Feared Sandworm gang attacks Westerners in their own backyards
More than a dozen Asus routers have been infected by malware that was first discovered last month in WatchGuard’s Firebox small-business network-security appliances, according to Trend Micro. So far, infected devices have been found in the United States, Italy, Canada, and Russia.
Even worse, according to Trend Micro, the problem may not be limited to Asus routers alone!
Researchers Feike Hacquebord, Stephen Hilt, and Fernando Merces found indications that other routers are also at risk, but they were unable to obtain Cyclops Blink samples for routers other than WatchGuard and Asus. As the report’s authors put it, “This malware is modular in design, and it is quite probable that each vendor has distinct modules and architectures that were well-thought out by the perpetrators.”
Sandworm has struck again
Cyclops Blink (also written CyclopsBlink) is believed to be developed and operated by the Sandworm group, which is in turn attributed to Russian military intelligence. Attacks against Ukrainian power stations in 2014 brought the Sandworm gang (the name is a Dune reference) into the public eye.
Another significant ransomware-worm assault in June 2017 that was likely orchestrated by the Sandworm gang was the so-called “Petya” (or “NotPetya”) worm wave. This attack began in Ukraine but swiftly spread over the globe. Sandworm is the subject of a whole book.
The true precursor of Cyclops Blink, however, is VPNFilter, a router-based botnet built by the Sandworm gang in the summer of 2018 that targeted Asus, D-Link, Linksys, MikroTik, Netgear, and Ubiquiti routers. VPNFilter persists on routers that have never been updated with fresh firmware.
According to Trend Micro’s experts, the Cyclops Blink hackers aren’t really after the Asus routers. They may instead be being prepped for use in bigger strikes linked to the current Russian-Ukrainian conflict.
According to the researchers, even though Cyclops Blink is a state-sponsored botnet, its command-and-control servers and bots affect devices that do not belong to critical organisations, or that have obvious value for economic, political, or military espionage.
The Cyclops Blink botnet might be used to create a foundation for future assaults on high-value targets, according to the researchers.
Cyclops Blink is a threat to ASUS routers.
Rebooting the router won’t remove Cyclops Blink, because the malware persists across restarts. Resetting a susceptible ASUS router to factory defaults and then updating the router’s firmware is the only way to fully clean the device.
The names and passwords of your home wifi networks should be recorded before you do a factory reset. After that, re-configure the router using the same network information so that all of your devices may re-establish a connection.
The following is a list of ASUS routers that have been found to be susceptible because they run vulnerable firmware.
The final three devices have been designated “end of life” (EOL), so they will not receive a fix for Cyclops Blink. If you own one of those three, now is the time to replace it; our list of the best Wi-Fi routers can help you pick a successor.
- GT-AC5300 firmware under 184.108.40.206.386.xxxx
- GT-AC2900 firmware under 220.127.116.11.386.xxxx
- RT-AC5300 firmware under 18.104.22.168.386.xxxx
- RT-AC88U firmware under 22.214.171.124.386.xxxx
- RT-AC3100 firmware under 126.96.36.199.386.xxxx
- RT-AC86U firmware under 188.8.131.52.386.xxxx
- RT-AC68U, AC68R, AC68W, AC68P firmware under 184.108.40.206.386.xxxx
- RT-AC66U_B1 firmware under 220.127.116.11.386.xxxx
- RT-AC3200 firmware under 18.104.22.168.386.xxxx
- RT-AC2900 firmware under 22.214.171.124.386.xxxx
- RT-AC1900P, RT-AC1900P firmware under 126.96.36.199.386.xxxx
- RT-AC87U (EOL)
- RT-AC66U (EOL) (also affected by VPNFilter)
- RT-AC56U (EOL)
According to the ASUS security advisory, you can disregard this message if you have already installed the most recent firmware version. However, since Trend Micro found evidence that Cyclops Blink has been stealthily infecting devices “since at least June 2019,” a factory reset of your router, while not strictly necessary, is still recommended.
We’ve added additional explanations to ASUS’ instructions:
- Reset the router to factory defaults. In the web GUI (http://router.asus.com), go to Administration > Restore/Save/Upload Setting, tick “Initialize all settings and erase all data logs,” then click Restore.
- Your router’s firmware should be updated. Here are the ASUS instructions for updating the firmware.
- Change the default administrator password to keep attackers out of the router’s admin interface. Do not reuse your Wi-Fi network password as the admin login credentials.
- “Remote Management” should be disabled in the router’s Advanced Settings. By default, it should be turned off.