News Trend Micro: Cyclops Blink Sets Sights on Asus Routers

[WRobertE]

The operative word is under ..... in other words, anything OLDER than 3.0.0.4.386.xxxx


firmware under 3.0.0.4.386.xxxx

^^^^^

Vulnerable ASUS devices​

In an advisory released today, ASUS warns that the following router models and firmware versions are vulnerable to Cyclops Blink attacks:

• GT-AC5300 firmware under 3.0.0.4.386.xxxx
• GT-AC2900 firmware under 3.0.0.4.386.xxxx
• RT-AC5300 firmware under 3.0.0.4.386.xxxx
• RT-AC88U firmware under 3.0.0.4.386.xxxx
• RT-AC3100 firmware under 3.0.0.4.386.xxxx
• RT-AC86U firmware under 3.0.0.4.386.xxxx
• RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
• RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
• RT-AC3200 firmware under 3.0.0.4.386.xxxx
• RT-AC2900 firmware under 3.0.0.4.386.xxxx
• RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
• RT-AC87U (EOL)
• RT-AC66U (EOL)
• RT-AC56U (EOL)

ahhhh .... thank you

 

[follower]

It has been known for a month about this malware. This Russian Malware's main targets were Ukraine, States, Canada, EU. It's everywhere now with updated version. Can present firmwares protect you? Nope. A lot of users still believe AiProtection can protect you. The AiProtection placebo effect may help you though.
Don't forget there are more unknown Chinese and Russian malwares.

 

[willyburz]

I'm still confused.

1. Is it ALL Asus routers, or just the Asus AC routers they have listed? For example, what about Asus AX devices?
2. If you have the latest firmware already installed, it states "please disregard?" HUH?
3. How is it delivered? Direct attack on the router, or through compromised Windows devices?

 

[Paliv]

I'm still confused.

1. Is is ALL Asus routers, or just the Asus AC routers they have listed? For example, what about Asus AX devices?
2. If you have the latest firmware already installed, it states "please disregard?" HUH?
3. How is it delivered? Direct attack on the router, or through compromised Windows devices?

Also is it made possible through open ports, or remote connection, since they suggest turning those off? I think the vector is uncertain just like VPNFilter.

 

[dave14305]

Until better details emerge from Asus, I’ve relegated my AC86U back to being an AP behind my Raspberry Pi OpenWrt router. I don't necessarily think I was at risk based on my configuration, but I don’t see the need to risk the exposure while I have other options available.

Heck, even my employer sent out a cybersecurity bulletin about this specific Asus vulnerability to employees.

RT-AC87U users ought to be thinking about replacement plans.

 

[Paliv]

Until better details emerge from Asus, I’ve relegated my AC86U back to being an AP behind my Raspberry Pi OpenWrt router. I don't necessarily think I was at risk based on my configuration, but I don’t see the need to risk the exposure while I have other options available.

Heck, even my employer sent out a cybersecurity bulletin about this specific Asus vulnerability to employees.

RT-AC87U users ought to be thinking about replacement plans.

If the AX devices pop up on the list down the road I may just take my ISP gateway out of bridge mode until we know more. Though that may be no safer…

 

[RMerlin]

The font color didn’t help, either.

No shirt. I had to copy/paste it to notepad++ to be able to read it (which messed up formatting)...

Don't forget there are more unknown Chinese and Russian malwares.

Those countries don't have the monopoly on developing state-backed malware. Stuxnet was co-developed by the USA for instance.

 

[follower]

Those countries don't have the monopoly on developing state-backed malware. Stuxnet was co-developed by the USA for instance.

Of course. But those countries are the top malware creation and hacking countries. No doubt. The states are the most impacted country by malwares and hacking from China and Russia. Chinese even put the malware including backdoor into the cloth iron, USB flash drives, Android TV BOX and a lot of devices.
And then they sell them. You know what?
If you pay for the money to attack someone or places Chinese do it for you so easily. Hacking, DDOS a lot more types. They also have and sell a lot personal information DB including SSN. They steal Credit Card number too. I've seen those incident a lot in the real world. I'm still seeing a lot of victims.
They use stolen Credit Card number and info to buy a lot of things like Steam gift card, XBOX gift card a lot. And then? they resell them.

 

[XIII]

Wouldn't that be one and the same?

Not necessarily; our routers could become bots being controlled by C&C servers.

 

[Jbennett360]

AC86U user here, recently flashed the latest update - it's not that long since it came out. 3/3/22 - 3.0.0.4.386.46092

So in theory everything should be okay. Unless Asus say differently!

 

[garzjoe]

Stupid newb question. I have a RT-AC68U running 386.3_2. Been meaning to update for a while but it busy. Anyway does anyone know the correlated Asus version this build is based off?

Trying to determine is my version is under the 3.0.0.4.386.xxxx threshold in the advisory!

 

[RMerlin]

Stupid newb question. I have a RT-AC68U running 386.3_2. Been meaning to update for a while but it busy. Anyway does anyone know the correlated Asus version this build is based off?

Trying to determine is my version is under the 3.0.0.4.386.xxxx threshold in the advisory!

386.3_2 is based off 3.0.0.4.386_42095. A fair number of security issues have been resolved since that release, you should upgrade to 386.5.

 

[molachai]

386.3_2 is based off 3.0.0.4.386_42095. A fair number of security issues have been resolved since that release, you should upgrade to 386.5.

Is there a way to determine this using CLI commands or somewhere in the Merlin GUI on our routers? Having the above is useful for that particular version, but I'm just wondering if I can see the information on my side; or online in some form.

 

[Yota]

Before this happened, many members still believed that malware flashing firmware was an extremely unlikely event.

We might be able to fix this bug, but the real bug is that all running programs on the entire system can gain root privileges, even a custom script. If they have root they can even flash the cfe or other boot partition and if they do they can take control of the router forever because we don't know many things about the cfe and we are even denied to discuss how to flash it.

It won't just happen this time, every router is now a complete computer that can do almost anything, but unlike a computer there is no process to protect it.

If I were a malware author, I would happily hack these devices, these routers can be used for mining, used as a source of DDoS, and also used as a proxy server for hackers because of good performance, ample RAM, and Storage space, I must say these devices are already more powerful than some early Raspberry Pi.

So, why do some people think malware authors don't do this? because we haven't seen a case?


This isn't just for Asuswrt, any brand of router has the same issues these days, excess performance, ample RAM and ROM, almost complete Linxu system, and zero protection there once malware is running on the device.

AiProtection? It is not designed to deal with this kind of threat at all, any user can completely disable all protection features, firewalls on the router with a few nvram commands.

The only way is to ask router manufacturers, not just Asus, all manufacturers to take the systems in their routers seriously, as many don't even update router firmware after a year, like TP-LINK.

They're just selling hardware not firmware, they don't care about firmware, they only care about getting you to buy a more powerful router next year.

I can say that with the policies of the FCC and more closed chip makers, I'm no longer looking forward to running real community-maintained firmware on these routers, OpenWRT, DD-WRT, FreshTomato, all of these in the AX era. dead, they will continue to die in the future. Only manufacturers can save their firmware, and there is no reason for manufacturers to devote resources to firmware maintenance rather than marketing.


Fortunately, Asuswrt-Merlin seems to be the only firmware that is still actively contributed by the community in the AX era. Although more and more components are closed source, thanks to the good relationship between Eric and Asus, we can still use this excellent firmware in the AX era.

But we can't ignore the threats of tomorrow because of security now, we must act to urge and call on router manufacturers to take responsibility for their firmware, or open them up and transfer responsibility to communities.



Read more:
I'm promoting research into CFE (boot partition) for routers and open up research to encourage people to understand CFE and learn how to secure CFE. https://www.snbforums.com/threads/about-the-cfe-of-hnd-routers.77922/
I was previously proposing to design a suite of anti-malware software for Asuswrt designed to monitor privileged programs running on the system and anything deliberate, but this proposal was not actively supported, it is dead, however, it is ready to be reborn in more If any developers are willing to participate. http://www.snbforums.com/threads/is...re-program-for-asuswrt-merlin-firmware.76373/

 

[creamy]

Is there a way to determine this using CLI commands or somewhere in the Merlin GUI on our routers? Having the above is useful for that particular version, but I'm just wondering if I can see the information on my side; or online in some form.

You can find it from the release changelog.

Changelog link

 

[Mister2088]

@RMerlin or any other Senior Staff:

Kind of a NEWBE set of questions:

I have 386.5 on my AX88u. my route was: new router--->386.45934 (stock) ---> full nuclear reset ----> merlin 386.4 ----> dirty flash to 386.5 beta1 ----> dirty flash to 386.5. I also have all ports closed, non-default pw's and no remote connection access. Finally, I do not see any 'ktest' processes running.
So having said the above, am I OK OR should I do a nuclear reset and manual re-config? If I should reset, would I be ok with restoring from a backup after a nuclear reset?

 

[molachai]

You can find it from the release changelog.

Changelog link

I must be blind. I can't see the original Asus firmware version in conjunction with the Merlin firmware version anywhere in the current changelog.

