ASUS has issued new firmware for 14 routers, after being alerted to a Cyclops Blink variant tweaked to run on them.
The move came after Trend Micro alerted the vendor to the issue, having acquired and analysed the variant.
In response, ASUS said it is working on remediations and will continue posting software updates.
ASUS said users should do a factory reset on their devices, update the firmware, make sure they have a strong admin password, and make sure remote management is disabled (the default setting).
Attributed to the Russian-sponsored Sandworm group, Cyclops Blink has been in the wild since 2019, and was recently the subject of a joint US-UK advisory.
Trend said “its C&C servers and bots affect WatchGuard Firebox and ASUS devices that do not belong to critical organizations, or those that have an evident value on economic, political, or military espionage.
“Hence, we believe that it is possible that the Cyclops Blink botnet’s main purpose is to build an infrastructure for further attacks on high-value targets.”
Infected boxes use OpenSSL to encrypt their communication with command and control (C&C) servers.
“The data received from the C&C servers comprises either commands to the core component itself or to one of its modules”, Trend’s advisory stated.
The researchers, Trend’s Feike Hacquebord, Stephen Hilt and Fernando Merces, observed modules that:
- Read/write to the unit’s flash memory (which stores the operating system, configuration, and file system files);
- Read SSD information, including files containing passwords, user groups, mounts, partitions, and network interfaces; and
- Download files from the C&C servers.
Many infected systems become C&C servers for other bots, Trend said, adding that there are currently around 200 Cyclops Blink victims worldwide.
ASUS said the following devices are vulnerable:
- GT-AC5300 firmware under 220.127.116.11.386.xxxx
- GT-AC2900 firmware under 18.104.22.168.386.xxxx
- RT-AC5300 firmware under 22.214.171.124.386.xxxx
- RT-AC88U firmware under 126.96.36.199.386.xxxx
- RT-AC3100 firmware under 188.8.131.52.386.xxxx
- RT-AC86U firmware under 184.108.40.206.386.xxxx
- RT-AC68U, AC68R, AC68W, AC68P firmware under 220.127.116.11.386.xxxx
- RT-AC66U_B1 firmware under 18.104.22.168.386.xxxx
- RT-AC3200 firmware under 22.214.171.124.386.xxxx
- RT-AC2900 firmware under 126.96.36.199.386.xxxx
- RT-AC1900P, RT-AC1900P firmware under 188.8.131.52.386.xxxx
- RT-AC87U (EOL)
- RT-AC66U (EOL)
- RT-AC56U (EOL).