What's new

News Trend Micro: Cyclops Blink Sets Sights on Asus Routers

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Merlin no longer supports that model. You need to go back to ASUS official firmware which was updated for this issue.

It should be noted that not using the latest firmware will leave you vulnerable to any other exploits that are around. You need to change back to ASUS firmware or buy new routers.
I would have said "Buy new routers to put in front of these" - they're still perfectly good APs or AiMesh nodes for a while yet.
But you're right about the official firmware - Merlin doesn't support them but Asus probably will for longer than you might think, if they still do now. (I was a bit surprised to find the last update from asus for my old n66u was released not as long ago as I had thought...believe it or not, I actually updated a router I retired to a switch (I needed it on my network...))
802.11ac will be around for some time yet, too...this stuff will stay off the "legacy" list for longer than most tend to think.
 
Is there somewhere that explains what Cyclops Blink is deployed to Asus routers?

Asus says in their own security advisory that they've "released new firmware that included more security measures to block malware", specifically in relation to Cyclops Blink:

Yes, Cyclops Blink is malware, but if Asus has released a firmware update specifically referencing it, wouldn't that also need to flow into AsusWRT-Merlin?

April 1st updates seem to include fixes for:
CVE-2022-23970 - update_json function has a path traversal vulnerability
CVE-2022-23971- update_PLC/PORT file has a path traversal vulnerability
CVE-2022-23972 - SQL handling function has an SQL injection vulnerability
CVE-2022-23973 - user profile configuration function is vulnerable to stack-based buffer overflow
CVE-2022-25595 - improper user request handling (DoS)
CVE-2022-25596 - configuration function has a heap-based buffer overflow vulnerability due to insufficient validation for the decryption parameter length
CVE-2022-25597 - PD service has insufficient filtering for special characters in the user request
 
Yes, Cyclops Blink is malware, but if Asus has released a firmware update specifically referencing it, wouldn't that also need to flow into AsusWRT-Merlin?
Blocking is not the same as fixing. They simply made it harder for this particular malware to infect devices in the future (and the hardening method they used is something I don't plan on implementing on my end because I don't like it at a technical level). And these mitigations are in addition to the fact that the currently known strain of this malware does NOT run on firmware 386, only on older 382/384 firmware, which means none of the models that I currently support can be affected by this strain.

April 1st updates seem to include fixes for:
Fixes that aren't already rolled in will get rolled in eventually.
 
Is there somewhere that explains what Cyclops Blink is deployed to Asus routers?
It's currently unknown. It most likely relies on existing security exploits. Considering that this malware strain cannot run on 386_xxxx firmware (which has existed for quite some time now), it's quite possible that the targeted security holes have already been fixed as well. My personal guess would be an httpd security hole, which if not fixed yet, can be avoided by not opening WAN access to the webui anyway.

That's why personally I'm not worried at all about Cyclops Blink. Reports also indicates that far fewer Asus routers have been compromised than Watchguard devices (and in their case, it was known to be targeted through WAN-exposed web management).
 
It's currently unknown. It most likely relies on existing security exploits. Considering that this malware strain cannot run on 386_xxxx firmware (which has existed for quite some time now), it's quite possible that the targeted security holes have already been fixed as well. My personal guess would be an httpd security hole, which if not fixed yet, can be avoided by not opening WAN access to the webui anyway.

That's why personally I'm not worried at all about Cyclops Blink. Reports also indicates that far fewer Asus routers have been compromised than Watchguard devices (and in their case, it was known to be targeted through WAN-exposed web management).
Isn't the wan exposed web management turned off by default, or at least when you check all up green across the board, in the security AI protection check?
 
Isn't the wan exposed web management turned off by default, or at least when you check all up green across the board, in the security AI protection check?
It is. But a lot of people still enabled it, sometimes unknowingly (in the past, using their mobile app would automatically enable WAN access without clearly notifying the user it was doing so).
 
Addressed in 3.0.0.4.386.48260 (March 2022) but not in 3.0.0.4.386.46065 (January 2022) ?

So I'm gonna guess you need 386.48xxx or higher.
I only see 386.46061 for my RT-AX92U (AX6100)

As usual, I could be wrong.
 
Addressed in 3.0.0.4.386.48260 (March 2022) but not in 3.0.0.4.386.46065 (January 2022) ?

So I'm gonna guess you need 386.48xxx or higher.
As usual, I could be wrong.
No, you just need any version of 386.x. See post #184.
 
Which I'm guessing why the AX devices haven't been compromised? I see nothing but 386 levels going wayyyyy back on my Asus AX router.
 
I have one of the affected, but still supported routers. Should I reinstall or switch to my old wired-only router?

How safe is an ASUS RX3041B, which had its one and only update in 2012? It's a wired-only router, so I'm thinking maybe it has fewer security holes because of it. I wish I could by a new wired-only router which is easy to set up. And when I say easy, I really mean it.

 
I have one of the affected, but still supported routers. Should I reinstall or switch to my old wired-only router?

How safe is an ASUS RX3041B, which had its one and only update in 2012? It's a wired-only router, so I'm thinking maybe it has fewer security holes because of it. I wish I could by a new wired-only router which is easy to set up. And when I say easy, I really mean it.

I wouldn`t trust a router with a 10 years old firmware when it comes to security.

I`d recommend looking at any of Asus`s newer entry level routers, and disable wifi on it. They have quite a few models that are well under 100$, just make sure it`s one that still gets security updates.
 
Yes, but then I read things like this:

"
Yikes. Another bug, I think, with wireless enable/disablement. When I learned of the Disable wireless button on the Overview page, I started using it to disable Wireless. However, today, I noticed that it was still showing as enabled in the Network menu, and there was a client device connected to it. The Overview page still displayed "Disabled".

So, this appears to be on top of the problem I reported recently with Wireless enabling itself after an unexpected shutdown.
"


Which non-wireless router, with a fast dual cpu, has the easiest setup for somebody who knows very little about networking?
 
Which non-wireless router, with a fast dual cpu, has the easiest setup for somebody who knows very little about networking?
You could go for a small fanless PC, and install something like this (which would be more user-friendly than pfsense):


Yes, but then I read things like this:
I don't know how he "disabled" his wifi, but I have a development Asus RT-AC66U_B1 here that runs 24/7 with the 2.4 GHz band disabled, and it has never re-enabled itself after running it like that for over a year.
 
I watched this Youtube video and to my surprise, I understood more than nothing. But I don't understand why the router is on the WAN side. What can the router do that a physical Sophos box connected to a fiber outlet can't do?

 
I watched this Youtube video and to my surprise, I understood more than nothing. But I don't understand why the router is on the WAN side. What can the router do that a physical Sophos box connected to a fiber outlet can't do?

I don't have the full context (because not gonna watch a 48 minutes video), but chances are, this setup could be for cases where you have a modem/router combo from your ISP, so you cannot replace the router.

You should be able however to use a Sophos-enabled device directly connected to a modem.
 
I watched the video a second time. In this case it's probably because the Sophos XG is in a VM, so I guess there's no other way then.

Just one more question. If you want to have a VPN client/server in Sophos XG, does that mean you have to manually install OpenVPN and then manually update it, or is it part of Sophos XG and therefore updated by them?
 
I watched the video a second time. In this case it's probably because the Sophos XG is in a VM, so I guess there's no other way then.

Just one more question. If you want to have a VPN client/server in Sophos XG, does that mean you have to manually install OpenVPN and then manually update it, or is it part of Sophos XG and therefore updated by them?
I don't know, I don't use Sophos XG. I only briefly tested it a few years ago. You will have to check the documentation for VPN capabilities.
 
Similar threads
Thread starter Title Forum Replies Date
XIII Trend Micro exploring sale General Network Security 2

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top