Menu
What's new
By:
Filters Better Search

News Trend Micro: Cyclops Blink Sets Sights on Asus Routers

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

AndreiV said:
Merlin no longer supports that model. You need to go back to ASUS official firmware which was updated for this issue.

It should be noted that not using the latest firmware will leave you vulnerable to any other exploits that are around. You need to change back to ASUS firmware or buy new routers.
Click to expand...
I would have said "Buy new routers to put in front of these" - they're still perfectly good APs or AiMesh nodes for a while yet.
But you're right about the official firmware - Merlin doesn't support them but Asus probably will for longer than you might think, if they still do now. (I was a bit surprised to find the last update from asus for my old n66u was released not as long ago as I had thought...believe it or not, I actually updated a router I retired to a switch (I needed it on my network...))
802.11ac will be around for some time yet, too...this stuff will stay off the "legacy" list for longer than most tend to think.
 
Is there somewhere that explains what Cyclops Blink is deployed to Asus routers?

Asus says in their own security advisory that they've "released new firmware that included more security measures to block malware", specifically in relation to Cyclops Blink:

ASUS Product Security Advisory | ASUS Global

www.asus.com www.asus.com

Yes, Cyclops Blink is malware, but if Asus has released a firmware update specifically referencing it, wouldn't that also need to flow into AsusWRT-Merlin?

April 1st updates seem to include fixes for:
CVE-2022-23970 - update_json function has a path traversal vulnerability
CVE-2022-23971- update_PLC/PORT file has a path traversal vulnerability
CVE-2022-23972 - SQL handling function has an SQL injection vulnerability
CVE-2022-23973 - user profile configuration function is vulnerable to stack-based buffer overflow
CVE-2022-25595 - improper user request handling (DoS)
CVE-2022-25596 - configuration function has a heap-based buffer overflow vulnerability due to insufficient validation for the decryption parameter length
CVE-2022-25597 - PD service has insufficient filtering for special characters in the user request
 
ADFHogan said:
Yes, Cyclops Blink is malware, but if Asus has released a firmware update specifically referencing it, wouldn't that also need to flow into AsusWRT-Merlin?
Click to expand...
Blocking is not the same as fixing. They simply made it harder for this particular malware to infect devices in the future (and the hardening method they used is something I don't plan on implementing on my end because I don't like it at a technical level). And these mitigations are in addition to the fact that the currently known strain of this malware does NOT run on firmware 386, only on older 382/384 firmware, which means none of the models that I currently support can be affected by this strain.

ADFHogan said:
April 1st updates seem to include fixes for:
Click to expand...
Fixes that aren't already rolled in will get rolled in eventually.
 
ADFHogan said:
Is there somewhere that explains what Cyclops Blink is deployed to Asus routers?
Click to expand...
It's currently unknown. It most likely relies on existing security exploits. Considering that this malware strain cannot run on 386_xxxx firmware (which has existed for quite some time now), it's quite possible that the targeted security holes have already been fixed as well. My personal guess would be an httpd security hole, which if not fixed yet, can be avoided by not opening WAN access to the webui anyway.

That's why personally I'm not worried at all about Cyclops Blink. Reports also indicates that far fewer Asus routers have been compromised than Watchguard devices (and in their case, it was known to be targeted through WAN-exposed web management).
 
RMerlin said:
It's currently unknown. It most likely relies on existing security exploits. Considering that this malware strain cannot run on 386_xxxx firmware (which has existed for quite some time now), it's quite possible that the targeted security holes have already been fixed as well. My personal guess would be an httpd security hole, which if not fixed yet, can be avoided by not opening WAN access to the webui anyway.

That's why personally I'm not worried at all about Cyclops Blink. Reports also indicates that far fewer Asus routers have been compromised than Watchguard devices (and in their case, it was known to be targeted through WAN-exposed web management).
Click to expand...
Isn't the wan exposed web management turned off by default, or at least when you check all up green across the board, in the security AI protection check?
 
willyburz said:
Isn't the wan exposed web management turned off by default, or at least when you check all up green across the board, in the security AI protection check?
Click to expand...
It is. But a lot of people still enabled it, sometimes unknowingly (in the past, using their mobile app would automatically enable WAN access without clearly notifying the user it was doing so).
 
Addressed in 3.0.0.4.386.48260 (March 2022) but not in 3.0.0.4.386.46065 (January 2022) ?

So I'm gonna guess you need 386.48xxx or higher.
I only see 386.46061 for my RT-AX92U (AX6100)

As usual, I could be wrong.
 
Natey2 said:
Addressed in 3.0.0.4.386.48260 (March 2022) but not in 3.0.0.4.386.46065 (January 2022) ?

