ASUS routers are now the targets of a new botnet named Cyclops ,. This is almost one month after the revelation that the malware used WatchGuard firewall appliances to gain remote access into breached networks.
According to Trend Micro’s new report , the botnet has “main purpose to create an infrastructure for further attacks upon high-value targets,” provided that no of its infected hosts are “participants to critical organizations or have an obvious value on military, economic or political espionage.” “
Intelligence agencies from the U.K. and the U.S. have characterized Cyclops Blink as a replacement framework for VPNFilter, another malware that has exploited network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices.
Both VPNFilter and Cyclops Blink have been attributed to a Russian state-sponsored actor tracked as Sandworm (aka Voodoo Bear), which has also been linked to a number of high-profile intrusions, including that of the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games.
Written in the C language, the advanced modular botnet affects a number of ASUS router models, with the company acknowledging that it’s working on an update to address any potential exploitation –
- GT-AC5300 firmware under 18.104.22.168. 386.xxxx
- GT-AC2900 firmware under 22.214.171.124. 386.xxxx
- RT-AC5300 firmware under 126.96.36.199. 386.xxxx
- RT-AC88U firmware under 188.8.131.52. 386.xxxx
- RT-AC3100 firmware under 184.108.40.206. 386.xxxx
- RT-AC86U firmware under 220.127.116.11. 386.xxxx
- RT-AC68U, AC68R, AC68W, AC68P firmware under 18.104.22.168. 386.xxxx
- RT-AC66U_B1 firmware under 22.214.171.124. 386.xxxx
- RT-AC3200 firmware under 126.96.36.199. 386.xxxx
- RT-AC2900 firmware under 188.8.131.52. 386.xxxx
- RT-AC1900P, RT-AC1900P firmware under 184.108.40.206. 386.xxxx
- RT-AC87U (end-of-life)
- RT-AC66U (end-of-life)
- RT-AC56U (end-of-life)
Cyclops Blink, besides using OpenSSL to encrypt communications with its command-and-control (C2) servers, also incorporates specialized modules that can read and write from the devices’ flash memory, granting it the ability to achieve persistence and survive factory resets.
A second reconnaissance module serves as a channel for exfiltrating information from the hacked device back to the C2 server, while a file download component takes charge of retrieving arbitrary payloads optionally via HTTPS.
Since June 2019, the malware is said to have impacted WatchGuard devices and Asus routers located in the U.S., India, Italy, Canada, and Russia. A number of affected hosts include a European law firm, an entity with a moderate size that produces medical equipment in Southern Europe and a U.S plumbing company.
Trend Micro warns that IoT devices, routers and other attack surfaces have become a profitable target surface because of infrequent patching. “
“An attacker will have unlimited internet access to download and deploy more malware stages for reconnaissance, spying, proxying or any other purpose the attacker desires,” researchers stated.
“In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable command-and-control servers for other bots. “