News Trend Micro: Cyclops Blink Sets Sights on Asus Routers
- Thread starter XIII
- Start date
heysoundude
Part of the Furniture
I would have said "Buy new routers to put in front of these" - they're still perfectly good APs or AiMesh nodes for a while yet.
But you're right about the official firmware - Merlin doesn't support them but Asus probably will for longer than you might think, if they still do now. (I was a bit surprised to find the last update from asus for my old n66u was released not as long ago as I had thought...believe it or not, I actually updated a router I retired to a switch (I needed it on my network...))
802.11ac will be around for some time yet, too...this stuff will stay off the "legacy" list for longer than most tend to think.
ADFHogan
Regular Contributor
Is there somewhere that explains what Cyclops Blink is deployed to Asus routers?
Asus says in their own security advisory that they've "released new firmware that included more security measures to block malware", specifically in relation to Cyclops Blink:
www.asus.com
Yes, Cyclops Blink is malware, but if Asus has released a firmware update specifically referencing it, wouldn't that also need to flow into AsusWRT-Merlin?
April 1st updates seem to include fixes for:
CVE-2022-23970 - update_json function has a path traversal vulnerability
CVE-2022-23971- update_PLC/PORT file has a path traversal vulnerability
CVE-2022-23972 - SQL handling function has an SQL injection vulnerability
CVE-2022-23973 - user profile configuration function is vulnerable to stack-based buffer overflow
CVE-2022-25595 - improper user request handling (DoS)
CVE-2022-25596 - configuration function has a heap-based buffer overflow vulnerability due to insufficient validation for the decryption parameter length
CVE-2022-25597 - PD service has insufficient filtering for special characters in the user request
Asus says in their own security advisory that they've "released new firmware that included more security measures to block malware", specifically in relation to Cyclops Blink:
ASUS Product Security Advisory | ASUS Global
www.asus.com
Yes, Cyclops Blink is malware, but if Asus has released a firmware update specifically referencing it, wouldn't that also need to flow into AsusWRT-Merlin?
April 1st updates seem to include fixes for:
CVE-2022-23970 - update_json function has a path traversal vulnerability
CVE-2022-23971- update_PLC/PORT file has a path traversal vulnerability
CVE-2022-23972 - SQL handling function has an SQL injection vulnerability
CVE-2022-23973 - user profile configuration function is vulnerable to stack-based buffer overflow
CVE-2022-25595 - improper user request handling (DoS)
CVE-2022-25596 - configuration function has a heap-based buffer overflow vulnerability due to insufficient validation for the decryption parameter length
CVE-2022-25597 - PD service has insufficient filtering for special characters in the user request
Blocking is not the same as fixing. They simply made it harder for this particular malware to infect devices in the future (and the hardening method they used is something I don't plan on implementing on my end because I don't like it at a technical level). And these mitigations are in addition to the fact that the currently known strain of this malware does NOT run on firmware 386, only on older 382/384 firmware, which means none of the models that I currently support can be affected by this strain.
Fixes that aren't already rolled in will get rolled in eventually.
It's currently unknown. It most likely relies on existing security exploits. Considering that this malware strain cannot run on 386_xxxx firmware (which has existed for quite some time now), it's quite possible that the targeted security holes have already been fixed as well. My personal guess would be an httpd security hole, which if not fixed yet, can be avoided by not opening WAN access to the webui anyway.
That's why personally I'm not worried at all about Cyclops Blink. Reports also indicates that far fewer Asus routers have been compromised than Watchguard devices (and in their case, it was known to be targeted through WAN-exposed web management).
willyburz
Senior Member
Isn't the wan exposed web management turned off by default, or at least when you check all up green across the board, in the security AI protection check?
It is. But a lot of people still enabled it, sometimes unknowingly (in the past, using their mobile app would automatically enable WAN access without clearly notifying the user it was doing so).
Some users can be confused.. Let's make it clear. It's a malware which is using a vulnerability.
ColinTaylor
Part of the Furniture
No, you just need any version of 386.x. See post #184.
