Monday, March 21st 2022
Several Older Asus Routers at Risk of Being Infected by Cyclops Blink Worm
If you own an Asus 802.11ac/WiFi 5 router, you might want to make sure your firmware is up to date, as several models are at risk of being infected by a Russian botnet malware. The group behind the worm, which goes under the name Cyclops Blink, is Sandworm APT, the same group that created the VPNFilter botnet a few years ago. Cyclops Blink was detected by Trend Micro, and although it doesn't seem to cause any direct harm to the network behind the router it infects at this point in time, it is persistent malware and is believed to be the first of its kind. Unlike most malware that attacks routers, the Cyclops Blink worm can save itself to the router's flash memory, so even a factory reset won't wipe it off.
That said, a firmware flash will remove it, and in a security bulletin Asus advises all of its customers to install the latest firmware. On top of this, Asus also recommends turning off remote management if it is enabled, changing the admin login credentials, and using a complex password. However, the company doesn't have an update that is guaranteed to prevent the malware from infecting its products, since at this point in time it is unclear how the Cyclops Blink worm infects routers. Before the Asus routers listed below were attacked, the malware was mainly going after WatchGuard Firebox devices, which are generally only used by businesses. Based on the information provided by Trend Micro, Asus is unlikely to be the only brand of routers targeted by the malware, so even if you don't own an Asus router, it would be a good idea to make sure your firmware is up to date. Another option would be to install a third-party firmware, although the Merlin firmwares for Asus are also likely to be affected, based on comments by the author of the firmware over on the Small Net Builder forums.
ASUS is investigating and working on a remediation for Cyclops Blink and will continue to post software updates.
To help owners of these routers take necessary precautions, we compiled a security checklist:
(1) Reset the device to factory default: log in to the web GUI (http://router.asus.com), go to Administration → Restore/Save/Upload Setting, click "Initialize all the setting and clear all the data log", and then click the Restore button.
(2) Update all devices to the latest firmware.
(3) Ensure the default admin password has been changed to a more secure one.
(4) Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).
Sources:
Asus, Trend Micro, via Small Net Builder
Affected products
- GT-AC5300 firmware under 3.0.0.4.386.xxxx
- GT-AC2900 firmware under 3.0.0.4.386.xxxx
- RT-AC5300 firmware under 3.0.0.4.386.xxxx
- RT-AC88U firmware under 3.0.0.4.386.xxxx
- RT-AC3100 firmware under 3.0.0.4.386.xxxx
- RT-AC86U firmware under 3.0.0.4.386.xxxx
- RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
- RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
- RT-AC3200 firmware under 3.0.0.4.386.xxxx
- RT-AC2900 firmware under 3.0.0.4.386.xxxx
- RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
- RT-AC87U (EOL)
- RT-AC66U (EOL)
- RT-AC56U (EOL)
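As an added example that is not code from the article, Asus or Trend Micro, here is a small Python triage helper that encodes the advisory's affected-model and EOL lists and sorts an inventory of (model, firmware) pairs into what needs reflashing first; the version-string grammar it accepts is assumed from the forms quoted on this page, and the sample inventory and its build numbers are constructed.

```python
import re

# Models copied from the ASUS advisory quoted above; all are "affected under 3.0.0.4.386".
FIXED_BRANCH = (3, 0, 0, 4, 386)
AFFECTED_MODELS = {
    "GT-AC5300", "GT-AC2900", "RT-AC5300", "RT-AC88U", "RT-AC3100", "RT-AC86U",
    "RT-AC68U", "RT-AC68R", "RT-AC68W", "RT-AC68P",  # advisory writes these as AC68R/W/P
    "RT-AC66U_B1", "RT-AC3200", "RT-AC2900", "RT-AC1900P",
}
EOL_MODELS = {"RT-AC87U", "RT-AC66U", "RT-AC56U"}  # EOL: no fixed firmware expected

# Version grammar assumed from strings seen on this page, e.g. "3.0.0.4.386_41994" or
# "9.0.0.4.386_41994-g769f84f" (git suffix on Merlin builds).
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)(?:_(\d+))?(?:-g[0-9a-f]+)?$")

def parse_version(version: str) -> tuple:
    """'3.0.0.4.386_41994-g769f84f' -> (3, 0, 0, 4, 386, 41994); build defaults to 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ASUS firmware version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (int(m.group(2) or 0),)

def assess(model: str, version: str) -> str:
    """Return 'eol', 'affected', 'patched' or 'not-listed' for one router.
    'patched' only says the branch is at or above the fixed one: the article notes a
    factory reset does not clean an infected unit, so a device that ever ran an affected
    build should still be reflashed and have its admin credentials rotated."""
    model = model.strip().upper()
    if model in EOL_MODELS:
        return "eol"
    if model not in AFFECTED_MODELS:
        return "not-listed"
    return "affected" if parse_version(version)[:5] < FIXED_BRANCH else "patched"

def triage(inventory) -> dict:
    """Group (model, version) pairs by status so affected units get reflashed first."""
    groups = {"affected": [], "eol": [], "patched": [], "not-listed": []}
    for model, version in inventory:
        groups[assess(model, version)].append(model.strip().upper())
    return groups

# Constructed sample inventory; the build numbers are made up for illustration.
SAMPLE_INVENTORY = [
    ("RT-AC68U", "3.0.0.4.384_81351"),
    ("rt-ac86u", "3.0.0.4.386_45958"),
    ("RT-AC87U", "3.0.0.4.382_52288"),
    ("RT-AX58U", "3.0.0.4.386_45934"),
]
```

Calling `triage(SAMPLE_INVENTORY)` places RT-AC68U under "affected" and RT-AC87U under "eol", which are the two groups that need a firmware flash (or replacement, for EOL units) rather than just a password change.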
34 Comments on Several Older Asus Routers at Risk of Being Infected by Cyclops Blink Worm
both have viruses and bugs to look out for ...
more than ever you gotta look for cures and medicines and what not
My own conclusion is that it could be the Broadcom SDK that's the issue here, as none of Asus' routers with MTK or Qualcomm hardware are affected. Since WiFi 6 models aren't affected as yet, it could be an older version of their SDK that's the issue, as those often don't get updated by the router SoC manufacturers...
Spooky
The Asus security advisory has remote management turned off as part of the mitigation for this exploit, and that is already always turned off on my side.
www.asus.com/content/ASUS-Product-Security-Advisory/
Updating the firmware will erase the worm from an infected router, but it could be infected again straight away once it's back online.
I'm not saying anyone should be worried about this thing, but it should be taken for what it is, as those with one of the routers on the list could unwillingly end up as part of a Russian botnet.
I will be monitoring the SNB thread for this as there has been some useful information posted there.
www.snbforums.com/threads/trend-micro-cyclops-blink-sets-sights-on-asus-routers.77953/
But as you don't have one of the affected models so far, I wouldn't be overly concerned.
That said, Trend Micro seem to suggest they're expecting this worm to spread to other brands as well, so we should all pay attention to the developments.
DD-WRT or OpenWRT might be an option for some of those models.
Very rarely do manufacturers introduce a hotfix for a major issue in their EOL products, and only because said products are very popular and still in active use among a huge user base.
- RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
My AC68U is on fw 9.0.0.4.386_41994-g769f84f.... version 3 seems a bit old to be even mentioned o_O Thanks for the heads up.