News Trend Micro: Cyclops Blink Sets Sights on Asus Routers

[BikeHelmet]

RT-AC66U is MIPS.

It's ARM too. Most people get confused about the AC66U Revision B1 and AC66U_B1

The first is MIPS BCM4706, while the second is ARM BCM4708. Asus's stickers were extremely confusing. I owned both routers at one point.

 

[bennor]

Do yall think they will update the firmware for EOL products to curb malware or botnets?

Likely no one knows for certain until Asus officially indicates if they'll update the three listed EOL models (RT-AC87U, RT-AC66U, RT-AC56U). Probably best to keep an eye on, or out for, announcements directly from Asus:

https://www.asus.com/content/ASUS-Product-Security-Advisory/

Buried at the bottom of a techspot.com article posted yesterday, touches on those three EOL models:

Cyclops Blink botnet is attacking and actively exploiting Asus routers

The three models designated as EOL (end of life) are no longer supported and won't receive any firmware security updates. Asus recommends buying a new one.

If Asus doesn't update EOL products affected by this vulnerability/botnet then customers with those devices will have to find other ways to protect those devices or take them offline completely and buy new hardware. Some will stop buying Asus products altogether. As recent security vulnerabilities in other products have shown, some manufacturers (for example Western Digital and certain My Cloud models) simply stop supporting EOL or near EOL products and tell users to; remove them (or block them) from the internet or replace the affected product with a newer (supported) one. End of all firmware support/updates has always been fact of life with certain old/EOL products and certain manufacturers.

 

[Tech9]

It's ARM too. Most people get confused about the AC66U Revision B1 and AC66U_B1

Not me. RT-AC66U B1 (the ARM based RT-AC68U variant) is not EOL.

RT-AC66U B1｜WiFi Routers｜ASUS Global

ASUS has a range of wireless routers suitable for every purpose. Whether it's for your home, for business trips, or for any other need or environment, there's an ASUS router for you.

www.asus.com

ASUS WiFi Routers｜WiFi Routers｜ASUS Canada

ASUS has a range of wireless routers suitable for every purpose. Whether it's for your home, for business trips, or for any other need or environment, there's an ASUS router for you.

www.asus.com

 

[Neurogenesis]

This looks like all of the RT-AC routers, but what about the repeaters, is the RP-AC68U affected?

 

[jarek319]

quick question: I have Asus Merlin 386.5 installed, remote access disabled, and my admin password is non-default and pretty secure. Am I good or should I remove merlin and use the official Asus firmware until merlin is fixed?

 

[RMerlin]

hould I remove merlin and use the official Asus firmware until merlin is fixed?

At this time there is no indication that my firmware would be less secure. In fact it's possibly the opposite, since for instance I use a newer version of OpenVPN (among other things).

 

[AntonK]

Another take: Update your Asus router’s firmware right now or risk botnet infection

 

[ColinTaylor]

Another take: Update your Asus router’s firmware right now or risk botnet infection

Typical low quality reporting (regurgitating) you'd expect from PCWorld.

 

[dave14305]

It’s interesting that RMerlin just committed some lighttpd backports from Asus. May or may not be related to this issue. But if it is, it seems to point to weaknesses in AiDisk, AiCloud, etc.

I still don’t trust any security advisory with “xxxx” in the version list.

 

[RMerlin]

It’s interesting that RMerlin just committed some lighttpd backports from Asus. May or may not be related to this issue. But if it is, it seems to point to weaknesses in AiDisk, AiCloud, etc.

I still don’t trust any security advisory with “xxxx” in the version list.

These commits are not directly related. I had received a patch for it a few weeks ago, but needed to obtain the compiled versions since most of the patches were in the prebuilt objects. Since we don`t know which attack vector is used to infect devices, I want to get as many security patches in as I can at the moment. I plan to issue a 386.5_2 which will also include the recent OpenSSL security fixes (these are only a DoS vulnerability, they cannot be used to compromise a device).

I'd be surprised if this would be a main attack vector, since there are probably very few users enabling AiCloud, compared to people opening their webui access to the WAN for use with the management app.

 

[anotherengineer]

The operative word is under ..... in other words, anything OLDER than 3.0.0.4.386.xxxx


firmware under 3.0.0.4.386.xxxx

^^^^^

Vulnerable ASUS devices​

In an advisory released today, ASUS warns that the following router models and firmware versions are vulnerable to Cyclops Blink attacks:

• GT-AC5300 firmware under 3.0.0.4.386.xxxx
• GT-AC2900 firmware under 3.0.0.4.386.xxxx
• RT-AC5300 firmware under 3.0.0.4.386.xxxx
• RT-AC88U firmware under 3.0.0.4.386.xxxx
• RT-AC3100 firmware under 3.0.0.4.386.xxxx
• RT-AC86U firmware under 3.0.0.4.386.xxxx
• RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
• RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
• RT-AC3200 firmware under 3.0.0.4.386.xxxx
• RT-AC2900 firmware under 3.0.0.4.386.xxxx
• RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
• RT-AC87U (EOL)
• RT-AC66U (EOL)
• RT-AC56U (EOL)

so the N66U is fine then??

 

[explorer200]

I'd be surprised if this would be a main attack vector, since there are probably very few users enabling AiCloud, compared to people opening their webui access to the WAN for use with the management app.

This

I have been using Open VPN to connect to my remote routers because of the possibility of an exploit here

 

[Piotrek]

I plan to issue a 386.5_2 which will also include the recent OpenSSL security fixes (these are only a DoS vulnerability, they cannot be used to compromise a device).

Hi @RMerlin , Note that OpenVPN 2.5.6 is released.

This is mostly a bugfix release including one security fix ("Disallow multiple deferred authentication plug-ins.", CVE: 2022-0547).

 

[willyburz]

So does anyone know why the list is only AC routers on the there and not AX routers? What's the differentiating factor here that makes them riskier?

 

[Ironic77]

Likely no one knows for certain until Asus officially indicates if they'll update the three listed EOL models (RT-AC87U, RT-AC66U, RT-AC56U). Probably best to keep an eye on, or out for, announcements directly from Asus:

https://www.asus.com/content/ASUS-Product-Security-Advisory/

Buried at the bottom of a techspot.com article posted yesterday, touches on those three EOL models:

Cyclops Blink botnet is attacking and actively exploiting Asus routers


If Asus doesn't update EOL products affected by this vulnerability/botnet then customers with those devices will have to find other ways to protect those devices or take them offline completely and buy new hardware. Some will stop buying Asus products altogether. As recent security vulnerabilities in other products have shown, some manufacturers (for example Western Digital and certain My Cloud models) simply stop supporting EOL or near EOL products and tell users to; remove them (or block them) from the internet or replace the affected product with a newer (supported) one. End of all firmware support/updates has always been fact of life with certain old/EOL products and certain manufacturers.

While I know literally nothing about this beyond what has been made public, some "common sense" observations for those falling trap to the "over sensationalization" that seems to be running amok:

1. At least given what has been made public by Trend & Asus, it seems very likely that anyone who has updated their router just once in the past 12 months should be fine as >=386 has been out for that amount of time. For those of us on top of our updates, there have been as many as 8 to 10 updates since then. Even if you had your reasons to wait a few months after an update ships, you should be fine. Of course, we know that the issue is more folks who don't ever update.
2. For routers that are unsupported (and have been for the past year), it seems perhaps like maybe you're past due for a router refresh. I get that there are a couple of exceptions, but for the most part, Asus does a MUCH better job than anyone else in the consumer router space. My last Linksys got - count it - ONE update in its entire lifetime. Worse, I kept waiting for updates that never came, because they didn't communicate the lifecycle. I've had my Asus router long enough to go through the warranty span many times over, open it up and replace the thermal paste, but I still get regular updates. If you're running a 10+ year old router, it might be time. It isn't like you can't get one that's much faster for less than you paid for that one 10+ years ago. And keep the old one to run as an extender or AP or spare if something happens. Some may even run open source if you venture down that path. Or, for ~$300 you can get a "router" (x64 PC) that likely never goes completely obsolete, provided you're willing to tinker and do what it takes to keep it running (not for the faint of heart).
3. Again, whilst we don't seem to know much about the specific vulnerability, it does seem clear that following best practices including, but not limited to, NOT opening your router up to remote administration is perhaps a factor. The only times I've ever suspected compromise were due to this.
4. Once a year or more, audit your router - check for features you enabled that you don't use. Check for abnormal activity like open ports or remote administration that you didn't enable. If you're compromised, hard reset fixes most issues, but if you're still unsure afterwards, just don't take the chance. The cost of a new router isn't worth the risk - and I'm all about not spending money. A compromised router puts your entire network and everything connected to it at risk.
5. If your router is behind another device with firewall/NAT (not that uncommon for ISPs who provide modem/router combos), or if it's running in any other mode besides router, you're probably ok, provided the main router itself isn't compromised. I certainly wouldn't chance it - always update everything - but running a WiFi AP that's a year behind on updates is maybe less risky than running a router sitting on the Internet.
6. I would bet that an inventory of all consumer routers out there, there are many, many more that are compromised in some way - but there's no one like Asus or Trend looking out for them - because sadly, many companies don't care after the sale is done.
7. Professional routers, even prosumer routers can be expensive and hard to maintain. This isn't necessarily the right answer for everyone either. I could have replaced my Asus router many times over for the price.

In the words of Douglas Adams: "Don't Panic".

 

[jarek319]

At this time there is no indication that my firmware would be less secure. In fact it's possibly the opposite, since for instance I use a newer version of OpenVPN (among other things).

even Asus's website doesn't sound like it promises the vuln will be patched just by updating to their stock firmware

ps | grep ktest | grep -v grep

returns nothing so I'm good?

 

[PRSXFENG]

Well I use an RT-AX53U and it concerns me

I sent an email to security@asus (listed on the advisory page)

Asking if AX routers are affected, and my RT-AX53U is still on the old 3.0.0.4.382.x codebase

I got the following as a response

Dear Sender,



Thanks for contacting ASUS.

Yes, we strongly recommend you update your router to the latest firmware and have a factory reset after firmware upgrade.

If your RT-AX53U router is on firmware 386.xxxxx then it will not affect by this malware.

For how to do firmware upgrade: [Wireless] How to update the firmware of your router to the latest version ? (ASUSWRT) | Official Support | ASUS Global

For how to reset router : [Wireless Router] How to reset the router to factory default setting? | Official Support | ASUS Global

For more router security advise: [Wireless] How to make my router more secure? | Official Support | ASUS Global



Thank you.





Best regards,

ASUS Security | ©ASUSTeK Computer Inc.


So does this mean AX routers are also affected? My RT-AX53U hasnt seen an update since Jan which is still on the old .382
For now I disabled port forwarding, ddns, upnp and other stuff like download master in an attempt to close any holes

 

[Tech9]

So does this mean AX routers are also affected?

It means you've got standard copy & paste reply without much thinking or checking facts.

 

[follower]

Don't worry guys. AiProtection can protect you.

 

[RMerlin]

Hi @RMerlin , Note that OpenVPN 2.5.6 is released.

I know, already merged:

Mar 21 22:02:26 ovpn-client2[1978]: OpenVPN 2.5.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 21 2022

However it's mostly just a minor bugfix release. The only security issue it resolves doesn't affect Asuswrt.