Cyclops Blink botnet is attacking and actively exploiting Asus routers

TL;DR: A Russian modular botnet called Cyclops Blink is hijacking Asus routers worldwide, reportedly in an attempt to build an army of compromised routers for use in cyberwarfare. The hackers want to use the vulnerable devices as command-and-control (C&C or C2) servers.

Cyclops Blink is a Kremlin-linked malware that has existed since 2019. It is tied to the elite Sandworm hacking group. According to UK's National Cyber Security Centre (NCSC), it initially targeted WatchGuard Firebox devices. Sandworm was linked to other well-known cyber-attacks, like the NotPetya ransomware, which has caused billions of dollars worth of damage globally since June 2017, and the BlackEnergy malware behind the Ukrainian blackouts of 2015-16.

Researchers with Trend Micro note that Cyclops Blink casts a wide net in terms of the devices it infects, with no specific focus on high-value government or diplomatic entities. Hackers compromised some of the infected equipment more than two and a half years ago.

Cyclops Blink attempts to establish persistence for threat actors on the device, creating a point of remote access to compromised networks. Due to its modular design, it can easily be updated to target new devices. It has recently gained a new module allowing it to attack Asus routers.

Trend Micro notes that the targets do not appear to be of particular value for cyberwarfare.

"It should be noted that these victims do not appear to be evidently valuable targets for either economic, military, or political espionage. For example, some of the live C&Cs are hosted on WatchGuard devices used by a law firm in Europe, a medium-sized company producing medical equipment for dentists in Southern Europe and a plumber in the United States … The purpose of this botnet is still unclear: Whether it is intended to be used for distributed denial-of-service (DDoS) attacks, espionage, or proxy networks remains to be seen. But what is evident is that Cyclops Blink is an advanced piece of malware that focuses on persistence and the ability to survive domain sinkhole attempts and the takedown of its infrastructure."

Researchers believe there is another vendor with compromised firmware, but unfortunately, they cannot identify the vendor yet.

Cyclops Blink uses hard-coded TCP ports to communicate with C&C servers. For every port, it makes a new rule in the Netfilter Linux kernel firewall to allow output communication to it. Once a connection is established, the malware initializes an OpenSSL library, and its core component then executes a set of hard-coded modules. The malware then pushes various parameters to these modules, which return data that the core component encrypts using OpenSSL functions before sending it back to the C2 server.

Trend Micro believes the malware is the successor to the VPNFilter malware from 2018. It, too, was designed to infect routers and networked devices to siphon data and compromise them for future use.

The new Asus module is built to access and replace a router's flash memory. The botnet reads 80 bytes from the flash memory, writes it to the main communication pipe, and then waits for a command with the data needed to replace the content. A second module gathers data from the infected device and sends it to the C2 server. A third module, "file download (0x0f)," downloads files from the internet using DNS over HTTPS (DoH).

Affected Asus model numbers and their firmware details are as follows:

  • GT-AC5300
  • GT-AC2900
  • RT-AC5300
  • RT-AC88U
  • RT-AC3100
  • RT-AC86U
  • RT-AC68U
  • AC68R
  • AC68W
  • AC68P
  • RT-AC66U_B1
  • RT-AC3200
  • RT-AC2900
  • RT-AC1900P
  • RT-AC1900P
  • RT-AC87U (EOL)
  • RT-AC66U (EOL)
  • RT-AC56U (EOL)

As of publication, Asus has not released new firmware updates but has released the following mitigation instructions:

  • Reset the device to factory default: Login into the web GUI, go to Administration → Restore/Save/Upload Setting, click the "Initialize all the setting and clear all the data log," and then click Restore button."
  • Update to the latest available firmware.
  • Ensure the default admin password has been changed to a more secure one.
  • Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).

The three models designated as EOL (end of life) are no longer supported and won't receive any firmware security updates. Asus recommends buying a new one.

The related security advisory for WatchGuard network devices can be found on WatchGuard's website.

Permalink to story.

 

Dimitriid

Posts: 2,216   +4,268
You know I remember buying my own routers probably 18 to 20 years ago or so. The default wasn't to get a gateway (In fact, we're past even using the term gateway as almost all "modems" provided by ISPs today are actually gateways: both modem and routing) so you had to get a router and more importantly, you had to configure it.

It wouldn't *just* work out of the box you had to set up the type of connection your ISP had, if you wanted wireless or not, routers prompted you to change your default password before you could actually finish setting up DHCP (If you even opted to you could opt out) and the type of connection you had: DSL or cable and generally cable modems where set up to just share internet with the router but not DSL modems so you had to specify the type of DSL connection to negotiate, etc.

Essentially we had no smartphones or tables, or IoT devices whatsoever: the default ISP support didn't even consider more than one device and often only trained their support to configure a single connection on a single computer and everything else well you had to know what you were doing or at least RTFM was something we took seriously.

Now most routing gateways with included wireless access point ISPs provide "Just work" and don't even prompt users to create their own wireless password (Yes: you had to do that in the past) You can even just go push a physical button once Windows or your phone prompt you so you don't even need to know the default gateway password.

Do you see how this is a problem today? We not only made it easy for most users to not having to know a single thing about their home networks, we also made it super-duper-extra easy for anyone to create vast botnets.
 

