What's new

News Trend Micro: Cyclops Blink Sets Sights on Asus Routers

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Firmware flashing malware could be neutered by requiring a button on the physical device is pressed that would enable flashing for 120 seconds or something. If no flash is initiated in that time the router's state returns to read only. Sure, some people might actually get up and press the button to allow malware to flash, but that would be a lot more rare than allowing random flashing without user interaction.
 
Firmware flashing malware could be neutered by requiring a button on the physical device is pressed that would enable flashing for 120 seconds or something. If no flash is initiated in that time the router's state returns to read only. Sure, some people might actually get up and press the button to allow malware to flash, but that would be a lot more rare than allowing random flashing without user interaction.
That wouldn't be possible because the flash memory is a single device that's just partitioned into different sections. The firmware requires write access to "nvram" and "jffs" to work. This particular malware isn't "flashing" a whole new firmware, it's writing a small amount of data directly to the flash memory.
 
Ok. I thought I read that it affected the firmware. It looks like it doesn't actually do anything to the firmware, it's just adding some scripts and adding/changing NVRAM variables.
 
I think the key phrase is "Publicly available". I would be willing to bet Asus is fully aware and already working to address the vulnerability.
 
Ok. I thought I read that it affected the firmware. It looks like it doesn't actually do anything to the firmware, it's just adding some scripts and adding/changing NVRAM variables.
It wasn't clear to me which partitions it was writing to and TM didn't specify what it was writing. But it doesn't matter whether they're writing to the firmware partition or any other partition (e.g. nvram), they're all part of the same flash memory chip.
 
It wasn't clear to me which partitions it was writing to and TM didn't specify what it was writing. But it doesn't matter whether they're writing to the firmware partition or any other partition (e.g. nvram), they're all part of the same flash memory chip.
That doesn't do away with the hardware intervention approach entirely surely?

Would mean a harder implementation (ie big architectural change on next gen of routers) but separating out critical (requiring button press to allow new firmware) and non-critical between two separate chips and adjusting the firmware would still be an option.

I suspect that would be a bit of a nightmare to track everything down that's used to free reign over the chip and lead to stability issues for a while on the new model though. (Poor stability meaning loss of reputation, loss of sales and end of the approach)
 
It wasn't clear to me which partitions it was writing to and TM didn't specify what it was writing. But it doesn't matter whether they're writing to the firmware partition or any other partition (e.g. nvram), they're all part of the same flash memory chip.
They might be on the same chip, but the consequences are very different. Users cannot write to the partition reserved for firmware other than to pass a firmware file that passes the preliminary checks, for one. More importantly users cannot modify or delete files in the partition reserved for firmware. That makes flashing the only possible recovery option. If the malware is written to NVRAM or JFFS the user can just remove it without reflashing.

It's a bit like the difference between a "regular" virus and a boot sector virus on a conventional hard drive.
 
They might be on the same chip, but the consequences are very different. Users cannot write to the partition reserved for firmware other than to pass a firmware file that passes the preliminary checks, for one. More importantly users cannot modify or delete files in the partition reserved for firmware. That makes flashing the only possible recovery option. If the malware is written to NVRAM or JFFS the user can just remove it without reflashing.

It's a bit like the difference between a "regular" virus and a boot sector virus on a conventional hard drive.
Sorry, you've lost me. I thought you were proposing a hardware switch that disabled write access to the flash memory. Now you seem to be talking about something different.
 
Sorry, you've lost me. I thought you were proposing a hardware switch that disabled write access to the flash memory. Now you seem to be talking about something different.
I was talking about a switch that disabled flashing firmware, which as you're describing it is one partition on the same flash chip.
 
Ripped from the Watchguard website:

Based on our own investigation, an investigation conducted jointly with Mandiant, and information provided by the FBI, WatchGuard has concluded the following:
  • Based on current estimates, Cyclops Blink may have affected approximately 1% of active WatchGuard firewall appliances; no other WatchGuard products are affected.
  • Firewall appliances are not at risk if they were never configured to allow unrestricted management access from the internet. Restricted management access is the default setting for all WatchGuard’s physical firewall appliances.
  • There is no evidence of data exfiltration from WatchGuard or its customers.
  • WatchGuard’s own network has not been affected or breached.
WatchGuard's firewall appliances are primarily used by business customers. As such, we have no reason to believe that Cyclops Blink's activities affecting WatchGuard appliances impacted individual consumers.

It may be an assumption on my part, but when Asus mentions not enabling Remote Administration in their Security Advisory and Watchguard also advises against enabling unrestricted management access from the Internet, I think that is the likely vector being exploited.

