
ASUS has released a security advisory providing information and mitigations for Cyclops Blink, malware attributed to the Russian-linked advanced persistent threat (APT) group Sandworm (also known as Voodoo Bear).

According to a report by Trend Micro, researchers acquired a variant of Cyclops Blink that targets multiple ASUS router models and is believed to establish persistence on the affected device.

At the time of writing, ASUS is currently working on remediation and will continue to post software updates.

______________________________

A. Nature of Attack

The state-sponsored botnet malware Cyclops Blink is modular and written in C. It abuses the legitimate firmware update process and maintains system access and persistence by injecting malicious code and installing repacked firmware images. The malware is deployed together with modules developed to download and execute additional files from a remote command and control (C2) server, collect and send general system information, and update the malware itself. The ASUS-specific module can also extract SSD storage information and information about network interfaces.

______________________________

B. Affected ASUS Routers

  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (EOL)
  • RT-AC66U (EOL)
  • RT-AC56U (EOL)
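
The following inventory check is an added example and is not part of the CERT-PH or ASUS advisory: it maps the affected-model list above to a status per device, treating any firmware below the 3.0.0.4.386 branch as affected and EOL models as affected regardless of version. It assumes the AC68R/AC68W/AC68P entries are the RT-AC68 variants and that inventory data is available as "model,firmware" lines (the sample inventory is constructed).

```python
# Added example (not from the advisory): assess an ASUS router inventory
# against section B. Firmware strings such as "3.0.0.4.384.81992" are compared
# numerically against the 3.0.0.4.386 branch; EOL models have no fix.
from typing import Optional

# Models fixed only by firmware in the 3.0.0.4.386 branch or newer.
# Assumption: AC68R/AC68W/AC68P in the advisory are the RT-AC68 variants.
SUPPORTED_MODELS = {
    "GT-AC5300", "GT-AC2900", "RT-AC5300", "RT-AC88U", "RT-AC3100", "RT-AC86U",
    "RT-AC68U", "RT-AC68R", "RT-AC68W", "RT-AC68P", "RT-AC66U_B1", "RT-AC3200",
    "RT-AC2900", "RT-AC1900P",
}
EOL_MODELS = {"RT-AC87U", "RT-AC66U", "RT-AC56U"}  # no fixed firmware exists
MIN_SAFE_BRANCH = (3, 0, 0, 4, 386)

def parse_version(fw: str) -> tuple:
    """Turn '3.0.0.4.386.45934' into a comparable tuple of integers."""
    return tuple(int(p) for p in fw.strip().split("."))

def assess(model: str, firmware: Optional[str]) -> str:
    """Return 'eol', 'affected', 'patched' or 'not-listed' for one device."""
    model = model.strip().upper()
    if model in EOL_MODELS:
        return "eol"
    if model not in SUPPORTED_MODELS:
        return "not-listed"
    if not firmware or not firmware.strip():
        return "affected"  # unknown firmware: treat as vulnerable until verified
    # Only the branch prefix matters; the trailing build number is ignored.
    return "patched" if parse_version(firmware)[:5] >= MIN_SAFE_BRANCH else "affected"

# Constructed sample inventory, one "model,firmware" line per device.
SAMPLE_INVENTORY = """\
RT-AC68U,3.0.0.4.384.81992
RT-AC86U,3.0.0.4.386.45934
RT-AC66U,3.0.0.4.382.51938
RT-AX88U,3.0.0.4.386.46061
GT-AC5300,
"""

def assess_inventory(text: str) -> dict:
    """Map each non-blank inventory line to its status."""
    results = {}
    for line in text.splitlines():
        if line.strip():
            model, _, fw = line.partition(",")
            results[model.strip()] = assess(model, fw)
    return results

if __name__ == "__main__":
    for model, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{model:12s} {status}")
```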

______________________________

C. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Follow the security mitigation provided by ASUS.
    • Reset the device to factory default: log in to the web GUI (http://router.asus.com), go to Administration → Restore/Save/Upload Setting, tick “Initialize all the setting and clear all the data log”, and then click the Restore button.
    • Update all devices to the latest firmware.
    • Ensure the default admin password has been changed to a more secure one.
    • Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).
  • Regularly check this page for the latest security updates for ASUS products.
  • Review and apply the patch as soon as it’s available.
  • Proactively monitor and secure identified systems and devices for any suspicious/malicious activities.
  • In addition, provide employees with cybersecurity knowledge and training to minimize the attack surface.
  • For additional information and the complete list of IOCs, kindly refer to the official advisories:
    • https://www.asus.com/content/ASUS-Product-Security-Advisory/
    • https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers–.html
    • https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyclops-blink-sets-sights-on-asus-routers/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf