Monday, March 21st 2022

Several Older Asus Routers at Risk of Being Infected by Cyclops Blink Worm

If you own an Asus 802.11ac/WiFi 5 router, you might want to make sure your firmware is up to date, as several models are at risk of being infected by a Russian botnet malware. The group behind the worm, which goes under the name of Cyclops Blink, is Sandworm APT, the same group that created the VPNFilter botnet a few years ago. Cyclops Blink was detected by Trend Micro, and although it doesn't seem to cause any direct harm to the network behind the router it infects at this point in time, it is a persistent malware and is believed to be a first of its kind. Unlike most malware that attacks routers, the Cyclops Blink worm can save itself to the flash memory in the router, so even a factory reset won't wipe it off.

That said, a firmware flash will remove it, and in a security bulletin Asus advises all of its customers to install the latest firmware. On top of this, Asus also recommends turning off remote management, if enabled, changing the admin login credentials and making sure to use a complex password. However, the company doesn't have an update that is guaranteed to prevent the malware from infecting its products, since at this point in time it's unclear how the Cyclops Blink worm infects routers. Prior to attacking the Asus routers listed below, the malware was mainly going after WatchGuard Firebox devices, which are generally only used by businesses. Based on the information provided by Trend Micro, it looks like Asus is unlikely to be the only brand of routers that will be targeted by the malware, so even if you don't own an Asus router, it would be a good idea to make sure your firmware is up to date. Another option would be to install a third-party firmware, although the Merlin firmwares for Asus are also likely to be affected, based on comments by the author of the firmware over on the Small Net Builder forums.
ASUS is investigating and working on a remediation for Cyclops Blink and will continue to post software updates.

To help owners of these routers take necessary precautions, we compiled a security checklist:
(1) Reset the device to factory default: Log in to the web GUI (http://router.asus.com), go to Administration → Restore/Save/Upload Setting, click "Initialize all the setting and clear all the data log", and then click the Restore button.
(2) Update all devices to the latest firmware.
(3) Ensure the default admin password has been changed to a more secure one.
(4) Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).

Affected products
  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (EOL)
  • RT-AC66U (EOL)
  • RT-AC56U (EOL)
Sources: Asus, Trend Micro, via Small Net Builder

34 Comments on Several Older Asus Routers at Risk of Being Infected by Cyclops Blink Worm

#2
TheLostSwede
> CallandorWoT: lmao... that name...
Maybe you could join the russian hacker army and help with their "product" naming and PR?
#3
CallandorWoT
> TheLostSwede: Maybe you could join the russian hacker army and help with their "product" naming and PR?
lmao... in all honesty though it does sound like the name of some really bad sci fi novel from the 80s, or like some combat move from some horrible sci fi game that had no funding lol
#4
Hyderz
man technology stuff is just like your physical body isn't it?
both have viruses and bugs to look out for ...
more than ever you gotta look for cures and medicines and what not
#5
TheLostSwede
> Hyderz: man technology stuff is just like your physical body isn't it?
> both have viruses and bugs to look out for ...
> more than ever you gotta look for cures and medicines and what not
Well, they've found that having worms might not be bad for you... As long as it's not a malware worm...
#6
CallandorWoT
> Hyderz: man technology stuff is just like your physical body isn't it?
> both have viruses and bugs to look out for ...
> more than ever you gotta look for cures and medicines and what not
to be fair the human body is made of mostly billions of bacteria, so one has to begin to define, what exactly is human?
#7
DeathtoGnomes
> TheLostSwede: at this point in time, it's unclear how the Cyclops Blink worm infects routers.
I would guess thru Windows, maybe even a webpage? It can't be from a router update, that would mean ASUS was hacked, if everyone used an Asus to update.
#8
TheLostSwede
> DeathtoGnomes: I would guess thru Windows, maybe even a webpage? It can't be from a router update, that would mean ASUS was hacked, if everyone used an Asus to update.
Well, it was targeting some kind of business routers initially, so not sure that's likely. The spread is also too big to be from a webpage or even multiple webpages.
#9
zlobby
> Hyderz: man technology stuff is just like your physical body isn't it?
> both have viruses and bugs to look out for ...
> more than ever you gotta look for cures and medicines and what not
It's just a different medium. Did you know that it's even entirely possible that there might be living plasma creatures that inhabit stars?
> CallandorWoT: to be fair the human body is made of mostly billions of bacteria, so one has to begin to define, what exactly is human?
Approx. 60% of our DNA isn't even ours.
#10
MadMan007
So sticking with my ancient RT-N66U pays off? It still has firmware updates, and my wireless clients are at distances such that higher frequency standards wouldn't benefit me.
#11
MaddoggMiranda
Solution: Run Fresh Tomato Custom Firmware (freshtomato.org) Clears NVRam when installed. Also unlocks router to far more capabilities that don't come with STOCK firmware.
#12
Makaveli
My Asus AX88U isn't on the list and i'm using a merlin firmware based on 3.0.0.4.386.xxxx so good here.
#13
TheLostSwede
> MadMan007: So sticking with my ancient RT-N66U pays off? It still has firmware updates, and my wireless clients are at distances such that higher frequency standards wouldn't benefit me.
WiFi 6 has added improvements to the 2.4GHz band.
> Makaveli: My Asus AX88U isn't on the list and i'm using a merlin firmware based on 3.0.0.4.386.xxxx so good here.
Well, that's a maybe. Asus doesn't actually have a fix and as they haven't figured out the attack vector, more models could be affected.

