
News Trend Micro: Cyclops Blink Sets Sights on Asus Routers

New update out for the AC86U.

25/03/22 - 3.0.0.4.386.48260

 
Thanks for the info. The list of routers is unchanged. The only difference between this advisory and the previous one is:

a) Wording has been clarified from "firmware under 3.0.0.4.386.xxxx" to "firmware = 3.0.0.4.384.xxxx or earlier version"

b) RT-AC3200 has changed from "firmware under 3.0.0.4.386.xxxx" to "We advise users to reset the router and disable remote connection. New firmware will be released soon." No doubt because the most recent firmware available for that model is 382.52545.

So the RT-AC3200 advice is all that's really changed.

I'm glad they cleared up the wording on the affected versions.
 
I have made a list of the IPs to add to Skynet. I'm guessing if Skynet starts blocking such outbound IPs then it's safe to assume that the router is compromised, but as you said this most likely keeps changing/adding new IPs.
https://github.com/fariajose/skynet/blob/main/Cyclops-Blink-CC-servers.txt

Code:
firewall banmalware https://raw.githubusercontent.com/fariajose/skynet/main/Cyclops-Blink-CC-servers.txt
or
Code:
firewall import blacklist https://raw.githubusercontent.com/fariajose/skynet/main/Cyclops-Blink-CC-servers.txt "Cyclops"


Thanks, I have added this list to (my installation of) Adguard Home.
 
Thanks, I have added this list to (my installation of) Adguard Home.

AdGuard Home is a DNS based blocker. This is an IP address blocklist. Are you sure it's working with AdGuard Home?
 
You need to use it with Skynet (IP-blocker), not with AdGuard (DNS-blocker).
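The distinction above (a DNS blocker never sees a connection made directly to an IP address, so an IP list has to go into an IP-level filter) and the earlier idea that a hit on an outbound destination is itself the signal worth watching can be shown in a few shell functions. This is an added example, not code from the thread or from the Skynet project: Skynet loads such a list into an ipset on the router, whereas this script only reproduces the parsing and matching logic so it can be run on any machine. The function names are made up for the example, and every address is constructed from the RFC 5737 documentation ranges rather than taken from the Trend Micro list.

```shell
#!/bin/sh
# Added example (not from the thread or Skynet): validate an IP/CIDR
# blocklist in the one-entry-per-line shape Skynet imports, then match
# observed outbound destinations against it. A match on an outbound
# destination is worth alerting on, not just dropping.
# All addresses are constructed from RFC 5737 documentation ranges.

# Print the 32-bit integer value of a dotted-quad IPv4 address.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if $1 is a well-formed IPv4 host or IPv4/prefix (0-32) entry.
valid_entry() {
  addr=${1%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32          # no slash: single host
  printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  printf '%s\n' "$prefix" | grep -Eq '^[0-9]{1,2}$' || return 1
  [ "$prefix" -le 32 ] || return 1
  for octet in $(printf '%s' "$addr" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Succeed if IPv4 address $1 falls inside list entry $2 (host or CIDR).
ip_in_entry() {
  valid_entry "$1" && valid_entry "$2" || return 1
  net=${2%/*}
  prefix=${2#*/}
  [ "$prefix" = "$2" ] && prefix=32
  mask=$(( 0xFFFFFFFF ^ ((1 << (32 - prefix)) - 1) ))   # prefix 0 -> mask 0
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Read a raw list on stdin; print valid entries, report the rest on stderr.
# Comments (#...) and blank lines are dropped, as a list importer would do.
clean_list() {
  while IFS= read -r line || [ -n "$line" ]; do
    entry=${line%%#*}
    entry=$(printf '%s' "$entry" | tr -d ' \t')
    [ -z "$entry" ] && continue
    if valid_entry "$entry"; then
      printf '%s\n' "$entry"
    else
      printf 'skipping malformed entry: %s\n' "$entry" >&2
    fi
  done
}

# Read "src dst" connection lines on stdin (e.g. pulled from conntrack) and
# print one line per connection whose destination matches list file $1.
flag_connections() {
  listfile=$1
  while read -r src dst _; do
    [ -z "$dst" ] && continue
    while IFS= read -r entry; do
      if ip_in_entry "$dst" "$entry"; then
        printf '%s -> %s matches %s\n' "$src" "$dst" "$entry"
        break
      fi
    done < "$listfile"
  done
}

# Demonstration on constructed data (no real C2 addresses).
LIST_FILE=$(mktemp)
CONN_FILE=$(mktemp)
printf '%s\n' \
  '# constructed sample list' \
  '192.0.2.10' \
  '198.51.100.0/24 # constructed range' \
  'not-an-ip' \
  '203.0.113.77' | clean_list > "$LIST_FILE"
printf '%s\n' \
  '10.0.0.1 198.51.100.42' \
  '10.0.0.1 192.0.2.10' \
  '10.0.0.1 203.0.113.5' > "$CONN_FILE"
flag_connections "$LIST_FILE" < "$CONN_FILE"
rm -f "$LIST_FILE" "$CONN_FILE"
```

Run as-is it prints the two constructed connections that hit the list and stays silent on the third; the malformed `not-an-ip` entry is reported on stderr instead of being silently loaded, which is the check you want before pushing a community-maintained list into a firewall.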
 
As this list of IP addresses comes from the Trend Micro document I think it's safe to assume that enabling AiProtection would have the same effect (and potentially be more up to date). I also suspect that Asus have employed "other protections" in the firmware that are active even without AiProtection being enabled.

Hey Colin,

this makes me think: is there a way to check the current lists used by AiProtection ?
 
I'd guess probably not, but then I don't use AiProtection so can't check that.
I see, thanks anyway. Sorry for the OT, my thinking about it is that I don't rely on it too much (or slightly a bit less if possible). But then I also wonder if it does any harm. Perhaps on performance? (Though this month I upgraded to an AX88U just to overcome any performance limit, as much as I can at least).
Anyway, for good measure, I've imported @faria's list into Skynet (thanks faria!) and tested it working as expected with a simple ping. It won't be enough, but it shouldn't harm either.
 
Another Asus Cyclops update on their security advisory page:

04/01/2022 Security Advisory update for Cyclops Blink
ASUS has released new firmware that included more security measures to block malware.
ASUS strongly recommends that users update the firmware to the latest version.
To check the latest version, please visit the relevant ASUS support website. Download links are in the below table.
If you have already installed the latest firmware version, please disregard this notice.
Should you have any question or concerns, please contact ASUS via our Security Advisory reporting system: https://www.asus.com/securityadvisory/
For further help with router setup and an introduction to network security, please visit
https://www.asus.com/support/FAQ/1008000
https://www.asus.com/support/FAQ/1039292
 
This is the FBI patching the malware remotely on ASUS routers. So, I guess if you have not upgraded your ASUS router then the FBI patched it for you if you had the malware. I am not sure how it works but the article seems to imply they did it.
 
This is the FBI patching the malware remotely on ASUS routers. So, I guess if you have not upgraded your ASUS router then the FBI patched it for you if you had the malware. I am not sure how it works but the article seems to imply they did it.
There's some better reporting here and here. Looks like they neutralised the network by taking down the C&C servers, but didn't touch the infected bot devices:
The operation did not, however, access the remote-control Cyclops Blink malware on thousands of individual devices worldwide.
Reading between the lines it seems like most of the C&C servers were WatchGuard devices.
 
Dear Sir,
Would you please give us a Asus rt-ac3200 cyclops blink fixed version (merlin firmware)?

I have 3 Asus rt-ac3200 routers with my brother and sister.

Thank you very much.

Best Regards, James.
 
Merlin no longer supports that model. You need to go back to ASUS official firmware which was updated for this issue.

It should be noted that not using the latest firmware will leave you vulnerable to any other exploits that are around. You need to change back to ASUS firmware or buy new routers.
 
More news on Cyclops Blink:

Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU)
The Justice Department today announced a court-authorized operation, conducted in March 2022, to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm, which the U.S. government has previously attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU). The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as “bots,” the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control.

Feds take down Kremlin-backed Cyclops Blink botnet

National Cyber Security Centre: Cyclops Blink Malware Analysis Report (23 Feb 2022)
 
I don't get the idea that the FBI was patching our routers. However, WatchGuard coordinated with the FBI to let them access their devices. None of the articles are very clear.
What about the ASUS routers that there are no more new updates for? How were they patched?
 