Wow! This range of Asus routers is the target of Russian hackers


Cyclops Blink, the malware created by hackers linked to the Russian government, is back in action. This time, a number of Asus router series are the target.

Cyclops Blink is malware that has been circulating since 2019. It is attributed to the elite Sandworm hacker group, which is suspected of having links to the Russian government.


According to the UK's National Cyber Security Centre (NCSC), the malware initially targeted WatchGuard Firebox devices. The same group is also linked to the NotPetya ransomware, which has caused billions of dollars in losses since it spread to many countries in June 2017, and to the BlackEnergy malware behind the attack on power plants in Ukraine in 2015.



Security researchers at Trend Micro found that Cyclops Blink is now expanding its attacks and is no longer limited to specific targets such as particular national governments.



According to Trend Micro, Cyclops Blink operates as an advanced persistent threat on a device, creating a foothold for remote access to the victim's network. Because of its modular design, the malware can easily be updated to attack new targets.


Now, the newest targets are a number of Asus routers from the AC (Wi-Fi 5, 802.11ac) series. Cyclops Blink uses specific TCP ports to communicate with its C&C server.


For each port it uses, the malware creates a new rule in the Linux kernel's Netfilter firewall that allows traffic to the server. Once communication is established, the malware sets up the OpenSSL library, and its main component executes specific modules.


The malware then passes certain parameters to these modules, which return data encrypted with OpenSSL; the malware sends that data to its C&C server.
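One thing a defender can do with the behaviour described above is compare a router's firewall rules against a known baseline: a freshly added ACCEPT rule for a port the owner never opened is worth a closer look. The script below is an added example written for this article; it is not code from the article, from Trend Micro or from Asus. The expected-port list and the sample rule lines are constructed for the demonstration, and the port numbers in them are not the ports the malware actually uses (the article does not list those).

```shell
#!/bin/sh
# Constructed baseline (assumption): TCP ports this router is expected to
# accept. On a real device this list comes from the owner's own configuration.
EXPECTED_PORTS="22 80 443"

# Reads `iptables -S`-style rules on stdin and prints every ACCEPT rule whose
# --dport is not in EXPECTED_PORTS. Returns 1 if anything was flagged, else 0.
flag_unexpected_accepts() {
    found=0
    while IFS= read -r rule; do
        # Only rules that both match a destination port and ACCEPT are relevant.
        case "$rule" in
            *"--dport"*"-j ACCEPT"*) ;;
            *) continue ;;
        esac
        port=$(printf '%s\n' "$rule" | sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p')
        [ -n "$port" ] || continue
        known=0
        for p in $EXPECTED_PORTS; do
            if [ "$p" = "$port" ]; then
                known=1
                break
            fi
        done
        if [ "$known" -eq 0 ]; then
            printf 'UNEXPECTED: %s\n' "$rule"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample rule set in `iptables -S` format (not taken from a real
# device). The 31337 line stands in for a rule an intruder might have added.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 31337 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j DROP'

# Demo run on the constructed sample. On a live Linux-based router with shell
# access the same function would be fed by:  iptables -S | flag_unexpected_accepts
printf '%s\n' "$SAMPLE_RULES" | flag_unexpected_accepts \
    || echo "one or more ACCEPT rules are outside the expected baseline"
```

The check is deliberately simple: it looks only at ACCEPT rules carrying an explicit destination port, so a DROP rule on an odd port is ignored and rules without a port (such as the loopback allow) never trigger. Treat a hit as a reason to inspect the device, not as proof of compromise, since the owner or a legitimate service may have added the rule.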


According to Trend Micro, this malware is the successor to the VPNFilter malware that circulated in 2018. Like VPNFilter, it is designed to infect certain routers and network devices, steal data, and turn the devices into a botnet for future use.


The Cyclops Blink module that targets Asus routers is built to read and overwrite data in the router's flash memory: a region of about 80 bytes is accessed and rewritten. A second module then steals data from the infected device and sends it to the C&C server.


Finally, a third module downloads files from the internet using DNS over HTTPS (DoH).


The following are the affected Asus router series, together with their firmware series:


GT-AC5300

GT-AC2900

RT-AC5300

RT-AC88U

RT-AC3100

RT-AC86U

RT-AC68U

AC68R

AC68W

AC68P

RT-AC66U_B1

RT-AC3200

RT-AC2900

RT-AC1900P

RT-AC87U (EOL)

RT-AC66U (EOL)

RT-AC56U (EOL)

To date, Asus has not released a firmware update for these routers, but it has published steps to mitigate the malware. Here are the steps:


Reset the device to factory settings. In the web GUI, go to Administration - Restore/Save/Upload Settings, tick "Initialize all the settings and clear all the data log", and click Restore.

Update to the latest available firmware

Make sure the default admin password has been replaced with a stronger one.

Turn off Remote Management (it is off by default and can only be enabled under Advanced Settings).

For devices marked EOL (end of life), Asus will not provide firmware updates. The Taiwanese manufacturer recommends that users of EOL routers buy a new router.