My own conclusion is that it could be the Broadcom SDK that's the issue here, as none of Asus' routers with MTK or Qualcomm hardware are affected. Since WiFi 6 models aren't affected as yet, it could be an older version of their SDK that's the issue, as those often don't get updated by the router SoC manufacturers...
#15
Makaveli
> TheLostSwede: WiFi 6 has added improvements to the 2.4GHz band.
>
> Well, that's a maybe. Asus doesn't actually have a fix and as they haven't figured out the attack vector, more models could be affected.
>
> My own conclusion is that it could be the Broadcom SDK that's the issue here, as none of Asus' routers with MTK or Qualcomm hardware are affected. Since WiFi 6 models aren't affected as yet, it could be an older version of their SDK that's the issue, as those often don't get updated by the router SoC manufacturers...
I'm not too worried about it.

The Asus security advisory has remote management turned off as part of the mitigation for this exploit and that is already always turned off on my side.

www.asus.com/content/ASUS-Product-Security-Advisory/
#16
TheLostSwede
> Makaveli: I'm not too worried about it.
>
> The Asus security advisory has remote management turned off as part of the mitigation for this exploit and that is already always turned off on my side.
>
> www.asus.com/content/ASUS-Product-Security-Advisory/
Sorry, but you're reading it wrong. Those are not mitigations, they're suggestions from Asus that may or may not help, since as I pointed out, the attack vector is unknown.
Updating the firmware will erase the worm from an infected router, but it could be infected again, straight away once it's back online.

I'm not saying anyone should be worried about this thing, but it should be taken for what it is, as those with one of the routers on the list, could unwillingly end up as part of a russian botnet.
#17
Makaveli
> TheLostSwede: Sorry, but you're reading it wrong. Those are not mitigations, they're suggestions from Asus that may or may not help, since as I pointed out, the attack vector is unknown.
> Updating the firmware will erase the worm from an infected router, but it could be infected again, straight away once it's back online.
>
> I'm not saying anyone should be worried about this thing, but it should be taken for what it is, as those with one of the routers on the list, could unwillingly end up as part of a russian botnet.
noted.

I will be monitoring the SNB thread for this as there has been some useful information posted there.

www.snbforums.com/threads/trend-micro-cyclops-blink-sets-sights-on-asus-routers.77953/
#18
TheLostSwede
> Makaveli: noted.
>
> I will be monitoring the SNB thread for this as there has been some useful information posted there.
>
> www.snbforums.com/threads/trend-micro-cyclops-blink-sets-sights-on-asus-routers.77953/
Yeah, I linked to that thread in the article.

But as you don't have one of the affected models so far, I wouldn't be overly concerned.
That said, Trend Micro seem to suggest they're expecting this worm to spread to other brands as well, so we should all pay attention to the developments.
#19
micropage7
sometimes i just wonder, will they release any update for their EOL router? many just left it when the products reach its EOL
#20
TheLostSwede
> micropage7: sometimes i just wonder, will they release any update for their EOL router? many just left it when the products reach its EOL
Apparently the official word is no updates for those models.
DD-WRT or OpenWRT might be an option for some of those models.
#21
mechtech
Only Asus or all wrt firmware??
#22
zlobby
> micropage7: sometimes i just wonder, will they release any update for their EOL router? many just left it when the products reach its EOL
Do you understand what 'EOL' means and implies?

Very rarely manufacturers introduce some hotfix for a major issue in their EOL products, and only because said products are very popular and still in active use among huge user base.
#23
Bruno_O
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
My AC68U is on fw 9.0.0.4.386_41994-g769f84f.... version 3 seems a bit old to be even mentioned o_O
#24
Makaveli
> Bruno_O:
>   • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
> My AC68U is on fw 9.0.0.4.386_41994-g769f84f.... version 3 seems a bit old to be even mentioned o_O
The most recent firmware for that router is

#25
Minus Infinity
Hmm I have two routers on the list. Better update today.

Thanks for the heads up.