ASUS warns of Cyclops Blink malware attacks targeting routers

A number of ASUS router models are vulnerable to the Russia-linked Cyclops Blink malware, prompting the vendor to publish an advisory with mitigations to protect affected devices.

Cyclops Blink is a malware strain linked to the Russian state-backed Sandworm hacking group that has historically targeted WatchGuard Firebox appliances and other SOHO network devices.

The role of Cyclops Blink is to establish persistence for the threat actors on the device, giving them a foothold for remote access into the compromised network.

Because Cyclops Blink is modular, it can easily be updated to target new devices, continually refreshing its scope and tapping into new pools of exploitable hardware.

Cyclops Blink now targets ASUS routers

In a coordinated disclosure, Trend Micro warned that the malware includes a specialized module that targets several ASUS routers, allowing the malware to read the device's flash memory to gather information about critical files, executables, data, and libraries.

The malware can then receive a command to write itself into the flash memory and establish permanent persistence, since that storage area is not wiped by a reboot or a factory reset.

For more details on the ASUS module of Cyclops Blink, Trend Micro has published a technical writeup today explaining how it works.

Module’s code for writing to flash memory (Trend Micro)

At this point, the spread of Cyclops Blink appears indiscriminate and widespread, so it does not matter whether you consider yourself a likely target or not.

As the malware is tied to the elite Sandworm hacking group (also tracked as Voodoo Bear, BlackEnergy, and TeleBots), we will likely see the threat actors targeting other router manufacturers in the future.

Sandworm has been linked to other well-known cyberattacks, including the BlackEnergy malware behind the December 2015 Ukrainian blackout, the follow-up attack on the Ukrainian grid in December 2016, and the NotPetya wiper, which caused billions of dollars in damage to organizations around the world starting in June 2017.

Vulnerable ASUS devices

In an advisory released today, ASUS warns that the following router models and firmware versions are vulnerable to Cyclops Blink attacks:

  • GT-AC5300 firmware under 3…4.386.xxxx
  • GT-AC2900 firmware under 3…4.386.xxxx
  • RT-AC5300 firmware under 3…4.386.xxxx
  • RT-AC88U firmware under 3…4.386.xxxx
  • RT-AC3100 firmware under 3…4.386.xxxx
  • RT-AC86U firmware under 3…4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3…4.386.xxxx
  • RT-AC66U_B1 firmware under 3…4.386.xxxx
  • RT-AC3200 firmware under 3…4.386.xxxx
  • RT-AC2900 firmware under 3…4.386.xxxx
  • RT-AC1900P firmware under 3…4.386.xxxx
  • RT-AC87U (EOL)
  • RT-AC66U (EOL)
  • RT-AC56U (EOL)

At this time, ASUS has not released new firmware updates to protect against Cyclops Blink, but it has published the following mitigations that can be used to secure devices:

  • Reset the device to factory defaults: log in to the web GUI, go to Administration → Restore/Save/Upload Setting, click “Initialize all the setting and clear all the data log”, and then click the Restore button.
  • Update to the latest available firmware.
  • Ensure the default admin password has been changed to a stronger one.
  • Disable Remote Management (it is disabled by default and can only be enabled via Advanced Settings).

If you are using any of the three models marked as EOL (end of life), note that these are no longer supported and will not receive a firmware security update. In that case, you are advised to replace the device with a new one.
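As an added example (not code from ASUS, Trend Micro or the original article), the following Python helper applies the two lists above and the advisory's "firmware under X.xxxx" rule to a model/firmware pair: EOL models come back as "replace", listed models running firmware below the fixed branch as "mitigate", listed models already on or past it as "current", and anything else as "not-listed". The fixed-branch prefix is passed in by the caller because the advisory states the build number as a wildcard; the threshold used in the demo is a constructed placeholder and must be substituted with the value printed in ASUS's advisory. Splitting on both "." and "_" and padding short version strings are my assumptions about how such firmware strings are written.

```python
"""Triage an ASUS router against the Cyclops Blink affected-model list.

Added example; the model sets mirror the advisory text above, the rest is
assumption: version strings are split on '.' or '_', any non-numeric
component (such as the advisory's 'xxxx') is a wildcard, and a firmware
string with fewer components than the threshold is padded with zeros.
"""
import re

# Models the advisory lists as affected when running firmware below the fixed branch.
AFFECTED_MODELS = {
    "GT-AC5300", "GT-AC2900", "RT-AC5300", "RT-AC88U", "RT-AC3100", "RT-AC86U",
    "RT-AC68U", "RT-AC68R", "RT-AC68W", "RT-AC68P", "RT-AC66U_B1", "RT-AC3200",
    "RT-AC2900", "RT-AC1900P",
}
# Models the advisory marks EOL: no fix will ship, so the only remediation is replacement.
EOL_MODELS = {"RT-AC87U", "RT-AC66U", "RT-AC56U"}


def parse_version(text):
    """Split a firmware string into components; numeric parts become ints,
    anything else (e.g. 'xxxx') becomes None to mark a wildcard."""
    parts = []
    for tok in re.split(r"[._]", text.strip()):
        if not tok:
            continue
        parts.append(int(tok) if tok.isdigit() else None)
    return parts


def version_below(firmware, threshold):
    """True if `firmware` is below the fixed branch named by `threshold`.

    Only the numeric components of `threshold` before its first wildcard are
    compared, so 'under 1.2.3.xxxx' matches every build of branches below
    1.2.3 and nothing on or after it. Wildcards inside `firmware` count as 0
    and a short firmware string is zero-padded to the threshold's length.
    """
    fixed = []
    for part in parse_version(threshold):
        if part is None:
            break
        fixed.append(part)
    fw = [part or 0 for part in parse_version(firmware)]
    fw = (fw + [0] * len(fixed))[: len(fixed)]
    return fw < fixed


def triage(model, firmware, fixed_threshold):
    """Return 'replace', 'mitigate', 'current' or 'not-listed' for a device."""
    model = model.strip().upper()
    if model in EOL_MODELS:
        return "replace"          # unsupported: no update is coming
    if model not in AFFECTED_MODELS:
        return "not-listed"       # not in this advisory (still check the vendor)
    if version_below(firmware, fixed_threshold):
        return "mitigate"         # reset, update, change password, disable remote mgmt
    return "current"              # already on the fixed branch or later


if __name__ == "__main__":
    # Constructed placeholder; replace with the exact prefix from the ASUS advisory.
    PLACEHOLDER_THRESHOLD = "1.2.3.xxxx"
    for model, fw in [("RT-AC86U", "1.2.2_45000"), ("RT-AC86U", "1.2.3_45000"),
                      ("RT-AC66U", "1.2.2_45000"), ("RT-AX88U", "1.2.2_45000")]:
        print(f"{model:<12} {fw:<12} -> {triage(model, fw, PLACEHOLDER_THRESHOLD)}")
```

Feed it the model and firmware string shown on the router's status page; the answer "current" only means the device is past the branch you supplied, so keep the threshold in sync with the advisory and still apply the password and remote-management checks regardless.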

If you own WatchGuard network devices and are looking for that advisory instead, you can find the vendor's threat mitigation guidance on this page.