News Trend Micro: Cyclops Blink Sets Sights on Asus Routers

Jbennett360 · Mar 26, 2022

New update out for the AC86U.

25/03/22 - 3.0.0.4.386.48260

Release - ASUS RT-AC86U Firmware version 3.0.0.4.386.48260

Version 3.0.0.4.386.48260 2022/03/25 62.81 MBytes ASUS RT-AC86U Firmware version 3.0.0.4.386.48260 1. Fixed OpenSSL CVE-2022-0778 2. Added more security measures to block malware. 3. Fixed Stored XSS vulnerability. Thanks to Milan Kyselica of IstroSec. 4. Fixed CVE-2022-23970, CVE-2022-23971...

www.snbforums.com

cptnoblivious · Mar 26, 2022

ColinTaylor said:
Thanks for the info. The list of routers is unchanged. The only difference between this advisory and the previous one is;

a) Wording has been clarified from "firmware under 3.0.0.4.386.xxxx" to "firmware = 3.0.0.4.384.xxxx or earlier version"

b) RT-AC3200 has changed from "firmware under 3.0.0.4.386.xxxx" to "We advise users to reset the router and disable remote connection. New firmware will be released soon." No doubt because the most recent firmware available for that model is 382.52545.

So the RT-AC3200 advice is all that's really changed.

I'm glad they cleared up the wording on the affected versions

Ai_ · Mar 26, 2022

faria said:
I have made a list of the ips to add to Skynet, I'm guessing if Skynet starts blocking such outbound ips then its safe to assume that the router is compromised , but as you said this most likelly keeps changing/adding new ips.
https://github.com/fariajose/skynet/blob/main/Cyclops-Blink-CC-servers.txt

Code:

firewall banmalware https://raw.githubusercontent.com/fariajose/skynet/main/Cyclops-Blink-CC-servers.txt

or

Code:

firewall import blacklist https://raw.githubusercontent.com/fariajose/skynet/main/Cyclops-Blink-CC-servers.txt "Cyclops"

https://raw.githubusercontent.com/fariajose/skynet/main/Cyclops-Blink-CC-servers.txt

Thanks, I have added this list to (my installation of) Adguard Home.

Tech9 · Mar 27, 2022

Ai_ said:
Thanks, I have added this list to (my installation of) Adguard Home.

AdGuard Home is a DNS based blocker. This is an IP address blocklist. Are you sure it's working with AdGuard Home?

Ai_ · Mar 27, 2022

@Tech9 it let me import it a list indeed I need to add it to the firewall don't i

Tech9 · Mar 27, 2022

You need to use it with Skynet (IP-blocker), not with AdGuard (DNS-blocker).

develox · Mar 28, 2022

ColinTaylor said:
As this list of IP addresses comes from the Trend Micro document I think it's safe to assume that enabling AiProtection would have the same effect (and potentially be more up to date). I also suspect that Asus have employed "other protections" in the firmware that are active even without AiProtection being enabled.

Hey Colin,

this makes me think: is there a way to check the current lists used by AiProtection ?

ColinTaylor · Mar 28, 2022

develox said:
this makes me think: is there a way to check the current lists used by AiProtection ?

I'd guess probably not, but then I don't use AiProtection so can't check that.

develox · Mar 28, 2022

ColinTaylor said:
I'd guess probably not, but then I don't use AiProtection so can't check that.

I se, thanks anyway. Sorry for the OT, my thinking about it is that I don't rely on it too much (or slightly a bit less if possible). But then I also wonder if it does any harm. Perhaps on performance ? (Though this month I upgraded to an AX88U just to overcome any performance limit, as much as I can at least).
Anyway, for a good measure, I've imported @faria's list into Skynet (thanks faria!)and tested it working as expected with a simple ping. It won't be enough, but it shouldn't harm either.

bennor · Apr 2, 2022

Another Asus Cyclops update on their security advisory page:

04/01/2022 Security Advisory update for Cyclops Blink ∇
ASUS has released new firmware that included more security measures to block malware.
ASUS strongly recommends that users update the firmware to the latest version.
To check the latest version, please visit the relevant ASUS support website. Download links are in the below table.