 

[capncybo]

I am no programmer but forced my way through the Official Trend-micro & Asus documents.
What concerned me the MOST was the bots ability to write to flash...
In the immediate...
Couldn't the file which does the actual writing be "renamed"?

EDIT:
mtd_write -r write RT-N56U_Latest.trx Firmware_Stub
TO:
new_mtd_write -r write RT-N56U_Latest.trx Firmware_Stub

Hence even an infected router would FAIL in attempting to write to flash.
I stress this as a QUICK -Fix because... a Malicious-Flash could easily BRICK/KILL the router.
Anyways, there are probably already many people WAY SMARTER than I working on this...

EDIT-to-my-EDIT-(LOL):
The new-filename of old flash executable should NOT be inclusive of old name to AVOID bot detection.
da_flash_writing RT-N56U_Latest.trx Firmware_Stub

So, I'll just cross my fingers & toes & hope for the best.
Cheers.

 

[Paliv]

I must be blind. I can't see the original Asus firmware version in conjunction with the Merlin firmware version anywhere in the current changelog.

UPDATED: Merged with GPL 386_46065

Is this what you’re looking for?

edit: that’s for 386.5, if you are looking for the GPL for 386.2_2, there was no new merge. So it would be Merged GPL 386_42095.

 

[Yota]

It has been known for a month about this malware. This Russian Malware's main targets were Ukraine, States, Canada, EU. It's everywhere now with updated version. Can present firmwares protect you? Nope. A lot of users still believe AiProtection can protect you. The AiProtection placebo effect may help you though.
Don't forget there are more unknown Chinese and Russian malwares.

AiProtection is not a placebo, but is used for protection against certain types of attacks, such as phishing sites. There are ZERO processes on the router to deal with this threat, of course a firewall might play a role, but once a router is infected there will be no protection at all.

Also is it made possible through open ports, or remote connection, since they suggest turning those off? I think the vector is uncertain just like VPNFilter.

At no point should you open firewall ports. Disabling UPnP and connecting remotely with an OpenVPN server only when necessary are some good suggestions.

RT-AC87U users ought to be thinking about replacement plans.

RT-AC87U users encountered an extremely irresponsible chip manufacturer - Quantenna, they should urge manufacturers to provide security updates, or open source their code after this product dies!

@RMerlin or any other Senior Staff:

Kind of a NEWBE set of questions:

I have 386.5 on my AX88u. my route was: new router--->386.45934 (stock) ---> full nuclear reset ----> merlin 386.4 ----> dirty flash to 386.5 beta1 ----> dirty flash to 386.5. I also have all ports closed, non-default pw's and no remote connection access. Finally, I do not see any 'ktest' processes running.
So having said the above, am I OK OR should I do a nuclear reset and manual re-config? If I should reset, would I be ok with restoring from a backup after a nuclear reset?

Like Rmerlin said, victims should REFLASH their current firmware even if there is no newer firmware available. so, anyone worried about this can reflash your router, even if it's already running 386.5, reflashing will rewrite the entire system partition, which will make the malware go away if the system partition is tampered with.

Also, I would recommend checking the /jffs partition for any files you don't know about, and turning off remote access.

The following command is used to list all the files in the jffs partition, since this is the easily writable partition on the router, and usually the first stop for malware that wants to persist.

du -h /jffs

I am no programmer but forced my way through the Official Trend-micro & Asus documents.
What concerned me the MOST was the bots ability to write to flash...
In the immediate...
Couldn't the file which does the actual writing be "renamed"?

EDIT:
mtd_write -r write RT-N56U_Latest.trx Firmware_Stub
TO:
new_mtd_write -r write RT-N56U_Latest.trx Firmware_Stub

Hence even an infected router would FAIL in attempting to write to flash.
I stress this as a QUICK -Fix because... a Malicious-Flash could easily BRICK/KILL the router.
Anyways, there are probably already many people WAY SMARTER than I working on this...

EDIT-to-my-EDIT-(LOL):
The new-filename of old flash executable should NOT be inclusive of old name to AVOID bot detection.
da_flash_writing RT-N56U_Latest.trx Firmware_Stub

So, I'll just cross my fingers & toes & hope for the best.
Cheers.

Of course you can, this requires making sure the malware is not running as root, once the malware is running as root no protection can stop it as it can turn off those protections, or just ignore them. In addition, the malware does not need to call mtd_write at all. Although using mtd_write to flash the firmware is an easy way, the malware can do this by itself without any third-party programs, because any program running in Asuswrt has root privileges, They can do whatever they want.