Asus has issued a warning to owners of some of its routers asking them to download a recent firmware update to help protect against new malware targeting its products. Asus recommends measures be taken immediately to prevent your network being infected with the botnet malware, known as Cyclops Blink, though is investigating a more permanent fix.
In a security bulletin on the Asus website, the company outlines the best way for users to strengthen their defences against Cyclops Blink. These include: resetting the device to factory default settings, updating the device to the latest firmware version, changing the admin password, and disabling Remote Management (should be disabled by default).
The affected Asus products are:
- GT-AC5300 firmware under 184.108.40.206.386.xxxx
- GT-AC2900 firmware under 220.127.116.11.386.xxxx
- RT-AC5300 firmware under 18.104.22.168.386.xxxx
- RT-AC88U firmware under 22.214.171.124.386.xxxx
- RT-AC3100 firmware under 126.96.36.199.386.xxxx
- RT-AC86U firmware under 188.8.131.52.386.xxxx
- RT-AC68U, AC68R, AC68W, AC68P firmware under 184.108.40.206.386.xxxx
- RT-AC66U_B1 firmware under 220.127.116.11.386.xxxx
- RT-AC3200 firmware under 18.104.22.168.386.xxxx
- RT-AC2900 firmware under 22.214.171.124.386.xxxx
- RT-AC1900P, RT-AC1900P firmware under 126.96.36.199.386.xxxx
- RT-AC87U (EOL)
- RT-AC66U (EOL)
- RT-AC56U (EOL)
The products noted as GT are seriously beefy gaming routers, and some of the RT ones are pretty chunky routers, too.
Cyclops Blink is a persistent advanced modular botnet that is tough to shake off once it has a hold on your system. Trend Micro has performed a deep-dive into the malware and exactly how it operates, which I recommend you give a read if you’re into this sort of stuff—it is fascinating to know thy enemy. Essentially, though, it sets up a route of communication between an infected device and the attacker’s servers, and is able to cipher and send data to these servers as it pleases.
In the case of the exact Asus variant of these malware, it can actually access a device’s flash memory. That means it will have pretty much unfettered access to a machine once infected. It also means that the malware can actually survive factory resets. Though as Asus notes, flashing a device should finally be rid of the malware, but how often do most users flash their entire routers?
The malware itself is modular in nature, so it’s assumed that it could be modified by its creators to run on other brands of routers relatively easily.
The botnet is reportedly linked to the Sandstorm or Voodoo Bear advanced persistent threat (APT) groups, says Trend Micro. Those groups have quite a track history: The Sandworm APT group has been linked to the VPNFilter botnet and attacks on the Ukrainian electrical grid, French presidential campaign, and the Winter Olympic games.
The FBI, CISA, US Department of Justice, and UK National Cyber Security Centre all jointly warned about the threat of Cyclops Blink last month.
“The malicious cyber actor known as Sandworm or Voodoo Bear is using new malware, referred to as Cyclops Blink,” the joint statement reads (via The Register). Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office routers and network-attached storage devices.”
This sounds like a malware you don’t want to meddle with. As ever, updating your PC’s drivers to the latest is the best form of defence in most cases—short of disconnecting your whole PC from the internet, of course. However, I do believe there are sure to be many routers that haven’t seen a patch in their life, and that’s why it’s really important that users with those affected devices heed this call.