Cyclops Blink is actively attacking and exploiting Asus routers

A modular Russian botnet called Cyclops Blink is hijacking Asus routers around the world, supposedly in an attempt to build an army of compromised routers for use in cyber warfare. The hackers want to use vulnerable devices as command and control (C&C or C2) servers.

Cyclops Blink is a Kremlin-linked malware that has been around since 2019. It is linked to the elite hacking group Sandworm. According to the UK's National Cyber Security Centre (NCSC), it initially targeted WatchGuard Firebox devices.

Sandworm has been linked to other well-known cyberattacks, such as the NotPetya ransomware, which has caused billions of dollars' worth of damage worldwide since June 2017, and the BlackEnergy malware, which is behind Ukraine's blackouts of 2015-16.

What the experts say about it

Researchers from Trend Micro point out that Cyclops Blink casts a wide net in terms of the devices it infects, without specifically targeting high-value government or diplomatic entities. Hackers compromised some of the infected computers more than two and a half years ago.

Cyclops Blink attempts to establish persistence for the threat actors on the device, creating a remote access point to compromised networks. Thanks to its modular design, it can be easily upgraded to attack new devices. It has recently gained a new module that allows it to attack Asus routers.

Trend Micro notes that the targets do not appear to be of particular value for cyber warfare. But hey, that may just be appearances. In addition, the researchers believe that there is another vendor with compromised firmware, but unfortunately, they are not yet able to identify the vendor.

These are the affected models and the solution offered by the manufacturer

The company has provided the affected Asus model numbers and firmware details, which are as follows:

GT-AC5300
GT-AC2900
RT-AC5300
RT-AC88U
RT-AC3100
RT-AC86U
RT-AC68U
AC68R
AC68W
AC68P
RT-AC66U_B1
RT-AC3200
RT-AC2900
RT-AC1900P
RT-AC87U (EOL)
RT-AC66U (EOL)
RT-AC56U (EOL)

Asus has not released any new firmware updates, but has posted the following mitigation instructions:

  • Reset the device to factory defaults: Log in to the web GUI, go to Administration → Restore/Save/Load Settings, click “Initialize all settings and clear all data log”, then click the Restore button.
  • Update to the latest firmware available.
  • Make sure the default administrator password has been changed to a more secure one.
  • Disable remote management (disabled by default, can only be enabled through advanced settings).

The three models designated as EOL (end of life) are no longer supported and will not receive any firmware security updates. In these cases, Asus recommends buying a new one. The security advisory related to WatchGuard network devices can be found at the following link.

If Asus releases an official statement, we will be sure to let you know. For now, if you have one of the aforementioned devices, we recommend that you follow the instructions provided by the manufacturer as soon as possible.

What do you think of Cyclops Blink? Do you have an Asus router?

Source: NCSC

