News Trend Micro: Cyclops Blink Sets Sights on Asus Routers

[TexasFlood]

Thanks everyone, sincere appreciate your help! Shall I ask the admin to delete this post so others don’t get confused (like I did). ?

I was concerned. I also have a RT-AX86U and didn't want to miss anything. Looks like I'm good, for now anyway. Fingers crossed, knock on wood.

 

[PRSXFENG]

Ideally you want the output of the ps and iptables commands to not show any results (like in the example).

Interestingly, I have

Chain OUTPUT (policy ACCEPT 7949 packets, 7020K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4672
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4665
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662

In that list, but upon further investigation this seems to be the Download Master port forwarding itself for P2P and stuff

 

[ColinTaylor]

Interestingly, I have

Chain OUTPUT (policy ACCEPT 7949 packets, 7020K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4672
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4665
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662

In that list, but upon further investigation this seems to be the Download Master port forwarding itself for P2P and stuff

Yeah, that's why I said at the beginning of that post "or there are unexpected entries" as it's not possible for me to predict every possible change a user may have made to their router. The user will have to use their judgement whether any entries found are suspicious. So thanks for highlighting the Download Master stuff.

 

[sfx2000]

Not trying to single out Broadcom as the bad guy here and I have recommended Asus routers to people that are looking to buy a router, just saying it's a possibility, as Broadcom based routers have been targeted before.

It could be anybody's SDK, so I agree - not just Broadcom this time around. That being said, if it is indeed a Broadcom item, then other OEM's can be at risk.

That's the scary thing with how much of the development goes these days in consumer HW - drop in the vendor SDK, wrap it with a custom web UI, and ship it...

 

[sfx2000]

Well anything is possible. But it would have to be an entirely hardware solution. Either by having a separate chip just for the firmware, or allocating a fixed-size block within a single chip.

Just do like I so... sign the file system

eCryptfs

The enterprise cryptographic filesystem for Linux

www.ecryptfs.org

Nothing can be modified without the keys, otherwise the block won't match, and it can't mount

 

[ColinTaylor]

Just do like I so... sign the file system

eCryptfs

The enterprise cryptographic filesystem for Linux

www.ecryptfs.org

Nothing can be modified without the keys, otherwise the block won't match, and it can't mount

That doesn't help much if the malware is running on the router with full access to everything including any keys and APIs that the firmware uses for it's own auto-update process. So I'd put that in the "anything is possible" category. Yes, it's possible but it would require a complete redesign of the way the router works (which would probably be a good thing ).

 

[Yota]

Just do like I so... sign the file system

eCryptfs

The enterprise cryptographic filesystem for Linux

www.ecryptfs.org

Nothing can be modified without the keys, otherwise the block won't match, and it can't mount

That doesn't help much if the malware is running on the router with full access to everything including any keys and APIs that the firmware uses for it's own auto-update process. So I'd put that in the "anything is possible" category. Yes, it's possible but it would require a complete redesign of the way the router works (which would probably be a good thing ).

For restricting routers from flashing firmware, making it harder for most people who don't update firmware often, I think automatic updates are a way to protect those people. Running outdated and vulnerable firmware is an even bigger risk.

 

[sfx2000]

For restricting routers from flashing firmware, making it harder for most people who don't update firmware often, I think automatic updates are a way to protect those people. Running outdated and vulnerable firmware is an even bigger risk.

You can do signed code and still keep it open - there's key management that has to be considered, but it's not impossible.

cyclops-blink - if it were to attempt to write to a code signed MTD block, the mounting of that block will fail, as the sig no longer matches - then it's rebuilding the FS, which is not impossible to do from the bootloader...

 

[sfx2000]

That doesn't help much if the malware is running on the router with full access to everything including any keys and APIs that the firmware uses for it's own auto-update process. So I'd put that in the "anything is possible" category. Yes, it's possible but it would require a complete redesign of the way the router works (which would probably be a good thing ).

It doesn't have "full access" in a signed file system...

I do agree, however, security is at its best when implemented design stage - trying to patch it in once in deployment/production is very difficult.

 

[ColinTaylor]

It doesn't have "full access" in a signed file system...

What I meant was that if the firmware has processes that can write to the file system (even when it's signed) then the malware authors will simply update the malware to use the same method, or use unsigned nvram, or some other technique.

I do agree, however, security is at its best when implemented design stage - trying to patch it in once in deployment/production is very difficult.

