What's new

News Trend Micro: Cyclops Blink Sets Sights on Asus Routers

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

ASUS Product Security Advisory:

03/17/2022 Security Advisory for Cyclops Blink
ASUS is investigating and working for a remediation for Cyclops Blink and will continue to post software update.

To help owners of these routers take necessary precautions, we compiled a security checklist:
(1) Reset the device to factory default: Login into the web GUI(http://router.asus.com) , go to Administration → Restore/Save/Upload Setting, click the “Initialize all the setting and clear all the data log”, and then click Restore button”
(2) Update all devices to the latest firmware.
(3) Ensure default admin password had been changed to a more secure one.
(4) Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).

Affected products

GT-AC5300 firmware under 3.0.0.4.386.xxxx
GT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC5300 firmware under 3.0.0.4.386.xxxx
RT-AC88U firmware under 3.0.0.4.386.xxxx
RT-AC3100 firmware under 3.0.0.4.386.xxxx
RT-AC86U firmware under 3.0.0.4.386.xxxx
RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
RT-AC3200 firmware under 3.0.0.4.386.xxxx
RT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
RT-AC87U (EOL)
RT-AC66U (EOL)
RT-AC56U (EOL)

Please note that if you choose not to install this new firmware version then, to avoid any potential unwanted intrusion, we strongly recommend that you disable remote access from WAN and reset your router to its default settings.

If you have already installed the latest firmware version, please disregard this notice.

Should you have any question or concerns, please contact ASUS via our Security Advisory reporting system:
https://www.asus.com/securityadvisory

For further help with router setup and an introduction to network security, please visit
https://www.asus.com/support/FAQ/1008000
https://www.asus.com/support/FAQ/1039292
 
I'm wondering about that because it says affected version are below .386.xxxx, so anything with .386.wxyz should be fixed.
I’m assuming the worst that everything is vulnerable until the next Asus firmware release. But there isn’t any public information about the attack vector, AFAIK. Just broad recommendations to reset to defaults, flash latest firmware, and disable remote WAN access.

Asus’ own advisory states:
ASUS is investigating and working for a remediation for Cyclops Blink and will continue to post software update.
 
Last edited:
flash latest firmware,
I would like to emphasize that. As the Trend Micro white paper mentioned, this malware does write directly to the flash. So, victims should REFLASH their current firmware even if there is no newer firmware available.
 
Moved to the Security forum because this is larger than only Asus routers.
 
I would like to emphasize that. As the Trend Micro white paper mentioned, this malware does write directly to the flash. So, victims should REFLASH their current firmware even if there is no newer firmware available.
Like VPNFilter the question for most people is how do you even figure out you're a victim?
 
Like VPNFilter the question for most people is how do you even figure out you're a victim?
Trend Micro published a python script that can be used to test (however it requires you to have a Linux host to use it). It's in the appendix of their whitepaper, along with a list of known C&C IPs.

They also mention the presence of a process called [ktest].
 
Trend Micro published a python script that can be used to test (however it requires you to have a Linux host to use it). It's in the appendix of their whitepaper, along with a list of known C&C IPs.

They also mention the presence of a process called [ktest].
I think the python script is only meant to determine if a remote IP is a C&C server for the malware, not if the router is infected.
 
I think the python script is only meant to determine if a remote IP is a C&C server for the malware, not if the router is infected.
That would make sense. I had a quick glance at it, and found it a bit confusing.
 
I think the python script is only meant to determine if a remote IP is a C&C server for the malware, not if the router is infected.
Indeed:
To validate a host suspected of being a Cyclops Blink C&C server, we wrote a script that would perform the TLS handshake, send a 4-byte packet, and wait for the 4-byte response from the server. The source code for the script is as follows:
 
I’m assuming the worst that everything is vulnerable until the next Asus firmware release. But there isn’t any public information about the attack vector, AFAIK. Just broad recommendations to reset to defaults, flash latest firmware, and disable remote WAN access.

Asus’ own advisory states:
Always good to assume the worst.

When reading the Asus advisory they state (towards the end) "If you have already installed the latest firmware version, please disregard this notice."

Would be great to get a confirmation of course :)
 
I read the advisory as saying 3.0.0.4.386.xxxx was vulnerable. @RMerlin ... can you clarify?

The operative word is under ..... in other words, anything OLDER than 3.0.0.4.386.xxxx


firmware under 3.0.0.4.386.xxxx

^^^^^

Vulnerable ASUS devices​

In an advisory released today, ASUS warns that the following router models and firmware versions are vulnerable to Cyclops Blink attacks:

  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (EOL)
  • RT-AC66U (EOL)
  • RT-AC56U (EOL)
 
Similar threads
Thread starter Title Forum Replies Date
XIII Trend Micro exploring sale General Network Security 2

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top