Multiple ASUS router models are vulnerable to the Russia-linked Cyclops Blink malware threat, prompting the vendor to publish a security risk mitigation advisory.
Cyclops Blink is a malware associated with the Russian-backed Sandworm hacking group that has historically targeted WatchGuard Firebox and other SOHO network devices.
Cyclops Blink’s role is to establish persistence for threat actors on the device, giving them a point of remote access to compromised networks.
Because Cyclops Blink is modular, it can be easily updated to target new devices, constantly updating its scope and tapping new sources of exploitable hardware.
Cyclops Blink now targets ASUS routers
In a coordinated disclosure, Trend Micro warned that the malware contains a specialized module targeting various ASUS routers, allowing the malware to read flash memory to gather information about critical files, executables, data and libraries.
The malware is then instructed to burrow into the flash memory and establish permanent persistence as this storage space is not wiped even with factory resets.
For more details on Cyclops Blink’s ASUS module, Trend Micro today published a technical article explaining how it works.
Module code for writing to flash memory (Trend Micro)
At this point, Cyclops Blink’s distribution seems random and widespread, so it doesn’t matter if you consider yourself a legitimate target or not.
Since the malware is linked to the elite Sandworm hacking group (also followed as Voodoo Bear, BlackEnergy, and TeleBots), we will likely see the threat actors target other router manufacturers in the future.
Sandworm has been linked to other known cyberattacks, including the BlackEnergy malware behind the 2015 and 2016 Ukrainian blackouts [1, 2, 3] and the NotPetya ransomware, which has caused billions of dollars in damage to businesses worldwide as of June 2017.
Vulnerable ASUS devices
In an advisory released today, ASUS warns that the following router models and firmware versions are vulnerable to Cyclops Blink attacks:
GT-AC5300 Firmware under 18.104.22.168.386.xxxx GT-AC2900 Firmware under 22.214.171.124.386.xxxx RT-AC5300 Firmware under 126.96.36.199.386.xxxx RT-AC88U Firmware under 188.8.131.52.386 .xxxx RT-AC3100 firmware under 184.108.40.206.386.xxxx RT-AC86U firmware under 220.127.116.11.386.xxxx RT-AC68U, AC68R, AC68W, AC68P firmware under 18.104.22.168.386.xxxx RT-AC66U_B1 -firmware under 22.214.171.124.386 .xxxx RT-AC3200 firmware under 126.96.36.199.386.xxxx RT-AC2900 firmware under 188.8.131.52.386.xxxx RT-AC1900P, RT-AC1900P firmware under 184.108.40.206.386.xxxx RT-AC87U (EOL) RT-AC66U (EOL) RT-AC56U (EOL)
At this time, ASUS has not released any new firmware updates to protect against Cyclops Blink, but has released the following fixes that can be used to protect devices:
Reset the device to factory defaults: Log in to the web GUI, go to Administration → Restore/Save/Upload Settings, click “Initialize All Settings and Clear All Data Logs” and then click the Restore button. available firmware Make sure the default administrator password is changed to a more secure password Disable remote management (disabled by default, can only be enabled through advanced settings).
If you are using one of the three models labeled as EOL (end of life), please note that they are no longer supported and therefore will not receive a firmware security update. In this case, it is recommended that you replace your device with a new one.
If you own WatchGuard network devices and are looking for that advice instead, you can find the vendor’s threat mitigation advice on this webpage.
This post ASUS warns of Cyclops Blink malware attacks targeting routers
was original published at “https://www.bleepingcomputer.com/news/security/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers/”