ASUS routers have emerged as the target of a nascent botnet called Cyclops Blink, almost a month after it was revealed the malware abused WatchGuard firewall appliances as a stepping stone to gain remote access to breached networks.
According to a new report published by Trend Micro, the botnet's "main purpose is to build an infrastructure for further attacks on high-value targets," given that none of the infected hosts "belong to critical organizations, or those that have an evident value on economic, political, or military espionage."
Intelligence agencies from the U.K. and the U.S. have characterized Cyclops Blink as a replacement framework for VPNFilter, another malware that has exploited network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices.
Both VPNFilter and Cyclops Blink have been attributed to a Russian state-sponsored actor tracked as Sandworm (aka Voodoo Bear), which has also been linked to a number of high-profile intrusions, including that of the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games.
Written in the C language, the advanced modular botnet affects a number of ASUS router models, with the company acknowledging that it's working on an update to address any potential exploitation –
- GT-AC5300 firmware under 126.96.36.199.386.xxxx
- GT-AC2900 firmware under 188.8.131.52.386.xxxx
- RT-AC5300 firmware under 184.108.40.206.386.xxxx
- RT-AC88U firmware under 220.127.116.11.386.xxxx
- RT-AC3100 firmware under 18.104.22.168.386.xxxx
- RT-AC86U firmware under 22.214.171.124.386.xxxx
- RT-AC68U, AC68R, AC68W, AC68P firmware under 126.96.36.199.386.xxxx
- RT-AC66U_B1 firmware under 188.8.131.52.386.xxxx
- RT-AC3200 firmware under 184.108.40.206.386.xxxx
- RT-AC2900 firmware under 220.127.116.11.386.xxxx
- RT-AC1900P, RT-AC1900P firmware under 18.104.22.168.386.xxxx
- RT-AC87U (end-of-life)
- RT-AC66U (end-of-life), and
- RT-AC56U (end-of-life)
Cyclops Blink, besides using OpenSSL to encrypt communications with its command-and-control (C2) servers, also incorporates specialized modules that can read and write from the devices' flash memory, granting it the ability to achieve persistence and survive factory resets.
A second reconnaissance module serves as a channel for exfiltrating information from the hacked device back to the C2 server, while a file download component takes charge of retrieving arbitrary payloads optionally via HTTPS.
The exact mode of initial access is currently not known, but Cyclops Blink is said to have impacted WatchGuard devices and Asus routers located in the U.S., India, Italy, Canada, and Russia since June 2019. Some of the affected hosts belong to a law firm in Europe, a medium-sized entity producing medical equipment for dentists in Southern Europe, and a plumbing company in the U.S.
With IoT devices and routers becoming a lucrative attack surface due to the infrequency of patching and the absence of security software, Trend Micro warned that this could lead to the formation of "eternal botnets."
"Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do," the researchers said.
"In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable command-and-control servers for other bots."