Indeed, that's something that would require a significant rework of the firmware by Asus rather than a simple patch. I don't see Asus doing that anytime soon. Anyway, if we want to play "this is how I would have done it" then I suggest that's discussed in a separate thread and we leave this one for addressing the actual issue with the firmware.

 

[BikeHelmet]

A lot of these hacks bypass external security by rerouting through a local device. That's how many security camera ones worked. (Though some of those also broadcast straight to the web.) The problem is webpages basically elevate to your device's security level unless you properly secure them. Windows has no loopback firewall/security, so by default any website can start doing unrequested connections to local network devices and programs running on the same computer, using XMLHttpRequest, etc - this happened to uTorrent and to many other programs. It's not so much a flaw with the program, as a flaw with Windows in general. One app shouldn't be able to spam ports that another app has open, unless you have explicitly allowed it. Specially crafted malware with knowledge of a router's login pages could hit local IPs like 192.168.0.1 using default credentials from your on-the-same-network Windows computer when you visit an infected site. Odds are it gets in, if you never changed your password. Good reason to enable captchas and use non-standard user/pass combinations.

One solution to this (other than web browsers implementing sane security policies, like restricting cross LAN-to-WAN activity unless you explicitly allow it) would be addons that do this for you, like uMatrix.

uMatrix makes you confirm so many components of a website when visiting it, odds are good that any malware that you encounter simply won't activate until you go and click a few times to allow it. Hit-and-run attacks are going to be a lot more rare. Attacks from ad networks? Quite commonplace, but would become quite rare indeed.

 

[follower]

A lot of these hacks bypass external security by rerouting through a local device. That's how many security camera ones worked. (Though some of those also broadcast straight to the web.) The problem is webpages basically elevate to your device's security level unless you properly secure them. Windows has no loopback firewall/security, so by default any website can start doing unrequested connections to local network devices and programs running on the same computer, using XMLHttpRequest, etc - this happened to uTorrent and to many other programs. It's not so much a flaw with the program, as a flaw with Windows in general. One app shouldn't be able to spam ports that another app has open, unless you have explicitly allowed it. Specially crafted malware with knowledge of a router's login pages could hit local IPs like 192.168.0.1 using default credentials from your on-the-same-network Windows computer when you visit an infected site. Odds are it gets in, if you never changed your password. Good reason to enable captchas and use non-standard user/pass combinations.

One solution to this (other than web browsers implementing sane security policies, like restricting cross LAN-to-WAN activity unless you explicitly allow it) would be addons that do this for you, like uMatrix.

uMatrix makes you confirm so many components of a website when visiting it, odds are good that any malware that you encounter simply won't activate until you go and click a few times to allow it. Hit-and-run attacks are going to be a lot more rare. Attacks from ad networks? Quite commonplace, but would become quite rare indeed.

Remember uMatrix has Vulnerability too. It's just like AdBlock something. I never recommend those extensions. You can be a victim of targeted attack.

 

[BikeHelmet]

Remember uMatrix has Vulnerability too. It's just like AdBlock something. I never recommend those extensions. You can be a victim of targeted attack.

The addon is sandboxed. Isn't that a step upward in security? Sure, you can pollute the blocklists and cause trouble that way, or crash it with what effectively amounts to a DDOS attack - but that leaves you with it turned off, which is the vulnerability. Or in other words, it enhances security, or at worst doesn't make it any worse than not having it?

uMatrix has an unfixed vulnerability: here is a workaround - gHacks Tech News

A vulnerability was disclosed recently that affects the discontinued but still popular browser extension uMatrix. A workaround is available!

www.ghacks.net

Still seems like a net positive to me.

If a hacker wanted to get me through it, and knew how much RAM I have, they'd give up on trying to crash it and move on to some other avenue.

 

[follower]

The addon is sandboxed. Isn't that a step upward in security? Sure, you can pollute the blocklists and cause trouble that way, or crash it with what effectively amounts to a DDOS attack - but that leaves you with it turned off, which is the vulnerability. Or in other words, it enhances security, or at worst doesn't make it any worse than not having it?

uMatrix has an unfixed vulnerability: here is a workaround - gHacks Tech News

A vulnerability was disclosed recently that affects the discontinued but still popular browser extension uMatrix. A workaround is available!

www.ghacks.net

Still seems like a net positive to me.

