News Trend Micro: Cyclops Blink Sets Sights on Asus Routers

Since no one knows the attack vector with certainty, rather than say, "Perfect", I would say that this is as good as can be done.
Per the advisory from BOTH Watchguard and Asus for this situation, the configuration by Jaime Alvarez is "perfect" for not allowing remote administration to the device and using a VPN tunnel as a secure method of remote access. I am not extending the qualifier of "perfect" to anything else. Just following the information from two affected parties.
 
Do y'all think they will update the firmware for EOL products to curb malware or botnets? Is it worth still using my router even though it's EOL? The AiMesh was one feature I had thought about using the old router for. I don't like getting rid of tech that still works great and can be repurposed. I have looked at DD-WRT but need to do more research on the features and whatnot that would be lost/gained.
It's highly unlikely, hence why Asus pointed out those products are EOL.
On top of that, Asus has several other AC routers that aren't listed, that they don't support as well as the listed models that may or may not be affected.

What you could do with your old router, is repurpose it as a WiFi access point or an AiMesh unit, behind your new router, as that way it's "protected" by the new router and isn't accessible directly from the internet.
 
This issue seems to mention only AC routers. I had flashed my AC router (used as a wired AP) on Mar-13-2022 which is connected to my main router AX86U. Both devices were flashed to Merlin latest versions on Mar-13. Also, my router or AP were never exposed / managed outside my home. Should I be worried or need to re-flash either AC access point or AX router or both?
One should always be concerned about things like this, but devices that aren't directly exposed to the internet should be at a much, much lower risk compared to the main router, as it would have to be compromised first.

Keep in mind that this worm is used for building a botnet, so it might have zero effect on your network, but your router could end up being part of a major DDoS attack or something similar, if compromised. That is the real concern here, but as the worm allows the group behind it access to install whatever software they want on your router, who knows what they're planning.
 
Well this is an interesting and exciting read for a Sunday morning.
 
I can leave one AC68U with simple user/pass and WAN access open to see what, when and if bad things happen. Why is the web server in Asus routers considered so insecure? Is there something we should know about it or it's just a common general recommendation to close access from WAN? As I see, Asus App offers remote access via WAN with HTTPS enabled as only requirement.
 
I can leave one AC68U with simple user/pass and WAN access open to see what, when and if bad things happen. Why is the web server in Asus routers considered so insecure? Is there something we should know about it or it's just a common general recommendation to close access from WAN? As I see, Asus App offers remote access via WAN with HTTPS enabled as only requirement.
It doesn't seem to be related to the web server though. If you look at the models affected, they all seem to be Broadcom based, as their MediaTek AC devices aren't in the list of presumably affected devices. So it could be some unknown issue with the Broadcom SDK and it wouldn't be the first time there's been issues with that. The actual attack vector isn't known at this point in time and Asus only issues general suggestions as far as the advice goes imho.
 
So at the minute I guess it's just a sit and wait to see what ASUS eventually do.

If you're on the latest FW, default password has been changed and Remote Management is disabled, then there's not much else you can do!?
Just to add: I change both the password and the admin account name.

The other thing, which I've not done, is check if the Command and Control IPs listed in Trend's article (PDF actually) are blocked by Skynet. Of course, that may be a constantly changing landscape.
 
Most attacks use the brute-force method, probing common user/pass combinations first. Some firewalls just blacklist the source IP for 30-60 min after a few unsuccessful login attempts. It's very simple and quite effective. Straight-shot hacks due to a newly discovered vulnerability are rare. It's much simpler today to hack a known weak and common client first (some IoT device, for example) and then the router on the LAN side. I don't see the malware in question using this approach.
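As an added example (not from the post, Asuswrt-Merlin or Skynet), here is a POSIX shell sketch of the lockout mechanism the post describes: count failed logins per source address in a log excerpt and emit a temporary ban for any source that crosses a threshold. The log lines and the "login failed from <ip>" message shape are constructed assumptions rather than a real router's log format, and the ipset/iptables commands are printed rather than executed so the script is safe to run anywhere.

```shell
#!/bin/sh
# Added example, not Asuswrt-Merlin or Skynet code: threshold lockout of brute-force
# sources as described in the post. Log format and addresses are constructed.

THRESHOLD=3     # failed attempts before a source is banned
BAN_MINUTES=30  # how long the ban lasts

# Constructed syslog excerpt (TEST-NET addresses). Assumed message shape:
# "... login failed from <ip>".
AUTH_LOG='Mar 13 10:00:01 router httpd: login failed from 203.0.113.7
Mar 13 10:00:03 router httpd: login failed from 203.0.113.7
Mar 13 10:00:04 router httpd: login ok from 192.168.1.50
Mar 13 10:00:05 router httpd: login failed from 203.0.113.7
Mar 13 10:00:09 router httpd: login failed from 198.51.100.4
Mar 13 10:00:11 router httpd: login failed from 203.0.113.7'

# offenders LOG THRESHOLD : print each source with at least THRESHOLD failures, sorted.
offenders() {
    printf '%s\n' "$1" | awk -v t="$2" '
        /login failed from/ { fails[$NF]++ }
        END { for (ip in fails) if (fails[ip] >= t) print ip }' | sort
}

# ban_rules LOG THRESHOLD MINUTES : print the command a firewall would run to ban each
# offender for MINUTES. Printed, not executed.
# One-time setup this assumes (real ipset/iptables syntax, also not executed here):
#   ipset create loginban hash:ip timeout 0
#   iptables -I INPUT -m set --match-set loginban src -j DROP
ban_rules() {
    offenders "$1" "$2" | while IFS= read -r ip; do
        printf 'ipset add loginban %s timeout %d\n' "$ip" "$(( $3 * 60 ))"
    done
}

ban_rules "$AUTH_LOG" "$THRESHOLD" "$BAN_MINUTES"
```

The per-entry ipset timeout is what makes the ban temporary: the address drops out of the set by itself after the interval, so no cleanup job is needed and a legitimate user who mistyped a password is not locked out for good.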
 
Is it even possible to setup an ASUS router without changing the admin password these days? I thought it was a required step now.
 
Also, I don’t think they ever figured out the attack vector of VPNFilter, or at least didn’t publicly disclose it.
 
Is it even possible to setup an ASUS router without changing the admin password these days?

I believe you can skip entirely the setup wizard by calling specific GUI pages after reset, if you really want to.
 
they all seem to be Broadcom based,
I believe a more critical common factor is that they are all ARM-based. The worm was probably not compiled to run on MIPS, which would explain the lack of MediaTek devices on the list.
 
I believe a more critical common factor is that they are all ARM-based. The worm was probably not compiled to run on MIPS, which would explain the lack of MediaTek devices on the list.
MediaTek is doing Arm based SoCs for routers too now, in case you missed it. They have at least three generations out and they've been around for about 5-6 years already.
However, in all fairness, Asus only has one router based on one of those chips, the RT-AC65, but it doesn't seem to be part of the list of affected devices.

Not trying to single out Broadcom as the bad guy here and I have recommended Asus routers to people that are looking to buy a router, just saying it's a possibility, as Broadcom based routers have been targeted before.

That said, the entry level RT-AC58U, the CT8 and the Lyra devices are Arm based, but with a Qualcomm SoC and they're not on the list.
 
I believe a more critical common factor is that they are all ARM-based. The worm was probably not compiled to run on MIPS, which would explain the lack of MediaTek devices on the list.

Interesting observation. Would seem to be a valuable piece of information in figuring out how the routers get compromised.
 
It's highly unlikely, hence why Asus pointed out those products are EOL.
On top of that, Asus has several other AC routers that aren't listed, that they don't support as well as the listed models that may or may not be affected.

What you could do with your old router, is repurpose it as a WiFi access point or an AiMesh unit, behind your new router, as that way it's "protected" by the new router and isn't accessible directly from the internet.
I agree with you, but in situations like this, I would be surprised if they just left these devices out there to die. Really bad for the brand. Again, we don't know if other brands are affected, but if it's just Asus and they don't respond, that would be the last Asus thing I ever touch. You could even get outside intervention from the government telling them to fix this if they think it's a national security thing.
 
Just to add: I change both the password and the admin account name.

The other thing, which I've not done, is check if the Command and Control IPs listed in Trend's article (PDF actually) are blocked by Skynet. Of course, that may be a constantly changing landscape.
I have made a list of the IPs to add to Skynet. I'm guessing that if Skynet starts blocking such outbound IPs then it's safe to assume that the router is compromised, but as you said, this most likely keeps changing/adding new IPs.
https://github.com/fariajose/skynet/blob/main/Cyclops-Blink-CC-servers.txt

Code:
firewall banmalware https://raw.githubusercontent.com/fariajose/skynet/main/Cyclops-Blink-CC-servers.txt
or
Code:
firewall import blacklist https://raw.githubusercontent.com/fariajose/skynet/main/Cyclops-Blink-CC-servers.txt "Cyclops"
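Skynet blocks listed addresses in iptables; as an added example (not part of Skynet or of the post above), here is a busybox-compatible shell check that does the complementary thing, reading connection-tracking lines in the /proc/net/nf_conntrack format and flagging any tracked connection whose remote side is on an indicator list, which is the "if it ever matches, assume compromise" signal the post is after. The indicator addresses and conntrack lines below are constructed (TEST-NET ranges), not the real Cyclops Blink C2 servers from the Trend Micro write-up; on a live Asuswrt router you would feed it the actual /proc/net/nf_conntrack contents and the downloaded list, as shown in the usage comment.

```shell
#!/bin/sh
# Added example, not Skynet's code: flag tracked connections whose remote side is on a
# C2 indicator list. Runs under busybox sh on Asuswrt-Merlin or any POSIX sh.

# Constructed indicator list (TEST-NET addresses, NOT the real Cyclops Blink C2 IPs).
# Format assumed: one IPv4 per line, '#' starts a comment.
CC_LIST='# constructed C2 indicator list
203.0.113.10
198.51.100.25'

# Constructed sample in the format of /proc/net/nf_conntrack. The first src=/dst= pair is
# the original direction, so for an outbound connection the first dst= is the remote host.
CONNTRACK_SAMPLE='ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.1 dst=203.0.113.10 sport=51234 dport=443 src=203.0.113.10 dst=192.168.1.1 sport=443 dport=51234 [ASSURED] mark=0 use=1
ipv4 2 udp 17 29 src=192.168.1.20 dst=192.0.2.53 sport=40000 dport=53 src=192.0.2.53 dst=192.168.1.20 sport=53 dport=40000 mark=0 use=1
ipv4 2 tcp 6 300 ESTABLISHED src=192.168.1.1 dst=198.51.100.25 sport=60001 dport=8080 src=198.51.100.25 dst=192.168.1.1 sport=8080 dport=60001 [ASSURED] mark=0 use=1'

# first_dst LINE : print the first dst= address on a conntrack line (the remote host).
first_dst() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if (index($i, "dst=") == 1) { print substr($i, 5); exit } }'
}

# in_list IP LIST : succeed if IP appears as a whole line in LIST (comment lines never match).
in_list() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# match_cc CONNTRACK LIST : print "HIT <ip> <line>" for every connection to a listed address.
match_cc() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        dst=$(first_dst "$line")
        [ -n "$dst" ] || continue
        if in_list "$dst" "$2"; then
            printf 'HIT %s %s\n' "$dst" "$line"
        fi
    done
}

# count_cc_hits CONNTRACK LIST : number of matching connections (0 when clean).
count_cc_hits() {
    match_cc "$1" "$2" | grep -c '^HIT ' || true
}

# Usage on a live router (assumption: the list was already fetched to /tmp/cc.txt):
#   match_cc "$(cat /proc/net/nf_conntrack)" "$(cat /tmp/cc.txt)"
match_cc "$CONNTRACK_SAMPLE" "$CC_LIST"
```

Only the first dst= on each line is compared, because that is the original direction of the flow; the second pair is the reply direction and would otherwise make every inbound connection from a LAN host look like a hit. A hit on an outbound connection from the router's own WAN address is the interesting case here, since Skynet's inbound blocking would not have stopped malware that is already on the device from calling out.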
 
Everything I have seen so far has been related to AC routers and up to 380 series firmware. I have an old RT-N66 with John's Fork of Merlin, 52e3 firmware that runs 24/7. Vulnerable? I don't see any unusual activity on the daily monitor. Yet.
 
Do you have reason to believe your router might be compromised? If yes, then reflashing the firmware is advised on top of doing a factory default reset, without restoring from a settings backup unless you are positive this backup was made while your router was clean, and not from a too old firmware version.

Note that if you never exposed any of the router services to the Internet, then the chances of your router being compromised are very low (could still have happened through a cross site vulnerability, for instance).

At the moment, the only publicly available information is what was published in the Trend Micro write-up and Asus's security bulletin. Also note that Trend Micro analyzed one specific variant. Their write-up hints at the possibility of other variants existing (potentially targeting other devices than WatchGuard Firebox or Asus routers).

The malware does not reflash the whole firmware in this case. They directly write into the MTD flash device.
Some web browsers are starting to block local-to-remote XSS. Like, facebook.com should not be accessing 127.0.0.1, etc.; uMatrix (addon) has done this for a while. (Auto-block local IPs unless the domain is a local IP.) Good idea to add a few addons to your browser if you want tip-top security against web threats...
 