So I'm gonna guess you need 386.48xxx or higher.
As usual, I could be wrong.
Click to expand...
No, you just need any version of 386.x. See post #184.
 
Which I'm guessing why the AX devices haven't been compromised? I see nothing but 386 levels going wayyyyy back on my Asus AX router.
 
I have one of the affected, but still supported routers. Should I reinstall or switch to my old wired-only router?

How safe is an ASUS RX3041B, which had its one and only update in 2012? It's a wired-only router, so I'm thinking maybe it has fewer security holes because of it. I wish I could by a new wired-only router which is easy to set up. And when I say easy, I really mean it.

RX3041 B - Support

www.asus.com www.asus.com
 
DNN75 said:
I have one of the affected, but still supported routers. Should I reinstall or switch to my old wired-only router?

How safe is an ASUS RX3041B, which had its one and only update in 2012? It's a wired-only router, so I'm thinking maybe it has fewer security holes because of it. I wish I could by a new wired-only router which is easy to set up. And when I say easy, I really mean it.

RX3041 B - Support

www.asus.com www.asus.com
Click to expand...
I wouldn`t trust a router with a 10 years old firmware when it comes to security.

I`d recommend looking at any of Asus`s newer entry level routers, and disable wifi on it. They have quite a few models that are well under 100$, just make sure it`s one that still gets security updates.
 
Yes, but then I read things like this:

"
Yikes. Another bug, I think, with wireless enable/disablement. When I learned of the Disable wireless button on the Overview page, I started using it to disable Wireless. However, today, I noticed that it was still showing as enabled in the Network menu, and there was a client device connected to it. The Overview page still displayed "Disabled".

So, this appears to be on top of the problem I reported recently with Wireless enabling itself after an unexpected shutdown.
"

Solved - 2022.1 Overview page shows Wireless as off, but it's actually on

Yikes. Another bug, I think, with wireless enable/disablement. When I learned of the Disable wireless button on the Overview page, I started using it to disable Wireless. However, today, I noticed that it was still showing as enabled in the Network menu, and there was a client device connected...
www.linksysinfo.org

Which non-wireless router, with a fast dual cpu, has the easiest setup for somebody who knows very little about networking?
 
DNN75 said:
Which non-wireless router, with a fast dual cpu, has the easiest setup for somebody who knows very little about networking?
Click to expand...
You could go for a small fanless PC, and install something like this (which would be more user-friendly than pfsense):

www.sophos.com

Cybersecurity as a Service Delivered | Sophos

We Deliver Superior Cybersecurity Outcomes for Real-World Organizations Worldwide with a Broad Portfolio of Advanced Security Products and Services.
www.sophos.com www.sophos.com

DNN75 said:
Yes, but then I read things like this:
Click to expand...
I don't know how he "disabled" his wifi, but I have a development Asus RT-AC66U_B1 here that runs 24/7 with the 2.4 GHz band disabled, and it has never re-enabled itself after running it like that for over a year.
 
I watched this Youtube video and to my surprise, I understood more than nothing. But I don't understand why the router is on the WAN side. What can the router do that a physical Sophos box connected to a fiber outlet can't do?

 
DNN75 said:
I watched this Youtube video and to my surprise, I understood more than nothing. But I don't understand why the router is on the WAN side. What can the router do that a physical Sophos box connected to a fiber outlet can't do?

Click to expand...
I don't have the full context (because not gonna watch a 48 minutes video), but chances are, this setup could be for cases where you have a modem/router combo from your ISP, so you cannot replace the router.

You should be able however to use a Sophos-enabled device directly connected to a modem.
 
I watched the video a second time. In this case it's probably because the Sophos XG is in a VM, so I guess there's no other way then.

Just one more question. If you want to have a VPN client/server in Sophos XG, does that mean you have to manually install OpenVPN and then manually update it, or is it part of Sophos XG and therefore updated by them?
 
DNN75 said:
I watched the video a second time. In this case it's probably because the Sophos XG is in a VM, so I guess there's no other way then.

Just one more question. If you want to have a VPN client/server in Sophos XG, does that mean you have to manually install OpenVPN and then manually update it, or is it part of Sophos XG and therefore updated by them?
Click to expand...
I don't know, I don't use Sophos XG. I only briefly tested it a few years ago. You will have to check the documentation for VPN capabilities.
 
You must log in or register to reply here.

Similar threads

B
Can a VPN from a desktop client hide activity from Trend Micro on ASUS routers
Replies
8
Views
5K
ColinTaylor
C
GK59
"Privacy issues with Trend Micro software in Asus routers"
Replies
2
Views
8K
AndreiV
A
Similar threads
Thread starter Title Forum Replies Date
XIII Trend Micro exploring sale General Network Security 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 743 (members: 15, guests: 728)
Top