Trend Micro researchers reported: “The botnet’s objective is to develop an infrastructure for additional attacks on high-value targets, given that none of the infected hosts belong to vital organisations or those that have an obvious value on economic, political or military espionage.”
ASUS routers have become the target of a budding botnet known as Cyclops Blink, nearly a month after it was revealed that the malware used WatchGuard firewall appliances as a stepping stone to obtain remote access to infiltrated networks.
Cyclops Blink has been identified by intelligence services in the United Kingdom and the United States as a replacement framework for VPNFilter, a malware that has targeted network equipment, especially small office/home office (SOHO) routers and network-attached storage (NAS) devices.
Sandworm, a Russian state-sponsored actor linked to a number of high-profile intrusions, including the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack and the 2018 Olympic Destroyer attack on the Winter Olympic Games, has been linked to both VPNFilter and Cyclops Blink.
The complex modular botnet is written in C. ASUS has stated that it is working on a fix to address any potential exploitation, and lists the following models as affected:
- GT-AC5300 firmware under 3.0.0.4.386.xxxx
- GT-AC2900 firmware under 3.0.0.4.386.xxxx
- RT-AC5300 firmware under 3.0.0.4.386.xxxx
- RT-AC88U firmware under 3.0.0.4.386.xxxx
- RT-AC3100 firmware under 3.0.0.4.386.xxxx
- RT-AC86U firmware under 3.0.0.4.386.xxxx
- RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
- RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
- RT-AC3200 firmware under 3.0.0.4.386.xxxx
- RT-AC2900 firmware under 3.0.0.4.386.xxxx
- RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
- RT-AC87U (end-of-life)
- RT-AC66U (end-of-life)
- RT-AC56U (end-of-life)
Cyclops Blink features specialised modules that can read from and write to the devices’ flash memory, allowing it to achieve persistence and survive factory resets, in addition to employing OpenSSL to encrypt connections with its command-and-control (C2) servers.
A second reconnaissance module acts as a medium for exfiltrating data from the hacked device to the C2 server, while a file download component is responsible for retrieving arbitrary payloads through HTTPS.
The malware has been infecting WatchGuard devices and ASUS routers in the US, India, Italy, Canada and Russia since June 2019. A law firm in Europe, a medium-sized entity producing medical equipment for dentists in Southern Europe and a plumbing company in the US are among the impacted hosts.
Finally, the researchers concluded: “Once an IoT device has been infected with malware, an attacker can have uncontrolled internet access to download and deploy more stages of malware for spying, espionage, proxying, or anything else the attacker wants to do. In the case of Cyclops Blink, we’ve encountered devices that have been penetrated for more than 30 months (about two and a half years) and are being used as solid command-and-control servers for other bots.”