- Apr 1, 2019
The only option available might be a return to factory settings for infected routers.
The Cyclops Blink botnet is now targeting Asus routers in a new wave of cyberattacks.
Cyclops Blink, a modular botnet, is suspected of being the creation of Sandworm/Voodoo Bear, a Russian advanced persistent threat (APT) group.
Several weeks ago, the UK National Cyber Security Centre (NCSC) and the United States' Cybersecurity and Infrastructure Security Agency (CISA), alongside the NSA and FBI, warned of the botnet's existence.
According to the agencies, the APT is supported by the Russian General Staff Main Intelligence Directorate (GRU) and has been linked to the use of BlackEnergy malware against Ukraine's electricity grid, Industroyer, NotPetya, and cyberattacks against Georgia.
"Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers and network-attached storage (NAS) devices," the agencies warned.
This week, cybersecurity researchers from Trend Micro said that while the malware is "state-sponsored", it does not appear to be in active use against targets that would have Russia's state interests at heart.
The botnet is vast: over 150 past and current command-and-control (C2) server addresses have so far been traced to the network.
"If it is suspected that an organization's devices have been infected with Cyclops Blink, it is best to get a new router," Trend Micro added. "Performing a factory reset might blank out an organization's configuration, but not the underlying operating system that the attackers have modified."
The affected product list is below:
- GT-AC5300 firmware under 126.96.36.199.386.xxxx
- GT-AC2900 firmware under 188.8.131.52.386.xxxx
- RT-AC5300 firmware under 184.108.40.206.386.xxxx
- RT-AC88U firmware under 220.127.116.11.386.xxxx
- RT-AC3100 firmware under 18.104.22.168.386.xxxx
- RT-AC86U firmware under 22.214.171.124.386.xxxx
- RT-AC68U, AC68R, AC68W, AC68P firmware under 126.96.36.199.386.xxxx
- RT-AC66U_B1 firmware under 188.8.131.52.386.xxxx
- RT-AC3200 firmware under 184.108.40.206.386.xxxx
- RT-AC2900 firmware under 220.127.116.11.386.xxxx
- RT-AC1900P, RT-AC1900P firmware under 18.104.22.168.386.xxxx
- RT-AC87U (EOL)
- RT-AC66U (EOL)
- RT-AC56U (EOL)