50k more ASUS routers pwned by evolving Beijing-linked op

"GreyNoise's VP of data science, Bob Rudis, said at the time that the attack had all the hallmarks of 'an advanced, well-resourced adversary,' and suggested that 'one of the Typhoons' - Chinese state-sponsored cyber espionage crews - may be behind it."
"'This leads us to speculate that WrtHug and AyySSHush may be a single, evolving campaign or two separate campaigns from the same actor,' the team's report stated. 'It could also be two campaigns from coordinated actors. For the time being, we lack substantial evidence beyond the shared vulnerability to support these speculations. We will continue to track Operation WrtHug as a separate campaign until such evidence arises.'"
Operation WrtHug compromised around 50,000 end-of-life ASUS WRT routers by exploiting six known vulnerabilities. Four 2023 command-injection CVEs (CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348) were rated 8.8. Additional exploited flaws include CVE-2024-12912 (7.2) and CVE-2025-2492 (9.2). Most confirmed compromises are concentrated in Taiwan and Southeast Asia, with minimal impact in mainland China, Russia, and the United States. The 2023 flaws are linked to CVE-2023-39780, previously used in the AyySSHush operational relay box campaign that affected over 8,000 ASUS routers. The campaigns share vulnerabilities but show limited device overlap, suggesting either an evolving single operation or separate coordinated actors.
Read at Theregister