Model name	Firmware download path
GT-AC5300	https://www.asus.com/supportonly/GT-AC5300/HelpDesk_BIOS/
GT-AC2900	https://rog.asus.com/networking/rog-rapture-gt-ac2900-model/helpdesk_bios
RT-AC5300	https://www.asus.com/supportonly/RT-AC5300/HelpDesk_BIOS/
RT-AC88U	https://www.asus.com/supportonly/RT-AC88U/HelpDesk_BIOS/
RT-AC3100	https://www.asus.com/supportonly/RT-AC3100/HelpDesk_BIOS/
RT-AC86U	https://www.asus.com/supportonly/RT-AC86U/HelpDesk_BIOS/
RT-AC68U	https://www.asus.com/supportonly/RT-AC68U/HelpDesk_BIOS/
RT-AC68R	https://www.asus.com/supportonly/RT-AC68R/HelpDesk_BIOS/
RT-AC68W	https://www.asus.com/supportonly/RT-AC68W/HelpDesk_BIOS/
RT-AC68P	https://www.asus.com/supportonly/RT-AC68P/HelpDesk_BIOS/
RT-AC66U_B1	https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-WiFi-Routers/RT-AC66U-B1/
RT-AC3200	https://www.asus.com/supportonly/RT-AC3200/HelpDesk_BIOS/
RT-AC2900	https://www.asus.com/supportonly/RT-AC2900/HelpDesk_BIOS/
RT-AC1900P	https://www.asus.com/supportonly/RT-AC1900P/HelpDesk_BIOS/
RT-AC1900	https://www.asus.com/supportonly/RT-AC1900/HelpDesk_BIOS/

If you have already installed the latest firmware version, please disregard this notice.
Should you have any question or concerns, please contact ASUS via our Security Advisory reporting system: https://www.asus.com/securityadvisory/
For further help with router setup and an introduction to network security, please visit
https://www.asus.com/support/FAQ/1008000
https://www.asus.com/support/FAQ/1039292

coxhaus · Apr 6, 2022

Sounds like there have been multiple people in ASUS routers. Sounds like the FBI has patched a lot of ASUS routers.

U.S. FBI says it foiled a cyberattack by Russian hackers (msn.com)

coxhaus · Apr 6, 2022

This is the FBI patching the malware remotely on ASUS routers. So, I guess if you have not upgraded your ASUS router then the FBI patched it for you if you had the malware. I am not sure how it works but the article seems to imply they did it.

ColinTaylor · Apr 6, 2022

coxhaus said:
This is the FBI patching the malware remotely on ASUS routers. So, I guess if you have not upgraded your ASUS router then the FBI patched it for you if you had the malware. I am not sure how it works but the article seems to imply they did it.

There's some better reporting here and here. Looks like they neutralised the network by taking down the C&C servers, but didn't touch the infected bot devices:

The operation did not, however, access the remote-control Cyclops Blink malware on thousands of individual devices worldwide.

Reading between the lines it seems like most the the C&C servers were WatchGuard devices.

Justinh · Apr 6, 2022

coxhaus said:
This is the FBI patching the malware remotely on ASUS routers.

I don't get the idea that that FBI was patching our routers. However, the WatchGuard coordinated with the FBI to let them access their devices. None of the articles are very clear.

James8888 · Apr 7, 2022

Dear Sir,
Would you please give us a Asus rt-ac3200 cyclops blink fixed version (merlin firmware)?

I have 3 Asus rt-ac3200 routers with my brother and sister.

Thank you very much.

Best Regards, James.

AndreiV · Apr 7, 2022

Merlin no longer supports that model. You need to go back to ASUS official firmware which was updated for this issue.

It should be noted that not using the latest firmware will leave you vulnerable to any other exploits that are around. You need to change back to ASUS firmware or buy new routers.

bennor · Apr 7, 2022

More news on Cyclops Blink:

Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU)

The Justice Department today announced a court-authorized operation, conducted in March 2022, to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm, which the U.S. government has previously attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU). The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as “bots,” the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control.

Feds take down Kremlin-backed Cyclops Blink botnet

National Cyber Security Centre: Cyclops Blink Malware Analysis Report (23 Feb 2022)

Deepcuts · Apr 7, 2022

Fun times for those using their products

WatchGuard failed to explicitly disclose critical flaw exploited by Russian hackers

Silently fixed authentication bypass remained a secret even after it was under attack.

arstechnica.com

coxhaus · Apr 7, 2022

Justinh said:
I don't get the idea that that FBI was patching our routers. However, the WatchGuard coordinated with the FBI to let them access their devices. None of the articles are very clear.

What about the ASUS routers that there are no more new updates for? How were they patched?

ColinTaylor · Apr 7, 2022

coxhaus said:
What about the ASUS routers that there are no more new updates for? How were they patched?

As explained above the Asus routers weren't patched, it was the C&C servers that were disabled.

News Trend Micro: Cyclops Blink Sets Sights on Asus Routers

Senior Member

Senior Member

Occasional Visitor

Part of the Furniture

Occasional Visitor

Part of the Furniture

Regular Contributor

Part of the Furniture

Regular Contributor

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Senior Member

New Around Here

Very Senior Member

Part of the Furniture

Regular Contributor

Part of the Furniture

Part of the Furniture

Similar threads

Similar threads

Support SNBForums w/ Amazon

Sign Up For SNBForums Daily Digest