Sunday, January 26, 2025
HomeCyber Security NewsRussia Based Cyclops Blink Malware Targeting ASUS Routers Models

Russia Based Cyclops Blink Malware Targeting ASUS Routers Models

Published on

SIEM as a Service

Follow Us on Google News

ASUS has recently published a security advisory containing mitigation measures for the Russian-linked Cyclops Blink threat that has affected various of its router models. 

Several researchers suspect that Cyclops Blink, a modular botnet, was created by Sandworm/Voodoo Bear, a Russian APT group. In order to accumulate information about high-value targets for further attacks, the botnet’s purpose is to build an infrastructure.

While apart from this, its modularity means its scope is constantly refreshed, and it can exploit a larger range of devices.

Cyclops Blink Targets ASUS Routers

The U.K. and the U.S. intelligence agencies identify Cyclops Blink as a successor to VPNFilter, another malware that targets network devices like:- 

  • Small office/home office (SOHO) routers
  • Network Attachment Storage Devices (NAS)

Several multiple ASUS routers are targeted by the threat actors by exploiting the Cyclops Blink, and this malware allows the threat actors to read the flash memory to collect data about:-

  • Critical files
  • Executables
  • Confidential data
  • Libraries

Not only that, even upon receiving a command, the malware is told to nest in the flash memory, which is immutable even after the factory resets.

Since this malware has its root links with the elite hacking group, Sandworm, so, it’s likely possible that in the future, they could target the other router manufacturers as well.

Affected ASUS Routers

Here below we have mentioned all the affected or vulnerable ASUS routers:-

  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (EOL)
  • RT-AC66U (EOL)
  • RT-AC56U (EOL)

This malware creates a rule in Netfilter for all the hard-coded TCP ports that are used to communicate with the C&C servers. And under this rule, there are four parameters, and here they are mentioned below:-

  • Protocol: TCP
  • Chain: filter
  • Table: OUTPUT
  • Action: ACCEPT
  • Destination ports: 636, 994, and 995

However, when all these parameters are initialized, through pipes, they send all the essential information to the Cyclops’ modules, and they contain the following type of data:-

  • A “<p: ” string header.
  • The pipe of the core component.
  • All C&C IP addresses and ports.
  • Local IP address.
  • Interval for C&C server communication.
  • When the next packet to be sent to a C&C server is.
  • Main process PID.
  • A hard-coded ID.
  • Parameters are pushed to the modules, which are initialized at this point.

ASUS and WatchGuard devices have been infected with the malware since June 2019 in the following:-

  • U.S.
  • Canada
  • India
  • Italy
  • India
  • Russia

In Europe, hosts associated with a law firm, a mid-sized dental equipment manufacturer in Southern Europe, and a United States plumbing company were affected.

As a result of patches being infrequent and security software not being installed, the Internet of Things devices and routers are becoming lucrative targets for the threat actors. 

Due to these vulnerable factors, Trend Micro has warned that this could lead to the formation of “everlasting botnets.”

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...