If a hacker wanted to get me through it, and knew how much RAM I have, they'd give up on trying to crash it and move on to some other avenue.

Oh no...
Sandboxed is not enough. Some malwares can neutralize sandbox. Do not too much trust sandbox. A firewall software for your system is far better than chrome extension. Extensions are just toys. That extension is only for browsers.

 

[bennor]

Appears Asus updated the Cyclops Blink security advisory notice today to include some additional routers/devices or additional information:

03/25/2022 Security Advisory for Cyclops Blink ∇
ASUS is investigating and working for a remediation for Cyclops Blink and will continue to post software update.

To help owners of these routers take necessary precautions, we compiled a security checklist:
(1) Reset the device to factory default: Login into the web GUI(http://router.asus.com) , go to Administration → Restore/Save/Upload Setting, click the “Initialize all the setting and clear all the data log”, and then click Restore button”
(2) Update all devices to the latest firmware.
(3) Ensure default admin password had been changed to a more secure one.
(4) Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).

Affected products
GT-AC5300 firmware = 3.0.0.4.384.xxxx or earlier version
GT-AC2900 firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC5300 firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC88U firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC3100 firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC86U firmware = 3.0.0.4.384.xxxx or earlier version.
RT-AC68U, AC68R, AC68W, AC68P firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC66U_B1 firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC3200. We advise users to reset the router and disable remote connection. New firmware will be released soon.
RT-AC2900 firmware = 3.0.0.4.384.xxxx or earlier version.
RT-AC1900P, RT-AC1900P = 3.0.0.4.384.xxxx or earlier version.
RT-AC87U (EOL)
RT-AC66U (EOL)
RT-AC56U (EOL)

Please note that if you choose not to install this new firmware version then, to avoid any potential unwanted intrusion, we strongly recommend that you disable remote access from WAN and reset your router to its default settings.

If you have already installed the latest firmware version, please disregard this notice.

Should you have any question or concerns, please contact ASUS via our Security Advisory reporting system:
https://www.asus.com/securityadvisory

For further help with router setup and an introduction to network security, please visit
https://www.asus.com/support/FAQ/1008000
https://www.asus.com/support/FAQ/1039292

 

[ColinTaylor]

Appears Asus updated the Cyclops Blink security advisory notice today to include some additional routers/devices or additional information:

03/25/2022 Security Advisory for Cyclops Blink ∇
ASUS is investigating and working for a remediation for Cyclops Blink and will continue to post software update.

To help owners of these routers take necessary precautions, we compiled a security checklist:
(1) Reset the device to factory default: Login into the web GUI(http://router.asus.com) , go to Administration → Restore/Save/Upload Setting, click the “Initialize all the setting and clear all the data log”, and then click Restore button”
(2) Update all devices to the latest firmware.
(3) Ensure default admin password had been changed to a more secure one.
(4) Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).

Affected products
GT-AC5300 firmware = 3.0.0.4.384.xxxx or earlier version
GT-AC2900 firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC5300 firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC88U firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC3100 firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC86U firmware = 3.0.0.4.384.xxxx or earlier version.
RT-AC68U, AC68R, AC68W, AC68P firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC66U_B1 firmware = 3.0.0.4.384.xxxx or earlier version
RT-AC3200. We advise users to reset the router and disable remote connection. New firmware will be released soon.
RT-AC2900 firmware = 3.0.0.4.384.xxxx or earlier version.
RT-AC1900P, RT-AC1900P = 3.0.0.4.384.xxxx or earlier version.
RT-AC87U (EOL)
RT-AC66U (EOL)
RT-AC56U (EOL)

Please note that if you choose not to install this new firmware version then, to avoid any potential unwanted intrusion, we strongly recommend that you disable remote access from WAN and reset your router to its default settings.

If you have already installed the latest firmware version, please disregard this notice.

Should you have any question or concerns, please contact ASUS via our Security Advisory reporting system:
https://www.asus.com/securityadvisory

For further help with router setup and an introduction to network security, please visit
https://www.asus.com/support/FAQ/1008000
https://www.asus.com/support/FAQ/1039292

Thanks for the info. The list of routers is unchanged. The only difference between this advisory and the previous one is;

a) Wording has been clarified from "firmware under 3.0.0.4.386.xxxx" to "firmware = 3.0.0.4.384.xxxx or earlier version"

b) RT-AC3200 has changed from "firmware under 3.0.0.4.386.xxxx" to "We advise users to reset the router and disable remote connection. New firmware will be released soon." No doubt because the most recent firmware available for that model is 382.52545.