I have one of the affected, but still supported routers. Should I reinstall or switch to my old wired-only router?
How safe is an ASUS RX3041B, which had its one and only update in 2012? It's a wired-only router, so I'm thinking maybe it has fewer security holes because of it. I wish I could by a new wired-only router which is easy to set up. And when I say easy, I really mean it.
www.asus.com
How safe is an ASUS RX3041B, which had its one and only update in 2012? It's a wired-only router, so I'm thinking maybe it has fewer security holes because of it. I wish I could by a new wired-only router which is easy to set up. And when I say easy, I really mean it.
RX3041 B - Support
www.asus.com
I wouldn`t trust a router with a 10 years old firmware when it comes to security.I have one of the affected, but still supported routers. Should I reinstall or switch to my old wired-only router?
How safe is an ASUS RX3041B, which had its one and only update in 2012? It's a wired-only router, so I'm thinking maybe it has fewer security holes because of it. I wish I could by a new wired-only router which is easy to set up. And when I say easy, I really mean it.
RX3041 B - Support
I`d recommend looking at any of Asus`s newer entry level routers, and disable wifi on it. They have quite a few models that are well under 100$, just make sure it`s one that still gets security updates.
Yes, but then I read things like this:
"
Yikes. Another bug, I think, with wireless enable/disablement. When I learned of the Disable wireless button on the Overview page, I started using it to disable Wireless. However, today, I noticed that it was still showing as enabled in the Network menu, and there was a client device connected to it. The Overview page still displayed "Disabled".
So, this appears to be on top of the problem I reported recently with Wireless enabling itself after an unexpected shutdown.
"
Which non-wireless router, with a fast dual cpu, has the easiest setup for somebody who knows very little about networking?
"
Yikes. Another bug, I think, with wireless enable/disablement. When I learned of the Disable wireless button on the Overview page, I started using it to disable Wireless. However, today, I noticed that it was still showing as enabled in the Network menu, and there was a client device connected to it. The Overview page still displayed "Disabled".
So, this appears to be on top of the problem I reported recently with Wireless enabling itself after an unexpected shutdown.
"
Solved - 2022.1 Overview page shows Wireless as off, but it's actually on
Yikes. Another bug, I think, with wireless enable/disablement. When I learned of the Disable wireless button on the Overview page, I started using it to disable Wireless. However, today, I noticed that it was still showing as enabled in the Network menu, and there was a client device connected...
www.linksysinfo.org
Which non-wireless router, with a fast dual cpu, has the easiest setup for somebody who knows very little about networking?
You could go for a small fanless PC, and install something like this (which would be more user-friendly than pfsense):
Cybersecurity as a Service Delivered | Sophos
We Deliver Superior Cybersecurity Outcomes for Real-World Organizations Worldwide with a Broad Portfolio of Advanced Security Products and Services.
I don't know how he "disabled" his wifi, but I have a development Asus RT-AC66U_B1 here that runs 24/7 with the 2.4 GHz band disabled, and it has never re-enabled itself after running it like that for over a year.
I don't have the full context (because not gonna watch a 48 minutes video), but chances are, this setup could be for cases where you have a modem/router combo from your ISP, so you cannot replace the router.
You should be able however to use a Sophos-enabled device directly connected to a modem.
I watched the video a second time. In this case it's probably because the Sophos XG is in a VM, so I guess there's no other way then.
Just one more question. If you want to have a VPN client/server in Sophos XG, does that mean you have to manually install OpenVPN and then manually update it, or is it part of Sophos XG and therefore updated by them?
Just one more question. If you want to have a VPN client/server in Sophos XG, does that mean you have to manually install OpenVPN and then manually update it, or is it part of Sophos XG and therefore updated by them?
I don't know, I don't use Sophos XG. I only briefly tested it a few years ago. You will have to check the documentation for VPN capabilities.
Similar threads
| Thread starter | Title | Forum | Replies | Date |
|---|---|---|---|---|
|
Trend Micro exploring sale | General Network Security | 2 |