[German]The Cyclops Blink botnet has been infecting network devices around the world for several weeks. The botnet is operated by the suspected Russian Sandworm APT. Manufacturer ASUS has issued a warning this week, which is directed at users of its routers. The Cyclops Blink botnet is probably attacking ASUS routers in order to insert them into the botnet. Here is some information about it.
The Cyclops Blink Botnet
The malware and botnet was unknown until recently and is attributed to the Russian espionage and cyber attack group Sandworm (also known as Voodoo Bear). The precursors to the Cyclops Blink malware have been around for three years, with actors previously replacing VPNFilters. Security researchers found in 2018 that this malware infected around 500,000 routers in homes and small offices. It contained a "veritable Swiss Army knife" of features that allowed hackers to eject or manipulate traffic.
NCSC, CISA, FBI and NSA have determined that the Sandworm group is using a new Cyclops Blink malware. I had pointed out the botnet in late February 2022 in the blog post Russian Sandworm Group Responsible for Cyclops Blink Botnet. The Cyclops Blink malware has since infected about 1 percent of network firewall devices from network device manufacturer Watchguard. The malware is able to abuse a legitimate firmware update mechanism in infected devices in such a way that it is persistent, meaning it survives reboots. Notes on this topic can be found in the blog post Cyclops blink malware targets WatchGuard network firewalls.
Security alert for ASUS routers
Blog reader Gerold already left a hint about the security warning here on the blog the days before (thanks a lot) and linked to this article from the colleagues at Bleeping Computer. However, I also came across the hint via the following tweet from Nicolaus Krassas.
In a coordinated disclosure, ASUS and Trend Micro warn that Cyclops Blink malware has a special module that targets multiple ASUS routers, according to this article. This module allows the malware to read flash memory to gather information about important files, executables, data and libraries. The malware is then commanded to nest in the flash memory and stay there permanently, as this memory space is not deleted even during factory resets. The details of the ASUS module of Cyclops Blink, Trend Micro has published an article explaining how the malware works. The colleagues from Bleeping Computer have derived the following list of router models.
- GT-AC5300 Firmware unterhalb Version 3.0.0.4.386.xxxx
- GT-AC2900 Firmware unterhalb Version 3.0.0.4.386.xxxx
- RT-AC5300 Firmware unterhalb Version 3.0.0.4.386.xxxx
- RT-AC88U Firmware unterhalb Version 3.0.0.4.386.xxxx
- RT-AC3100 Firmware unterhalb Version 3.0.0.4.386.xxxx
- RT-AC86U Firmware unterhalb Version 3.0.0.4.386.xxxx
- RT-AC68U, AC68R, AC68W, AC68P Firmware unterhalb Version 3.0.0.4.386.xxxx
- RT-AC66U_B1 Firmware unterhalb Version 3.0.0.4.386.xxxx
- RT-AC3200 Firmware unterhalb Version 3.0.0.4.386.xxxx
- RT-AC2900 Firmware unterhalb Version 3.0.0.4.386.xxxx
- RT-AC1900P, RT-AC1900P Firmware unterhalb Version 3.0.0.4.386.xxxx
- RT-AC87U (EOL)
- RT-AC66U (EOL)
- RT-AC56U (EOL)
There is this page from ASUS, but it is quite outdated. There do not seem to be any firmware updates yet that close the vulnerabilities exploited by the Cyclops Blink malware. ASUS currently suggests resetting devices to factory defaults, installing the latest firmware and using a secure password to access the management interface as a workaround. Furthermore, the remote management should be disabled, as the colleagues write here.
Similar articles:
Russian Sandworm Group Responsible for Cyclops Blink Botnet
Cyclops blink malware targets WatchGuard network firewalls