So the RT-AC3200 advice is all that's really changed.

 

[BikeHelmet]

Oh no...
Sandboxed is not enough. Some malwares can neutralize sandbox. Do not too much trust sandbox. A firewall software for your system is far better than chrome extension. Extensions are just toys. That extension is only for browsers.

What would you use on Windows? Linux has an abundance of quality security software, but Windows seems pretty lacking. I am in IT and always have to fix it when the antivirus or firewall breaks everything. Most of the virus infested PCs that I see run lots of security software, while most of the clean ones just run adblockers and script blockers and whatnot. I am just curious what you would use/recommend. What I see in real life indicates that some security software is glitchy, and some must have a target on its back.

Thinking back to 2021, I saw:
Bitdefender - took down a lawyer's office with broadcast traffic.
Bitdefender - DDOS'd a router's DNS server.
Bitdefender - broke logging into online banking.
Bitdefender - broke SSL websites.
ZoneAlarm - let stuff through - computer infected.
ZoneAlarm - let stuff through - computer infected.
Windows Defender - didn't protect from local <---> remote IP attack.
Norton - Redirected to two pages of bad search results, to really convince the user that it was doing a good job protecting them against garbage - and then failed to protect against that garbage.
Eset - Broke a network interface fully, no working removal tool available for Eset, windows reinstall required. (Their removal tool requires going into safemode, but this particular glitch took down safemode as soon as Eset tried to load. Normal windows was fine, but the removal tool will not run in normal windows. Go figure.)
Eset - Bad SSL update, required obscure toggle off/on for email and website protection to be re-enabled.
Avast - Constant popups/ads for Avast products. People purchasing concurrent identical products due to repeat advertising, etc.

Honestly, the clean computers that I see just run normal stuff like Windows Defender with Adblocking+Script Blocking. Typically on a non-Microsoft web browser.

Lol @ Norton - giving people terrible links so that it can then protect them and convince them it's doing a good job. This is where router-level protection really shines.

 

[itpp20]

Forget about those useless tools, start here: https://sandboxie-plus.com/

 

[follower]

What would you use on Windows? Linux has an abundance of quality security software, but Windows seems pretty lacking. I am in IT and always have to fix it when the antivirus or firewall breaks everything. Most of the virus infested PCs that I see run lots of security software, while most of the clean ones just run adblockers and script blockers and whatnot. I am just curious what you would use/recommend. What I see in real life indicates that some security software is glitchy, and some must have a target on its back.

Thinking back to 2021, I saw:
Bitdefender - took down a lawyer's office with broadcast traffic.
Bitdefender - DDOS'd a router's DNS server.
Bitdefender - broke logging into online banking.
Bitdefender - broke SSL websites.
ZoneAlarm - let stuff through - computer infected.
ZoneAlarm - let stuff through - computer infected.
Windows Defender - didn't protect from local <---> remote IP attack.
Norton - Redirected to two pages of bad search results, to really convince the user that it was doing a good job protecting them against garbage - and then failed to project against that garbage.
Eset - Broke a network interface fully, no removal tool available for Eset, windows reinstall required.
Eset - Bad SSL update, required obscure toggle off/on for email and website protection to be re-enabled.
Avast - Constant popups/ads for Avast products. People purchasing concurrent identical products due to repeat advertising, etc.

Honestly, the clean computers that I see just run normal stuff like Windows Defender with Adblocking+Script Blocking. Typically on a non-Microsoft web browser.

Lol @ Norton - giving people terrible links so that it can then protect them and convince them it's doing a good job. This is where router-level protection really shines.

View attachment 40373

I'm sorry to hear that. Those issues are user issue. For example, you should disable SSL scan something. It works only under certain environment and is not recommended. Nobody's using ZoneAlarm anymore. I never recommend Software Firewalls to normal users like I never recommend Unmanaged Switches and Dedicated Hardware Firewalls. Sometimes it hurts users than Malware. AV is just enough for them.

And

[KB2289] Manually uninstall your ESET product using the ESET uninstaller tool

support.eset.com

Download ESET AV Remover

This tool will help you to remove almost any antivirus software previously installed on your system.

www.eset.com

 

[thiggins]

Folks, let's stay on topic please.