The latest version of the Russian Cyclops Blink botnet targets ASUS routers, this was discovered almost a month after the malware abused WatchGuard firewall appliances as a stepping stone to gain remote access to breached networks.
Trend Micro in their report mentioned the main purpose of the botnet “is to build an infrastructure for further attacks on high-value targets.” With no infected hosts belonging to “critical organizations, or those that have an evident value on economic, political, or military espionage.”
Cyclops Blink botnet was looked at as a replacement framework for VPNFilter, by intelligence agencies from UK and USA. VPNFilter is yet another malware used to exploit network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices.
Sandworm (aka Voodoo Bear), a Russian state-sponsored threat actor, has been credited with both VPNFilter and Cyclops Blink. The group has also been linked with a number of other high-profile intrusions. This includes the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games.
The malware is coded using C language and has been taking down a number of ASUS router models. ASUS has acknowledged the vulnerability and is working on fixing any potential exploitation
Various ASUS router models vulnerable to the attack
- GT-AC5300 firmware under 188.8.131.52.386.xxxx
- GT-AC2900 firmware under 184.108.40.206.386.xxxx
- RT-AC5300 firmware under 220.127.116.11.386.xxxx
- RT-AC88U firmware under 18.104.22.168.386.xxxx
- RT-AC3100 firmware under 22.214.171.124.386.xxxx
- RT-AC86U firmware under 126.96.36.199.386.xxxx
- RT-AC68U, AC68R, AC68W, AC68P firmware under 188.8.131.52.386.xxxx
- RT-AC66U_B1 firmware under 184.108.40.206.386.xxxx
- RT-AC3200 firmware under 220.127.116.11.386.xxxx
- RT-AC2900 firmware under 18.104.22.168.386.xxxx
- RT-AC1900P, RT-AC1900P firmware under 22.214.171.124.386.xxxx
- RT-AC87U (end-of-life)
- RT-AC66U (end-of-life)
- RT-AC56U (end-of-life)
Cyclops Blink also incorporates specialized modules that can read and write from the devices’ flash memory along with OpenSSL to encrypt communications with its command-and-control (C2) servers. This grants it the ability to achieve persistence and survive factory reset.
The exfiltrated information from the hacked device back to the C2 server is channelized using a second reconnaissance module, while the file download component takes control of retrieving arbitrary payloads optionally via HTTPS.
WatchGuard devices and Asus routers have been infiltrated by the malware since June 2019 in the U.S., India, Italy, Canada, and Russia. While some of the victims belong to a law firm in Europe, a medium-sized entity producing medical equipment for dentists in Southern Europe, and a plumbing company in the U.S.
TrendMicro further explained, with the IoT devices and routers being lucrative targets since they are not frequently patched or missing security software, may be the reason for the formation of “eternal botnets.”
According to the researchers, “Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do. In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable command-and-control servers for other bots.”
Lapsus$ Gang Climbing up the Success Ladder with More Victims
New Infinite Loop Bug in OpenSSL May Allow Attackers Crash Remote Servers
Russian Hackers Exploiting MFA and PrintNightmare Bug – Says FBI, CISA