Monday, March 21st 2022

Several Older Asus Routers at Risk of Being Infected by Cyclops Blink Worm

If you own an Asus 802.11ac/WiFi 5 router, you might want to make sure your firmware is up to date, as several models are at risk of being infected by a Russian botnet malware. The group behind the worm, which goes under the name of Cyclops Blink, is Sandworm APT, the same group that created the VPNFilter botnet a few years ago. Cyclops Blink was detected by Trend Micro and, although it doesn't seem to cause any direct harm to the network behind the router it infects at this point in time, it is a persistent malware and is believed to be the first of its kind. Unlike most malware that attacks routers, the Cyclops Blink worm can save itself to the flash memory in the router, so even a factory reset won't wipe it off.

That said, a firmware flash will remove it, and according to a security bulletin from Asus, the company advises all of its customers to install the latest firmware. On top of this, Asus also recommends turning off remote management, if enabled, changing the admin login credentials and making sure to use a complex password. However, the company doesn't have an update that is guaranteed to prevent the malware from infecting its products, since at this point in time it's unclear how the Cyclops Blink worm infects routers. Prior to the Asus routers listed below being attacked, the malware was mainly going after WatchGuard Firebox devices, which are generally only used by businesses. Based on the information provided by Trend Micro, Asus is unlikely to be the only brand of router targeted by the malware, so even if you don't own an Asus router, it would be a good idea to make sure your firmware is up to date. Another option would be to install a third-party firmware, although the Merlin firmwares for Asus are also likely to be affected, based on comments by the author of the firmware over on the Small Net Builder forums.
ASUS is investigating and working on a remediation for Cyclops Blink and will continue to post software updates.

To help owners of these routers take necessary precautions, we compiled a security checklist:
(1) Reset the device to factory default: Log in to the web GUI (http://router.asus.com), go to Administration → Restore/Save/Upload Setting, click "Initialize all the setting and clear all the data log", and then click the Restore button.
(2) Update all devices to the latest firmware.
(3) Ensure the default admin password has been changed to a more secure one.
(4) Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).

Affected products
  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (EOL)
  • RT-AC66U (EOL)
  • RT-AC56U (EOL)
Sources: Asus, Trend Micro, via Small Net Builder

34 Comments on Several Older Asus Routers at Risk of Being Infected by Cyclops Blink Worm

#26
R-T-B
CallandorWoT: lmao... in all honesty though it does sound like the name of some really bad sci fi novel from the 80s
Kind of like Russian daily life atm...
#27
TheLostSwede
News Editor
mechtech: Only Asus or all wrt firmware??
Only Asus and Merlin it seems, so far.
Bruno_O
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
My AC68U is on fw 9.0.0.4.386_41994-g769f84f.... version 3 seems a bit old to be even mentioned o_O
Most likely a typo from Asus side somewhere. The important part is the 4.386 bit.
This still doesn't protect you from the worm though, as so far, as pointed out, there's no new firmware that is supposed to do that.
#28
Tarkhein
Bruno_O
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
My AC68U is on fw 9.0.0.4.386_41994-g769f84f.... version 3 seems a bit old to be even mentioned o_O
TheLostSwede: Only Asus and Merlin it seems, so far.
Most likely a typo from Asus side somewhere. The important part is the 4.386 bit.
This still doesn't protect you from the worm though, as so far, as pointed out, there's no new firmware that is supposed to do that.
It's not a typo, Bruno_O is on beta firmware. Asus sets the version number for their beta firmware as v9 and labels their stable firmware v3. The actual important number is the revision number, which comes after the 4.386_ bit. In Bruno_O's case, they are on revision 41994, whereas the latest firmware per Makaveli's post is revision 46065.
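As an added example (not from the article, the Asus bulletin or anyone in this thread), a small Python helper that reads Asus firmware version strings the way the post above describes: the leading 3 or 9 only marks stable vs beta, while the branch (386) and the revision after the underscore are what actually orders builds. The 386 threshold and revision 46065 come from this page; the 384-branch string is a constructed sample.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Asus version strings seen on this page look like "3.0.0.4.386_46065" (stable)
# or "9.0.0.4.386_41994-g769f84f" (beta); the bulletin writes the branch as
# "3.0.0.4.386.xxxx", so either "." or "_" is accepted before the revision.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.0\.0\.4\.(?P<branch>\d+)[._](?P<rev>\d+)"
    r"(?:-g(?P<git>[0-9a-f]+))?$"
)

# Bulletin wording: listed models are affected on "firmware under 3.0.0.4.386.xxxx".
AFFECTED_BELOW_BRANCH = 386
# Latest stable revision cited in the thread (Makaveli's post, via Tarkhein).
LATEST_KNOWN_REVISION = 46065


@dataclass(frozen=True)
class AsusFirmware:
    major: int
    branch: int
    revision: int
    git_hash: Optional[str]

    @property
    def is_beta(self) -> bool:
        # Per the thread: 9.x is the beta label, 3.x is the stable label.
        return self.major == 9


def parse_version(text: str) -> AsusFirmware:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Asus firmware version: {text!r}")
    return AsusFirmware(int(m["major"]), int(m["branch"]), int(m["rev"]), m["git"])


def assess(text: str) -> dict:
    """Classify a version string against the bulletin and the newest known build."""
    fw = parse_version(text)
    return {
        "beta": fw.is_beta,
        # What the bulletin's "under 3.0.0.4.386.xxxx" criterion actually tests.
        "below_bulletin_branch": fw.branch < AFFECTED_BELOW_BRANCH,
        # Compare (branch, revision), ignoring the 3-vs-9 label entirely.
        "older_than_latest_known": (fw.branch, fw.revision)
        < (AFFECTED_BELOW_BRANCH, LATEST_KNOWN_REVISION),
    }


if __name__ == "__main__":
    for v in ("9.0.0.4.386_41994-g769f84f", "3.0.0.4.386_46065", "3.0.0.4.384_10007"):
        print(v, assess(v))  # the 384 string is a constructed sample, not a real build
```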
#29
hojnikb
Remember boys, if the router doesn't have OpenWRT support, it might as well be useless landfill.
#30
kiriakost
I have an ASUS switch-hub, five ports 1000, since 2005 no one has succeeded in hacking it. :p
#31
5 o'clock Charlie
Thank you @TheLostSwede for posting this news. Hopefully Asus will provide more information after they complete their investigation. I have friends using some of these routers, so I will notify them accordingly.
#32
Juventas
What about models they don't provide updates for? I have friends and family with RT-N66U that hasn't been updated since 2020. I know third-party firmware exists, but I can't travel around the country to do this for them.
#33
5 o'clock Charlie
Since I use the Merlin firmware, I just noticed on the 25th that a 386.5_2 firmware was released. Nothing about information on Cyclops Blink Worm in the release notes probably because based on the information provided here and on snb, those running 3.0.0.4.386.xxxx should be in the clear. Is that correct?
#34
Makaveli
5 o'clock Charlie: Since I use the Merlin firmware, I just noticed on the 25th that a 386.5_2 firmware was released. Nothing about information on Cyclops Blink Worm in the release notes probably because based on the information provided here and on snb, those running 3.0.0.4.386.xxxx should be in the clear. Is that correct?
That is correct, I updated to 386.5_2 yesterday.