VitalyT

Posts: 6,275   +6,843
So now political propaganda has made its way into technical news. Blame Russia for everything, because that's the campaign that US purchased for their world domination program.
 

Lionvibez

Posts: 2,678   +2,456
I'm using an Asus AX88U which isn't on the list plus I'm using 3rd party firmware from merlin on it.

All of those models use an older code base than what current merlin firmware is using so I'm good.

Added this because the firmware part is missing from the news story post.

  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (EOL)
  • RT-AC66U (EOL)
  • RT-AC56U (EOL)
 

kiwigraeme

Posts: 1,118   +820
Just asking - wouldn't it be better to have such a modem 2nd in the chain - In NZ - you get the ISP modem/router for free ( no monthly cost- even if you change ISP - they never seem to want it back ) .
As my house is small just using ISP one - though like above - Lionvibez I use to run Tomato when I had a Asus modem - Original routers had no wifi many years ago .
Most office systems - have tight control at the front end
 

STbob

Posts: 45   +18
I'm using an Asus AX88U which isn't on the list plus I'm using 3rd party firmware from merlin on it.

All of those models use an older code base than what current merlin firmware is using so I'm good.

Added this because the firmware part is missing from the news story post.

  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (EOL)
  • RT-AC66U (EOL)
  • RT-AC56U (EOL)
Keep telling yourself that. False sense of security. I run Merlin too and the 3.00.5.386 is too new to have corrected anything concerning this. Merlin is not in the security business he does not rewrite the firmware.
You only "Hope" you are not affected you do not know. They do not even know how it gets in they only are guessing. Best to at least reset your router. Take screen shots of the config do not reload your saved config.
I have 4 Asus routers and have done it to all of them. Its not guarantee they are safe just that its cleared, does not mean they can't get reinfected.
The AX series are not on the list "Yet" just not enough data to get all warm and fuzzy feeling just yet.
 

Theinsanegamer

Posts: 3,418   +5,728
So now political propaganda has made its way into technical news. Blame Russia for everything, because that's the campaign that US purchased for their world domination program.
Literally in the article: "Trend Micro notes that the targets do not appear to be of particular value for cyberwarfare."

I know reading is hard for you whenever someone is critical of daddy Putin, but come on. It's a literal russian botnet.
Just asking - wouldn't it be better to have such a modem 2nd in the chain - In NZ - you get the ISP modem/router for free ( no monthly cost- even if you change ISP - they never seem to want it back ) .
As my house is small just using ISP one - though like above - Lionvibez I use to run Tomato when I had a Asus modem - Original routers had no wifi many years ago .
Most office systems - have tight control at the front end
Most office systems use managed switches with professionals behind them. It may be surprising, but most home users do not have this type of equipment. The modem from your ISP, if only being used to connect your router to the internet, isnt going to be useful at all in this situation. The malware is targeting routers, not your ISP's modem.
 

STbob

Posts: 45   +18
Literally in the article: "Trend Micro notes that the targets do not appear to be of particular value for cyberwarfare."

I know reading is hard for you whenever someone is critical of daddy Putin, but come on. It's a literal russian botnet.
Most office systems use managed switches with professionals behind them. It may be surprising, but most home users do not have this type of equipment. The modem from your ISP, if only being used to connect your router to the internet, isnt going to be useful at all in this situation. The malware is targeting routers, not your ISP's modem.
I don't know where you get the idea of Most Offices have this or that. I'm in a medical building full of Dr. Offices and most have standard run of the mill routers with comcast or ATT fiber modems in pass-through mode. I think larger corporations but not small offices or even movie theaters. Asus routers are all over the place, I would pick them as a target very common,ripe for the picking. They do not get it, they think they have to have huge targets, no they don't they just need EZ. Those small targets will be used to take out bigger fish later.
 

Lionvibez

Posts: 2,678   +2,456
Keep telling yourself that. False sense of security. I run Merlin too and the 3.00.5.386 is too new to have corrected anything concerning this. Merlin is not in the security business he does not rewrite the firmware.
You only "Hope" you are not affected you do not know. They do not even know how it gets in they only are guessing. Best to at least reset your router. Take screen shots of the config do not reload your saved config.
I have 4 Asus routers and have done it to all of them. Its not guarantee they are safe just that its cleared, does not mean they can't get reinfected.
The AX series are not on the list "Yet" just not enough data to get all warm and fuzzy feeling just yet.

When I see that the AX is listed then I will worry about it.

On the Asus advisory site

(4) Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).

Remote Management is always turned off on my side aswell and that is needed for this exploit.

So again I'm not worried about it at the moment.
 
Last edited:

Watzupken

Posts: 635   +519
Keep telling yourself that. False sense of security. I run Merlin too and the 3.00.5.386 is too new to have corrected anything concerning this. Merlin is not in the security business he does not rewrite the firmware.
You only "Hope" you are not affected you do not know. They do not even know how it gets in they only are guessing. Best to at least reset your router. Take screen shots of the config do not reload your saved config.
I have 4 Asus routers and have done it to all of them. Its not guarantee they are safe just that its cleared, does not mean they can't get reinfected.
The AX series are not on the list "Yet" just not enough data to get all warm and fuzzy feeling just yet.
The problem is that any sense of security in devices connected to the net is never real. It is just a matter of time people will find some security vulnerability. So this is just part and parcel of life. We are not perfect, and so cannot expect anything that we make to be perfect.