERVER_M_SERIAL
"05BC012BFCA0DD2ABABFC84B9630E756CB3B"
REDIRECT_SSL_SERVER_M_VERSION
"3"
REDIRECT_SSL_SERVER_SAN_DNS_0
"kbin.spritesserver.nl"
REDIRECT_SSL_SERVER_S_DN
"CN=kbin.spritesserver.nl"
REDIRECT_SSL_SERVER_S_DN_CN
"kbin.spritesserver.nl"
REDIRECT_SSL_SERVER_V_END
"Aug 27 21:01:45 2025 GMT"
REDIRECT_SSL_SERVER_V_START
"May 29 21:01:46 2025 GMT"
REDIRECT_SSL_SESSION_ID
"83532e35fe7dc96ae43299532df218119e88cdcec380afa759cbcb1a59ab108d"
REDIRECT_SSL_SESSION_RESUMED
"Initial"
REDIRECT_SSL_TLS_SNI
"kbin.spritesserver.nl"
REDIRECT_SSL_VERSION_INTERFACE
"mod_ssl/2.4.62"
REDIRECT_SSL_VERSION_LIBRARY
"OpenSSL/3.0.16"
REDIRECT_STATUS
"200"
REDIRECT_URL
"/f/inbox"
REMOTE_ADDR
"54.36.178.108"
REMOTE_PORT
"55620"
REQUEST_METHOD
"POST"
REQUEST_SCHEME
"https"
REQUEST_TIME
1748809435
REQUEST_TIME_FLOAT
1748809435.6487
REQUEST_URI
"/f/inbox"
SCRIPT_FILENAME
"/var/www/kbin/kbin/public/index.php"
SCRIPT_NAME
"/index.php"
SERVER_ADDR
"5.9.62.165"
SERVER_ADMIN
"webmaster@spritesmods.com"
SERVER_NAME
"kbin.spritesserver.nl"
SERVER_PORT
"443"
SERVER_PROTOCOL
"HTTP/1.1"
SERVER_SIGNATURE
""
SERVER_SOFTWARE
"Apache"
SSL_CIPHER
"TLS_AES_256_GCM_SHA384"
SSL_CIPHER_ALGKEYSIZE
"256"
SSL_CIPHER_EXPORT
"false"
SSL_CIPHER_USEKEYSIZE
"256"
SSL_CLIENT_VERIFY
"NONE"
SSL_COMPRESS_METHOD
"NULL"
SSL_PROTOCOL
"TLSv1.3"
SSL_SECURE_RENEG
"true"
SSL_SERVER_A_KEY
"rsaEncryption"
SSL_SERVER_A_SIG
"sha256WithRSAEncryption"
SSL_SERVER_I_DN
"CN=R10,O=Let's Encrypt,C=US"
SSL_SERVER_I_DN_C
"US"
SSL_SERVER_I_DN_CN
"R10"
SSL_SERVER_I_DN_O
"Let's Encrypt"
SSL_SERVER_M_SERIAL
"05BC012BFCA0DD2ABABFC84B9630E756CB3B"
SSL_SERVER_M_VERSION
"3"
SSL_SERVER_SAN_DNS_0
"kbin.spritesserver.nl"
SSL_SERVER_S_DN
"CN=kbin.spritesserver.nl"
SSL_SERVER_S_DN_CN
"kbin.spritesserver.nl"
SSL_SERVER_V_END
"Aug 27 21:01:45 2025 GMT"
SSL_SERVER_V_START
"May 29 21:01:46 2025 GMT"
SSL_SESSION_ID
"83532e35fe7dc96ae43299532df218119e88cdcec380afa759cbcb1a59ab108d"
SSL_SESSION_RESUMED
"Initial"
SSL_TLS_SNI
"kbin.spritesserver.nl"
SSL_VERSION_INTERFACE
"mod_ssl/2.4.62"
SSL_VERSION_LIBRARY
"OpenSSL/3.0.16"
SYMFONY_DOTENV_VARS
"KBIN_DOMAIN,KBIN_TITLE,KBIN_DEFAULT_LANG,KBIN_FEDERATION_ENABLED,KBIN_CONTACT_EMAIL,KBIN_SENDER_EMAIL,KBIN_JS_ENABLED,KBIN_REGISTRATIONS_ENABLED,KBIN_API_ITEMS_PER_PAGE,KBIN_STORAGE_URL,KBIN_META_TITLE,KBIN_META_DESCRIPTION,KBIN_META_KEYWORDS,KBIN_HEADER_LOGO,KBIN_CAPTCHA_ENABLED,KBIN_FEDERATION_PAGE_ENABLED,REDIS_PASSWORD,REDIS_DNS,S3_KEY,S3_SECRET,S3_BUCKET,S3_REGION,S3_VERSION,OAUTH_FACEBOOK_ID,OAUTH_FACEBOOK_SECRET,OAUTH_GOOGLE_ID,OAUTH_GOOGLE_SECRET,OAUTH_GITHUB_ID,OAUTH_GITHUB_SECRET,KBIN_ADMIN_ONLY_OAUTH_CLIENTS,APP_ENV,APP_SECRET,POSTGRES_DB,POSTGRES_USER,POSTGRES_PASSWORD,POSTGRES_VERSION,DATABASE_URL,MESSENGER_TRANSPORT_DSN,MAILER_DSN,MERCURE_URL,MERCURE_PUBLIC_URL,MERCURE_JWT_SECRET,CORS_ALLOW_ORIGIN,LOCK_DSN,JWT_SECRET_KEY,JWT_PUBLIC_KEY,JWT_PASSPHRASE,HCAPTCHA_SITE_KEY,HCAPTCHA_SECRET"