ASUS Routers Are Targeted By A New Variant Of The Russian Cyclops Blink Botnet.

Trend Micro researchers reported that ,” The botnet’s objective is to develop an infrastructure for additional attacks on high-value targets, given that none of the infected hosts belong to vital organisations or those that have an obvious value on economic, political or military espionage.

Nearly a month after it was revealed that the malware used WatchGuard firewall appliances as a stepping stone to obtain remote access to infiltrated networks. ASUS routers have been the target of a budding botnet known as Cyclops Blink.

Cyclops Blink has been identified by intelligence services in the United Kingdom and the United States as a replacement framework for VPNFilter, a malware that has targeted network equipment, especially small office/home office (SOHO) routers and network-attached storage (NAS) devices.

Sandworm,  a Russian state-sponsored actor linked to a number of high-profile intrusions, including the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack and the 2018 Olympic Destroyer attack on the Winter Olympic Games  has been linked to both VPNFilter and Cyclops Blink.

The complex modular botnet written in C  with the company stating that it is working on a fix to handle any potential exploitation 

  • GT-AC5300 firmware under
  • GT-AC2900 firmware under
  • RT-AC5300 firmware under
  • RT-AC88U firmware under
  • RT-AC3100 firmware under
  • RT-AC86U firmware under
  • RT-AC68U, AC68R, AC68W, AC68P firmware under
  • RT-AC66U_B1 firmware under
  • RT-AC3200 firmware under
  • RT-AC2900 firmware under
  • RT-AC1900P, RT-AC1900P firmware under
  • RT-AC87U (end-of-life)
  • RT-AC66U (end-of-life)
  • RT-AC56U (end-of-life)

Cyclops Blink features specialised modules that can read and write from the devices’ flash memory, allowing it to achieve persistence and withstand factory resets in addition to employing OpenSSL to encrypt connections with its command-and-control (C2) servers.

A second reconnaissance module acts as a medium for exfiltrating data from the hacked device to the C2 server, while a file download component is responsible for retrieving arbitrary payloads through HTTPS.

The malware has been affecting WatchGuard devices and Asus routers in the US, India, Italy, Canada and Russia since June 2019. A law firm in Europe, a medium-sized entity producing medical equipment for dentists in Southern Europe  and a plumbing company in the US are among the impacted hosts.

Finally the researchers concluded that ,” Once an IoT device has been infected with malware, an attacker can have uncontrolled internet access to download and deploy more stages of malware for spying, espionage, proxying, or anything else the attacker wants to do. In the case of Cyclops Blink, we’ve encountered devices that have been penetrated for more than 30 months (about two and a half years) and are being used as solid command-and-control servers for other bots.”

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s