Russian Cyclops Blink botnet launches assault against Asus routers
The Cyclops Blink botnet is now targeting Asus routers in a new wave of cyberattacks.
Cyclops Blink, a modular botnet, is suspected of being the creation of Sandworm/Voodoo Bear, a Russian advanced persistent threat (APT) group.
Several weeks ago, the UK National Cyber Security Centre (NCSC) and the United States’ Cybersecurity and Infrastructure Security Agency (CISA), alongside the NSA and FBI, warned of the botnet’s existence.
According to the agencies, the APT is supported by the Russian General Staff Main Intelligence Directorate (GRU) and has been linked to the use of BlackEnergy malware against Ukraine’s electricity grid, Industroyer, NotPetya, and cyberattacks against Georgia.
“Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers and network-attached storage (NAS) devices,” the agencies warned.
This week, cybersecurity researchers from Trend Micro said that while the malware is “state-sponsored”, it does not appear to be in active use against targets that would be of interest to the Russian state.
The botnet is vast: over 150 past and current command-and-control (C2) server addresses have so far been traced to the network.
However, WatchGuard Firebox and Asus devices compromised by the botnet “do not belong to critical organizations, or those that have an evident value on economic, political, or military espionage” — an important point to note considering the current invasion of Ukraine by Russia’s military.
While the botnet is busy enslaving generic, open, and exposed devices online, Trend Micro suspects that the amassed nodes could then be used to “build an infrastructure for further attacks on high-value targets.”
First detected in 2019, Cyclops Blink is written in C and uses TCP to communicate with a C2 server. The malware makes use of OpenSSL encryption functions and will attempt to brute-force devices to obtain access.
The modular malware is able to read from and write to a device’s flash memory, enabling persistence. Trend Micro also says that these functions may allow it to “survive factory resets.”
“Although it cannot be used as proof of attribution, the preceding code reminded us of a routine from the third-stage code of VPNFilter’s process called “dstr” that was intended to “brick” the infected device,” the researchers say.
Other modules gather device information and allow the botnet to download and execute additional files from the web.
“Asus is likely only one of the vendors that are currently being targeted by Cyclops Blink,” the researchers say. “We have evidence that other routers are affected too, but as of reporting, we were not able to collect Cyclops Blink malware samples for routers other than WatchGuard and Asus.”
In a security advisory published on March 17, Asus said it was aware of Cyclops Blink and is “investigating.”
The vendor has urged customers to reset their devices to factory default settings, to update their products to the latest firmware, and to change any default administrator credentials to stronger ones. In addition, Asus recommends that the Remote Management function, which is disabled by default, remain disabled.
“If it is suspected that an organization’s devices have been infected with Cyclops Blink, it is best to get a new router,” Trend Micro added. “Performing a factory reset might blank out an organization’s configuration, but not the underlying operating system that the attackers have modified.”
The affected product list is below:
- GT-AC5300 firmware under 3.0.0.4.386.xxxx
- GT-AC2900 firmware under 3.0.0.4.386.xxxx
- RT-AC5300 firmware under 3.0.0.4.386.xxxx
- RT-AC88U firmware under 3.0.0.4.386.xxxx
- RT-AC3100 firmware under 3.0.0.4.386.xxxx
- RT-AC86U firmware under 3.0.0.4.386.xxxx
- RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
- RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
- RT-AC3200 firmware under 3.0.0.4.386.xxxx
- RT-AC2900 firmware under 3.0.0.4.386.xxxx
- RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
- RT-AC87U (EOL)
- RT-AC66U (EOL)
- RT-AC56U (EOL)
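For administrators with more than a handful of routers, the list above is easier to apply as a script. The following is an added triage helper, not code from the article, Asus or Trend Micro: it assumes (my reading of “firmware under ...386.xxxx”) that any build whose version prefix sorts below the 3.0.0.4.386 branch still needs updating, flags the EOL models for replacement, and runs over a constructed inventory embedded inline.

```python
import re
from typing import Optional

# Models copied from the advisory list above. The numeric threshold is an
# assumption: builds below the 3.0.0.4.386 branch are treated as affected.
FIX_BRANCH = (3, 0, 0, 4, 386)

AFFECTED_MODELS = {
    "GT-AC5300", "GT-AC2900", "RT-AC5300", "RT-AC88U", "RT-AC3100",
    "RT-AC86U", "RT-AC68U", "RT-AC68R", "RT-AC68W", "RT-AC68P",
    "RT-AC66U_B1", "RT-AC3200", "RT-AC2900", "RT-AC1900P",
}
# End-of-life models: no fixed firmware will ship, so always flag them.
EOL_MODELS = {"RT-AC87U", "RT-AC66U", "RT-AC56U"}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> tuple:
    """Turn '3.0.0.4.386.45934' into (3, 0, 0, 4, 386, 45934)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def assess(model: str, firmware: Optional[str]) -> str:
    """Return 'eol', 'update', 'ok' or 'unlisted' for one router."""
    model = model.strip().upper()
    if model in EOL_MODELS:
        return "eol"        # replace the device; no patch is coming
    if model not in AFFECTED_MODELS:
        return "unlisted"   # not on the advisory; still review manually
    if firmware is None:
        return "update"     # unknown build: treat as vulnerable
    version = parse_version(firmware)
    # Compare only the branch prefix; the trailing build number is ignored.
    return "update" if version[:len(FIX_BRANCH)] < FIX_BRANCH else "ok"


# Constructed inventory lines in "model,firmware" form (firmware may be empty).
SAMPLE_INVENTORY = """RT-AC86U,3.0.0.4.384.81992
RT-AC68U,3.0.0.4.386.45958
RT-AC66U,3.0.0.4.382.52287
RT-AX88U,3.0.0.4.386.45898
GT-AC2900,"""


def triage(inventory: str) -> dict:
    """Map each inventory line's model to its assessment."""
    result = {}
    for line in inventory.splitlines():
        model, _, fw = line.partition(",")
        result[model] = assess(model, fw or None)
    return result
```

Devices assessed as `update` or `eol` should also get the full advice above (factory reset, firmware update, credential change, Remote Management left off), since Trend Micro notes a reset alone does not restore a modified operating system.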