Watchguard also states that "firewall appliances are not at risk if they were never configured to allow unrestricted management access from the internet".
 
I was talking about a switch that disabled flashing firmware, which as you're describing it is one partition on the same flash chip.
Well anything is possible. But it would have to be an entirely hardware solution. Either by having a separate chip just for the firmware, or allocating a fixed-size block within a single chip. It's not that uncommon for embedded devices to require you to open the case and temporarily move a jumper into the "flash" position. Somehow I doubt Asus is going to go down that route, but you never know.
 
Well anything is possible. But it would have to be an entirely hardware solution. Either by having a separate chip just for the firmware, or allocating a fixed-size block within a single chip. It's not that uncommon for embedded devices to require you to open the case and temporarily move a jumper into the "flash" position. Somehow I doubt Asus is going to go down that route, but you never know.
Brings back memories of having to move or install a "jumper" pin in order to reflash a a device. Or even further back, when an update required an eeprom burner and blank chip :)
 
...
It may be an assumption on my part, but when Asus mentions not enabling Remote Administration in their Security Advisory and Watchguard also advises against enabling unrestricted management access from the Internet, I think that is the likely vector being exploited.

Watchguard also states that "firewall appliances are not at risk if they were never configured to allow unrestricted management access from the internet".
I have SSH and web access restricted to the LAN. The only thing I have enabled to the outside world is my OpenVPN server, with certificates for authentication (no username/password).

Does this setup qualify for "restricted management access"?

Should I check something else?
 
I have SSH and web access restricted to the LAN. The only thing I have enabled to the outside world is my OpenVPN server, with certificates for authentication (no username/password).

Does this setup qualify for "restricted management access"?

Should I check something else?

Perfect.
 
Do you have reason to believe your router might be compromised? If yes, then reflashing the firmware is advised on top of doing a factory default reset, without restoring from a settings backup unless you are positive this backup was made while your router was clean, and not from a too old firmware version.

Note that if you never exposed any of the router services to the Internet, then the chances of your router being compromised are very low (could still have happened through a cross site vulnerability, for instance).

At the moment, the only publicly available information is what was published in the Trend Micro write up and Asus's security bulletin. Also note that Trend Micro analyzed one specific variant. Their write up hints at the possibility of other variants existing (potentially targeting other devices than Watchguard Firebox or Asus. routers).


The malware does not reflash the whole firmware in this case. They directly write into the MTD flash device.
Thanks @RMerlin : Although I did not suspect any compromises, just to be sure I re-flashed 386.5, did a nuclear reset, manually reentered all my settings and did a couple reboots with a power cycle. Took a couple hours but I feel safer in doing so.
 
This issue seems to mention only AC routers. I had flashed my AC router (used as a wired AP) on Mar-13-2022 which is connected to my main router AX86U. Both devices were flashed to Merlin latest versions on Mar-13. Also, my router or AP were never exposed / managed outside my home. Should I be worried or need to re-flash either AC access point or AX router or both?
 
Last edited:
Good evening everyone! Just joined the forum today and I spent quite a while researching the malware since it explicitly called out my router in the affected lists on numerous articles and notices from all over google. After reading through all of the comments on here, I am thinking my current RT-AC87R is OK for now. However, I went ahead and ordered a new RT-AX86U from Best Buy yesterday, which should be here soon. I am happy that I got about 7 years of good use out of it - bought it back in 2015. I am only irritated that I overlooked the fact that Lifetime TrendMicro did not equate to lifetime firmware updates too.

I'm running the stock - 3.0.0.4.382_52545 firmware with Web access, SSH, Telnet, ICMP Ping Response WAN disabled. Only have a handful of ports forwarded for a game server I host to WAN. I also utilize OpenVPN server for accessing my home network.

Do yall think they will update the firmware for EOL products to curb malware or botnets? Is it worth still using my router even though its EOL? The AiMesh was one feature i had thought about using the old router for. I don't like getting rid of tech that still works great and can be repurposed. I have looked at DD-WRT but need to do more research for features and what not that would be lost/gained.
 
Since no one knows the attack vector with certainty, rather than say, "Perfect", I would say that this is as good as can be done.
Right, after going through this thread. This is the punchline. The answer is, no one really can say for 100% yet. You can nuke and reflash but the exploit is still there. (Maybe)
 
Similar threads
Thread starter Title Forum Replies Date
XIII Trend Micro exploring sale General Network Security 2

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top