News Trend Micro: Cyclops Blink Sets Sights on Asus Routers

[XIII]

This report discusses the technical capabilities of this Cyclops Blink malware variant that targets ASUS routers and includes a list of more than 150 current and historical command-and-control (C&C) servers of the Cyclops Blink botnet.

Cyclops Blink Sets Sights on Asus Routers

www.trendmicro.com

 

[XIII]

ASUS Product Security Advisory:

03/17/2022 Security Advisory for Cyclops Blink
ASUS is investigating and working for a remediation for Cyclops Blink and will continue to post software update.

To help owners of these routers take necessary precautions, we compiled a security checklist:
(1) Reset the device to factory default: Login into the web GUI(http://router.asus.com) , go to Administration → Restore/Save/Upload Setting, click the “Initialize all the setting and clear all the data log”, and then click Restore button”
(2) Update all devices to the latest firmware.
(3) Ensure default admin password had been changed to a more secure one.
(4) Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).

Affected products

GT-AC5300 firmware under 3.0.0.4.386.xxxx
GT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC5300 firmware under 3.0.0.4.386.xxxx
RT-AC88U firmware under 3.0.0.4.386.xxxx
RT-AC3100 firmware under 3.0.0.4.386.xxxx
RT-AC86U firmware under 3.0.0.4.386.xxxx
RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
RT-AC3200 firmware under 3.0.0.4.386.xxxx
RT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
RT-AC87U (EOL)
RT-AC66U (EOL)
RT-AC56U (EOL)

Please note that if you choose not to install this new firmware version then, to avoid any potential unwanted intrusion, we strongly recommend that you disable remote access from WAN and reset your router to its default settings.

If you have already installed the latest firmware version, please disregard this notice.

Should you have any question or concerns, please contact ASUS via our Security Advisory reporting system:
https://www.asus.com/securityadvisory

For further help with router setup and an introduction to network security, please visit
https://www.asus.com/support/FAQ/1008000
https://www.asus.com/support/FAQ/1039292

 

[AndreiV]

The HoneyPots are going crazy :


Project HaaS

Honeypot as a Service - Home

Honeypot as a Service

haas.nic.cz

Sentinel View ( presentation of attacks)

Overview | Sentinel View

view.sentinel.turris.cz

See the graphs :

Incidents | Sentinel View

view.sentinel.turris.cz

Greylist of attackers available for download .

Index of /greylist-data/

 

[cptnoblivious]

So it sounds like you need firmware at or above 3.0.0.4.386.xxxx

Or any of the 386 based Merlin versions?

 

[dave14305]

So it sounds like you need firmware at or above 3.0.0.4.386.xxxx

Or any of the 386 based Merlin versions?

I’m guessing xxxx is a placeholder until they publish a new firmware.

 

[cptnoblivious]

I’m guessing xxxx is a placeholder until they publish a new firmware.

I'm wondering about that because it says affected version are below .386.xxxx, so anything with .386.wxyz should be fixed.

 

[dave14305]

I'm wondering about that because it says affected version are below .386.xxxx, so anything with .386.wxyz should be fixed.

I’m assuming the worst that everything is vulnerable until the next Asus firmware release. But there isn’t any public information about the attack vector, AFAIK. Just broad recommendations to reset to defaults, flash latest firmware, and disable remote WAN access.

Asus’ own advisory states:

ASUS is investigating and working for a remediation for Cyclops Blink and will continue to post software update.

 

[RMerlin]

flash latest firmware,

I would like to emphasize that. As the Trend Micro white paper mentioned, this malware does write directly to the flash. So, victims should REFLASH their current firmware even if there is no newer firmware available.

 

[willyburz]

I'm not seeing any AX routers on that list above, am I missing something? For example, IF an AX86U is using the latest firmware 3.0.0.4.386.46061 you'd be fine?

 

[RMerlin]

Moved to the Security forum because this is larger than only Asus routers.

 

[Paliv]

I would like to emphasize that. As the Trend Micro white paper mentioned, this malware does write directly to the flash. So, victims should REFLASH their current firmware even if there is no newer firmware available.

Like VPNFilter the question for most people is how do you even figure out you're a victim?

 

[RMerlin]

Like VPNFilter the question for most people is how do you even figure out you're a victim?

Trend Micro published a python script that can be used to test (however it requires you to have a Linux host to use it). It's in the appendix of their whitepaper, along with a list of known C&C IPs.

They also mention the presence of a process called [ktest].

 

[dave14305]

Trend Micro published a python script that can be used to test (however it requires you to have a Linux host to use it). It's in the appendix of their whitepaper, along with a list of known C&C IPs.

They also mention the presence of a process called [ktest].

I think the python script is only meant to determine if a remote IP is a C&C server for the malware, not if the router is infected.

 

[RMerlin]

I think the python script is only meant to determine if a remote IP is a C&C server for the malware, not if the router is infected.

That would make sense. I had a quick glance at it, and found it a bit confusing.

 

[dave14305]

That would make sense. I had a quick glance at it, and found it a bit confusing.

The font color didn’t help, either.

 

[XIII]

I think the python script is only meant to determine if a remote IP is a C&C server for the malware, not if the router is infected.

Indeed:

To validate a host suspected of being a Cyclops Blink C&C server, we wrote a script that would perform the TLS handshake, send a 4-byte packet, and wait for the 4-byte response from the server. The source code for the script is as follows:

 

[cptnoblivious]

I’m assuming the worst that everything is vulnerable until the next Asus firmware release. But there isn’t any public information about the attack vector, AFAIK. Just broad recommendations to reset to defaults, flash latest firmware, and disable remote WAN access.

Asus’ own advisory states:

Always good to assume the worst.

When reading the Asus advisory they state (towards the end) "If you have already installed the latest firmware version, please disregard this notice."

Would be great to get a confirmation of course

 

[WRobertE]

...

Upshot is, as long as you have 3.0.0.4.386.xxxxx you are ok. But worth a read.

I read the advisory as saying 3.0.0.4.386.xxxx was vulnerable. @RMerlin ... can you clarify?

 

[Justinh]

I think the python script is only meant to determine if a remote IP is a C&C server for the malware, not if the router is infected.

Wouldn't that be one and the same?

 

[Smokey613]

I read the advisory as saying 3.0.0.4.386.xxxx was vulnerable. @RMerlin ... can you clarify?

The operative word is under ..... in other words, anything OLDER than 3.0.0.4.386.xxxx


firmware under 3.0.0.4.386.xxxx

^^^^^

Vulnerable ASUS devices​

In an advisory released today, ASUS warns that the following router models and firmware versions are vulnerable to Cyclops Blink attacks:

• GT-AC5300 firmware under 3.0.0.4.386.xxxx
• GT-AC2900 firmware under 3.0.0.4.386.xxxx
• RT-AC5300 firmware under 3.0.0.4.386.xxxx
• RT-AC88U firmware under 3.0.0.4.386.xxxx
• RT-AC3100 firmware under 3.0.0.4.386.xxxx
• RT-AC86U firmware under 3.0.0.4.386.xxxx
• RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
• RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
• RT-AC3200 firmware under 3.0.0.4.386.xxxx
• RT-AC2900 firmware under 3.0.0.4.386.xxxx
• RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
• RT-AC87U (EOL)
• RT-AC66U (EOL)
• RT-AC56U (EOL)