Monday, March 21st 2022
Several Older Asus Routers at Risk of Being Infected by Cyclops Blink Worm
If you own an Asus 802.11ac/WiFi 5 router, you might want to make sure your firmware is up-to-date, as several models are at risk of being infected by a Russian botnet malware. The group behind the worm, which goes under the name of Cyclops Blink, is Sandworm APT, the same group that created the VPNFilter botnet a few years ago. Cyclops Blink was detected by Trend Micro and although it seems it doesn't cause any direct harm to the network behind the router it infects at this point in time, it is a persistent malware and is believed to be a first of its kind. Unlike most malware that attack routers, the Cyclops Blink worm can save itself to the flash memory in the router, so even a factory reset won't wipe it off.
That said, a firmware flash will remove it and according to a security bulletin from Asus, the company advises all of its customers to install the latest firmware. On top of this, Asus also recommends to turn off remote management, if enabled and to change the admin login credentials and make sure to use a complex password. However, the company doesn't have an update that is guaranteed to prevent the malware from infecting their products, since at this point in time, it's unclear how the Cyclops Blink worm infects routers. Prior to the Asus routers listed below getting attacked, the malware was mainly going after WatchGuard Firebox devices, which are generally only used by businesses. Based on the information provided by Trend Micro, it looks like Asus is unlikely to be the only brand of routers that will be targeted by the malware, so even if you don't own an Asus router, it would be a good idea to make sure your firmware is up to date. Another option would be to install a third party firmware, although the Merlin firmwares for Asus are also likely to be affected, based on comments by the authour of the firmware over on the Small Net Builder forums.
ASUS is investigating and working for a remediation for Cyclops Blink and will continue to post software update.
To help owners of these routers take necessary precautions, we compiled a security checklist:
(1) Reset the device to factory default: Login into the web GUI (http://router.asus.com), go to Administration → Restore/Save/Upload Setting, click the "Initialize all the setting and clear all the data log", and then click Restore button"
(2) Update all devices to the latest firmware.
(3) Ensure default admin password had been changed to a more secure one.
(4) Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).
Affected products
Sources:
Asus, Trend Micro, via Small Net Builder
That said, a firmware flash will remove it and according to a security bulletin from Asus, the company advises all of its customers to install the latest firmware. On top of this, Asus also recommends to turn off remote management, if enabled and to change the admin login credentials and make sure to use a complex password. However, the company doesn't have an update that is guaranteed to prevent the malware from infecting their products, since at this point in time, it's unclear how the Cyclops Blink worm infects routers. Prior to the Asus routers listed below getting attacked, the malware was mainly going after WatchGuard Firebox devices, which are generally only used by businesses. Based on the information provided by Trend Micro, it looks like Asus is unlikely to be the only brand of routers that will be targeted by the malware, so even if you don't own an Asus router, it would be a good idea to make sure your firmware is up to date. Another option would be to install a third party firmware, although the Merlin firmwares for Asus are also likely to be affected, based on comments by the authour of the firmware over on the Small Net Builder forums.
To help owners of these routers take necessary precautions, we compiled a security checklist:
(1) Reset the device to factory default: Login into the web GUI (http://router.asus.com), go to Administration → Restore/Save/Upload Setting, click the "Initialize all the setting and clear all the data log", and then click Restore button"
(2) Update all devices to the latest firmware.
(3) Ensure default admin password had been changed to a more secure one.
(4) Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).
Affected products
- GT-AC5300 firmware under 3.0.0.4.386.xxxx
- GT-AC2900 firmware under 3.0.0.4.386.xxxx
- RT-AC5300 firmware under 3.0.0.4.386.xxxx
- RT-AC88U firmware under 3.0.0.4.386.xxxx
- RT-AC3100 firmware under 3.0.0.4.386.xxxx
- RT-AC86U firmware under 3.0.0.4.386.xxxx
- RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
- RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
- RT-AC3200 firmware under 3.0.0.4.386.xxxx
- RT-AC2900 firmware under 3.0.0.4.386.xxxx
- RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
- RT-AC87U (EOL)
- RT-AC66U (EOL)
- RT-AC56U (EOL)
34 Comments on Several Older Asus Routers at Risk of Being Infected by Cyclops Blink Worm
This still doesn't protect you from the worm though, as so far, as pointed out, there's no new firmware that is supposed to do that.