Monitoring SSH access is the only protection: As upgrading the firmware doesn’t guarantee protection, admins are advised to keep checking for unauthorized SSH access, particularly on TCP port 53282, which the botnet uses for persistent remote control. Additionally, checking the filesystem for a /tmp/BWSQL_LOG file can help detect attackers’ abuse of the logging feature. Changing default login credentials can prove effective, too, as brute-force attacks are part of the initial infection method. GreyNoise shared a list of indicators of compromise (IoCs) to set up detection for, including IPs, malicious filenames, and SSH-RSA keys.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3999326/new-botnet-hijacks-ai-powered-security-tool-on-asus-routers.html
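
The two host-side checks described above, as an added example that is not from the article or GreyNoise: a POSIX shell audit that looks for a listener on TCP port 53282 and for /tmp/BWSQL_LOG. The function names and sample socket listings are constructed, and it assumes the SSH backdoor appears as a listening socket in `netstat -tln` or `ss -tln` output.

```shell
#!/bin/sh
# Added example (not from the article): host-side check for the two indicators
# the article names. The port and file path come from the article; function
# names and sample data are constructed for illustration.
BOTNET_SSH_PORT=53282
LOG_ARTIFACT=/tmp/BWSQL_LOG

# Reads `netstat -tln` or `ss -tln` output on stdin; succeeds only if a TCP
# socket is LISTENing with the given *local* port (IPv4 or IPv6).
listening_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" { addr = $4 }   # netstat layout
        $1 == "LISTEN"                { addr = $4 }   # ss layout
        addr != "" { n = split(addr, p, ":"); if (p[n] == port) hit = 1; addr = "" }
        END { exit (hit ? 0 : 1) }'
}

# Reads the socket listing on stdin and checks ROOT/tmp/BWSQL_LOG (ROOT is ""
# on a live device, or the path of a mounted/extracted filesystem copy).
# Prints findings; returns 1 if any indicator is present, 0 otherwise.
audit_router() {
    audit_root=$1
    audit_hits=0
    if listening_on_port "$BOTNET_SSH_PORT"; then
        echo "ALERT: TCP listener on port $BOTNET_SSH_PORT"
        audit_hits=1
    fi
    if [ -e "${audit_root}${LOG_ARTIFACT}" ]; then
        echo "ALERT: ${LOG_ARTIFACT} exists"
        audit_hits=1
    fi
    return "$audit_hits"
}

# Constructed samples (documentation addresses), not captured from a real device.
sample_infected() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 :::53282                :::*                    LISTEN
EOF
}
sample_clean() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.1:40112         203.0.113.5:53282       ESTABLISHED
EOF
}
```

On a live device the equivalent call is `netstat -tln | audit_router ""`; the clean sample shows that an outbound connection whose remote port is 53282 is not reported as a listener.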

