Russian Cyclops Blink botnet launches assault against Asus routers

The only option available might be a return to factory settings for infected routers.
Written by Charlie Osborne, Contributing Writer

The Cyclops Blink botnet is now targeting Asus routers in a new wave of cyberattacks. 

Cyclops Blink, a modular botnet, is suspected of being the creation of Sandworm/Voodoo Bear, a Russian advanced persistent threat (APT) group. 

Several weeks ago, the UK National Cyber Security Centre (NCSC) and the United States' Cybersecurity and Infrastructure Security Agency (CISA), alongside the NSA and FBI, warned of the botnet's existence.

According to the agencies, the APT is supported by the Russian General Staff Main Intelligence Directorate (GRU) and has been linked to the use of BlackEnergy malware against Ukraine's electricity grid, Industroyer, NotPetya, and cyberattacks against Georgia. 

"Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers and network-attached storage (NAS) devices," the agencies warned

This week, cybersecurity researchers from Trend Micro said that while the malware is "state-sponsored", it does not appear to be inactive use against targets that would have Russia's state interests at heart.

The botnet is vast, and over 150 past and current command-and-control (C2) server addresses have been traced so far that they belong to the network. 

However, WatchGuard Firebox and Asus devices compromised by the botnet "do not belong to critical organizations, or those that have an evident value on economic, political, or military espionage" -- an important point to note considering the current invasion of Ukraine by Russia's military. 

Also: Cloudflare debuts Friendly Bot validation service

While the botnet is busy enslaving generic, open, and exposed devices online, Trend Micro suspects that amassing nodes could then be used to "build an infrastructure for further attacks on high-value targets."

First detected in 2019, Cyclops Blink is written in C and uses TCP to communicate with a C2 server. The malware makes use of OpenSSL encryption functions and will attempt to brute-force devices to obtain access.

The modular malware is able to read and write from a device's flash memory, enabling persistence. Trend Micro also says that these functions may allow it to "survive factory resets."

"Although it cannot be used as proof of attribution, the preceding code reminded us of a routine from the third-stage code of VPNFilter's process called "dstr" that was intended to "brick" the infected device," the researchers say. 

Other modules gather device information and allow the botnet to download and execute additional files from the web. 

"Asus is likely only one of the vendors that are currently being targeted by Cyclops Blink," the researchers say. "We have evidence that other routers are affected too, but as of reporting, we were not able to collect Cyclops Blink malware samples for routers other than WatchGuard and Asus."

In a security advisory published on March 17, Asus said it was aware of Cyclops Blink and is "investigating." 

The vendor has urged customers to reset their devices to a factory default setting, to update their products to the latest firmware, and to change any default administrator credentials to stronger options. In addition, Asus recommends that the Remote Management function, disabled by default, remains so. 

"If it is suspected that an organization's devices have been infected with Cyclops Blink, it is best to get a new router," Trend Micro added. "Performing a factory reset might blank out an organization's configuration, but not the underlying operating system that the attackers have modified."

The affected product list is below:

  • GT-AC5300 firmware under
  • GT-AC2900 firmware under
  • RT-AC5300 firmware under
  • RT-AC88U firmware under
  • RT-AC3100 firmware under
  • RT-AC86U firmware under
  • RT-AC68U, AC68R, AC68W, AC68P firmware under
  • RT-AC66U_B1 firmware under
  • RT-AC3200 firmware under
  • RT-AC2900 firmware under
  • RT-AC1900P, RT-AC1900P firmware under
  • RT-AC87U (EOL)
  • RT-AC66U (EOL)
  • RT-AC56U (EOL)

See also

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards