Your Asus router may require an urgent update to protect against sticky botnet

Asus has issued a notice asking owners of some of its routers to install a recent firmware update to protect against new malware targeting those products. Asus recommends taking these measures immediately to keep your network from being infected by the botnet malware known as Cyclops Blink, while it investigates a more permanent fix.

In a security bulletin on the Asus website, the company outlines the best way for users to strengthen their defenses against Cyclops Blink. This includes: resetting the device to factory default settings, updating the device to the latest firmware version, changing the administrator password, and disabling Remote Management (which is disabled by default).

The affected Asus products are:

  • GT-AC5300, firmware 3.0.0.4.386.xxxx
  • GT-AC2900, firmware 3.0.0.4.386.xxxx
  • RT-AC5300, firmware 3.0.0.4.386.xxxx
  • RT-AC88U, firmware 3.0.0.4.386.xxxx
  • RT-AC3100, firmware 3.0.0.4.386.xxxx
  • RT-AC86U, firmware 3.0.0.4.386.xxxx
  • RT-AC68U, RT-AC68R, RT-AC68W, RT-AC68P, firmware 3.0.0.4.386.xxxx
  • RT-AC66U_B1, firmware 3.0.0.4.386.xxxx
  • RT-AC3200, firmware 3.0.0.4.386.xxxx
  • RT-AC2900, firmware 3.0.0.4.386.xxxx
  • RT-AC1900P, firmware 3.0.0.4.386.xxxx
  • RT-AC87U (end of life)
  • RT-AC66U (end of life)
  • RT-AC56U (end of life)

The GT models are seriously beefy gaming routers, and some of the RT models are pretty beefy routers as well.
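As an added example (not code from the article, Asus or Trend Micro), the following Python script triages a small router inventory against the bulletin's list: end-of-life models are flagged for replacement, listed models on the 3.0.0.4.386 branch are compared against an operator-supplied reference build, anything else is marked for manual verification, and any router with remote management enabled is flagged regardless. The inventory, the reference build numbers, the version-string formats and all function and constant names are assumptions; the bulletin only gives "3.0.0.4.386.xxxx", so the real fixed build for each model has to be taken from the Asus download page.

```python
"""Triage an Asus router inventory against the Cyclops Blink bulletin.

Added example, not code from the article or from Asus. The inventory,
the reference build numbers and the helper names are constructed for
illustration; the bulletin only says '3.0.0.4.386.xxxx', so the actual
fixed build must come from the Asus download page for each model.
"""
import re
from dataclasses import dataclass

# Models the bulletin lists as affected on the 3.0.0.4.386 firmware branch.
AFFECTED_386 = {
    "GT-AC5300", "GT-AC2900", "RT-AC5300", "RT-AC88U", "RT-AC3100", "RT-AC86U",
    "RT-AC68U", "RT-AC68R", "RT-AC68W", "RT-AC68P", "RT-AC66U_B1", "RT-AC3200",
    "RT-AC2900", "RT-AC1900P",
}
# Models the bulletin lists as end of life: no fixed firmware will ship.
EOL = {"RT-AC87U", "RT-AC66U", "RT-AC56U"}

# Assumed display formats: 3.0.0.4.386_45898 or 3.0.0.4.386.45898
# -> (base, branch, build).
VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+)[._](\d+)$")

# Action strings returned by triage(); constants so callers can match on them.
REPLACE = "replace: end of life, no fixed firmware will ship"
UPDATE = "reset to factory defaults, flash the latest firmware, then change the admin password"
UP_TO_DATE = "firmware is at or above the reference build"
VERIFY_BRANCH = "verify: firmware branch not covered by the bulletin"
VERIFY_BUILD = "verify: no reference build known for this model"
NOT_LISTED = "not listed in the bulletin"
DISABLE_REMOTE = "disable remote management (WAN-side admin access)"


@dataclass
class Router:
    model: str
    version: str        # version string as shown in the admin UI
    remote_mgmt: bool   # True if WAN-side admin access is enabled


def parse_version(version: str):
    """Split '3.0.0.4.386_45898' into ('3.0.0.4', 386, 45898)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Asus firmware version: {version!r}")
    base, branch, build = m.groups()
    return base, int(branch), int(build)


def triage(router: Router, reference_builds: dict) -> list:
    """Return the actions the bulletin implies for one router.

    reference_builds maps model -> build number of the fixed firmware on the
    386 branch, as read from the Asus download page (constructed in __main__).
    """
    actions = []
    if router.model in EOL:
        actions.append(REPLACE)
    elif router.model in AFFECTED_386:
        _, branch, build = parse_version(router.version)
        reference = reference_builds.get(router.model)
        if branch != 386:
            actions.append(VERIFY_BRANCH)
        elif reference is None:
            actions.append(VERIFY_BUILD)
        elif build < reference:
            actions.append(UPDATE)
        else:
            actions.append(UP_TO_DATE)
    else:
        actions.append(NOT_LISTED)
    # Remote management is off by default; the bulletin says to keep it off.
    if router.remote_mgmt:
        actions.append(DISABLE_REMOTE)
    return actions


def triage_inventory(routers, reference_builds):
    """Map 'model version' -> action list for every router in the inventory."""
    return {f"{r.model} {r.version}": triage(r, reference_builds) for r in routers}


if __name__ == "__main__":
    # Constructed inventory and constructed reference builds, for illustration only.
    inventory = [
        Router("RT-AC86U", "3.0.0.4.386_41994", remote_mgmt=True),
        Router("RT-AC68U", "3.0.0.4.386_50000", remote_mgmt=False),
        Router("RT-AC87U", "3.0.0.4.382_52545", remote_mgmt=False),
        Router("GT-AC2900", "3.0.0.4.384_10000", remote_mgmt=False),
        Router("RT-AX88U", "3.0.0.4.388_20000", remote_mgmt=False),
    ]
    reference = {"RT-AC86U": 50000, "RT-AC68U": 50000}
    for name, actions in triage_inventory(inventory, reference).items():
        print(name)
        for action in actions:
            print("  -", action)
```

The script deliberately refuses to guess: a listed model whose firmware is on a branch other than 386, or for which no reference build has been entered, comes back as "verify" rather than "up to date", since a wrong green light here leaves a persistent implant in place.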

Cyclops Blink is an advanced, persistent, modular botnet that is difficult to get rid of once it takes hold of a device. Trend Micro took a deep dive into the malware and exactly how it operates, which I recommend you read if you like that sort of thing – it’s fascinating to know your enemy. Essentially, though, it sets up a communication channel between an infected device and the attacker’s servers, and can encrypt and send data to those servers as it sees fit.

The Asus-specific variant of the malware can read and write the device’s flash memory, which means it has virtually unrestricted access to the router once it is infected. It also means the malware can survive factory resets. As Asus notes, resetting the device and flashing updated firmware should finally get rid of it, but how often do most users update their router’s firmware?

The malware itself is modular, so it is assumed that its creators can modify it to run on other brands of routers with relative ease.

The botnet is allegedly linked to the advanced persistent threat (APT) group known as Sandworm or Voodoo Bear, says Trend Micro. The group has quite a history: Sandworm has been linked to the VPNFilter botnet and to attacks on the Ukrainian power grid, the French presidential campaign, and the Winter Olympics.

The FBI, CISA, the US Department of Justice and the UK’s National Cyber Security Centre jointly warned about the threat from Cyclops Blink last month.

“The malicious cyber agent known as Sandworm or Voodoo Bear is using new malware, known as Cyclops Blink,” reads the joint statement (via The Register). “Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office routers and network-attached storage devices.”

That sounds like malware you don’t want to mess with. As always, keeping your devices’ firmware up to date is the best form of defense in most cases – short of disconnecting from the internet entirely, of course. However, I believe there are certainly many routers that have never seen a patch in their lifetime, which is why it is really important for users with these affected devices to heed this call.
