Menu
What's new
By:
Filters Better Search

News Trend Micro: Cyclops Blink Sets Sights on Asus Routers

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

ASUS Product Security Advisory:

03/17/2022 Security Advisory for Cyclops Blink
ASUS is investigating and working for a remediation for Cyclops Blink and will continue to post software update.

To help owners of these routers take necessary precautions, we compiled a security checklist:
(1) Reset the device to factory default: Login into the web GUI(http://router.asus.com) , go to Administration → Restore/Save/Upload Setting, click the “Initialize all the setting and clear all the data log”, and then click Restore button”
(2) Update all devices to the latest firmware.
(3) Ensure default admin password had been changed to a more secure one.
(4) Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).

Affected products

GT-AC5300 firmware under 3.0.0.4.386.xxxx
GT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC5300 firmware under 3.0.0.4.386.xxxx
RT-AC88U firmware under 3.0.0.4.386.xxxx
RT-AC3100 firmware under 3.0.0.4.386.xxxx
RT-AC86U firmware under 3.0.0.4.386.xxxx
RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
RT-AC3200 firmware under 3.0.0.4.386.xxxx
RT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
RT-AC87U (EOL)
RT-AC66U (EOL)
RT-AC56U (EOL)

Please note that if you choose not to install this new firmware version then, to avoid any potential unwanted intrusion, we strongly recommend that you disable remote access from WAN and reset your router to its default settings.

If you have already installed the latest firmware version, please disregard this notice.

Should you have any question or concerns, please contact ASUS via our Security Advisory reporting system:
https://www.asus.com/securityadvisory

For further help with router setup and an introduction to network security, please visit
https://www.asus.com/support/FAQ/1008000
https://www.asus.com/support/FAQ/1039292
Click to expand...
 
cptnoblivious said:
So it sounds like you need firmware at or above 3.0.0.4.386.xxxx

Or any of the 386 based Merlin versions?
Click to expand...
I’m guessing xxxx is a placeholder until they publish a new firmware.
 
cptnoblivious said:
I'm wondering about that because it says affected version are below .386.xxxx, so anything with .386.wxyz should be fixed.
Click to expand...
I’m assuming the worst that everything is vulnerable until the next Asus firmware release. But there isn’t any public information about the attack vector, AFAIK. Just broad recommendations to reset to defaults, flash latest firmware, and disable remote WAN access.

Asus’ own advisory states:
ASUS is investigating and working for a remediation for Cyclops Blink and will continue to post software update.
Click to expand...
 
Last edited:
dave14305 said:
flash latest firmware,
Click to expand...
I would like to emphasize that. As the Trend Micro white paper mentioned, this malware does write directly to the flash. So, victims should REFLASH their current firmware even if there is no newer firmware available.
 
Moved to the Security forum because this is larger than only Asus routers.
 
RMerlin said:
I would like to emphasize that. As the Trend Micro white paper mentioned, this malware does write directly to the flash. So, victims should REFLASH their current firmware even if there is no newer firmware available.
Click to expand...
Like VPNFilter the question for most people is how do you even figure out you're a victim?
 
Paliv said:
Like VPNFilter the question for most people is how do you even figure out you're a victim?
Click to expand...
Trend Micro published a python script that can be used to test (however it requires you to have a Linux host to use it). It's in the appendix of their whitepaper, along with a list of known C&C IPs.

They also mention the presence of a process called [ktest].
 
RMerlin said:
Trend Micro published a python script that can be used to test (however it requires you to have a Linux host to use it). It's in the appendix of their whitepaper, along with a list of known C&C IPs.

They also mention the presence of a process called [ktest].
Click to expand...
I think the python script is only meant to determine if a remote IP is a C&C server for the malware, not if the router is infected.
 
dave14305 said:
I think the python script is only meant to determine if a remote IP is a C&C server for the malware, not if the router is infected.
Click to expand...
That would make sense. I had a quick glance at it, and found it a bit confusing.
 
dave14305 said:
I think the python script is only meant to determine if a remote IP is a C&C server for the malware, not if the router is infected.
Click to expand...
Indeed:
To validate a host suspected of being a Cyclops Blink C&C server, we wrote a script that would perform the TLS handshake, send a 4-byte packet, and wait for the 4-byte response from the server. The source code for the script is as follows:
Click to expand...
 
dave14305 said:
I’m assuming the worst that everything is vulnerable until the next Asus firmware release. But there isn’t any public information about the attack vector, AFAIK. Just broad recommendations to reset to defaults, flash latest firmware, and disable remote WAN access.

Asus’ own advisory states:
Click to expand...
Always good to assume the worst.

When reading the Asus advisory they state (towards the end) "If you have already installed the latest firmware version, please disregard this notice."

Would be great to get a confirmation of course :)
 
WRobertE said:
I read the advisory as saying 3.0.0.4.386.xxxx was vulnerable. @RMerlin ... can you clarify?
Click to expand...

The operative word is under ..... in other words, anything OLDER than 3.0.0.4.386.xxxx


firmware under 3.0.0.4.386.xxxx

^^^^^

Vulnerable ASUS devices​

In an advisory released today, ASUS warns that the following router models and firmware versions are vulnerable to Cyclops Blink attacks:

  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (EOL)
  • RT-AC66U (EOL)
  • RT-AC56U (EOL)
 
You must log in or register to reply here.

Similar threads

B
Can a VPN from a desktop client hide activity from Trend Micro on ASUS routers
Replies
8
Views
5K
ColinTaylor
C
GK59
"Privacy issues with Trend Micro software in Asus routers"
Replies
2
Views
8K
AndreiV
A

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 778 (members: 33, guests: 745)
Top