New Variant of Russian Cyclops Blink Botnet Targeting ASUS Routers

ASUS routers have emerged as the target of a nascent botnet called Cyclops Blink, almost a month after it was revealed the malware abused WatchGuard firewall appliances as a stepping stone to gain remote access to breached networks.

According to a new report published by Trend Micro, the botnet’s “main purpose is to build an infrastructure for further attacks on high-value targets,” given that none of the infected hosts “belong to critical organizations, or those that have an evident value on economic, political, or military espionage.”

Intelligence agencies from the U.K. and the U.S. have characterized Cyclops Blink as a replacement framework for VPNFilter, another malware that has exploited network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices.

Both VPNFilter and Cyclops Blink have been attributed to a Russian state-sponsored actor tracked as Sandworm (aka Voodoo Bear), which has also been linked to a number of high-profile intrusions, including that of the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games.

Written in the C language, the advanced modular botnet affects a number of ASUS router models, with the company acknowledging that it’s working on an update to address any potential exploitation –

  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (end-of-life)
  • RT-AC66U (end-of-life)
  • RT-AC56U (end-of-life)

Cyclops Blink, besides using OpenSSL to encrypt communications with its command-and-control (C2) servers, also incorporates specialized modules that can read and write from the devices’ flash memory, granting it the ability to achieve persistence and survive factory resets.

A second reconnaissance module serves as a channel for exfiltrating information from the hacked device back to the C2 server, while a file download component takes charge of retrieving arbitrary payloads optionally via HTTPS.

Since June 2019, the malware is said to have impacted WatchGuard devices and Asus routers located in the U.S., India, Italy, Canada, and Russia. Some of the affected hosts belong to a law firm in Europe, a medium-sized entity producing medical equipment for dentists in Southern Europe, and a plumbing company in the U.S.

With IoT devices and routers becoming a lucrative attack surface due to the infrequency of patching and the absence of security software, Trend Micro warned that this could lead to the formation of “eternal botnets.”

“Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do,” the researchers said.

“In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable command-and-control servers for other bots.”

Tagi:

Podziel się postem :)

Najnowsze:

Sprzęt

Superkomputer Athena uruchomiony w AGH. Jest najszybszy w Polsce

W centrum danych i serwerowni AGH uruchomiono superkomputer Athena, który jest najszybszą tego typu maszyną w Polsce i jednocześnie 105. na świecie. Ma teoretyczną moc obliczeniową przekraczającą 7,7 petaflopów – innymi słowy wykonuje 7,7 biliarda operacji zmiennoprzecinkowych na sekundę. Ministerstwo Edukacji i Nauki przekazało na ten projekt prawie 12 mln złotych.

Linux

Linux Kernel 6.0 dostępny. Wśród nowości wsparcie dla Intel Arc i Raptor Lake

Linux 6.0 to najnowsza wersja kernela, nad którą pracowało wielu ludzi. Linus Torvalds ogłosił dostępność platformy i wiemy, że wprowadza ona liczne nowości. Wśród nich jest wsparcie dla Intel Arc Alchemist oraz procesorów Raptor Lake. Linux 6.0 wprowadza też zaktualizowane sterowniki dla układów graficznych AMD RDNA 3.

Mobilne

Google Pixel 7 i Google Pixel 7 Pro. Znamy już wszystkie szczegóły. Warto czekać!

Google to nie tylko największa firma technologiczna znana z zarządzania najpopularniejszą wyszukiwarką na świecie. Gigant z Mountain View to również producent smartfonów Pixel, a najnowsza wersja tego urządzenia doczeka się wkrótce oficjalnej premiery. W sieci już teraz znaleźć można informacje o Pixel 7 i jego bardziej rozbudowanej wersji znanej pod nazwą Pixel 7 Pro.

Dodaj komentarz

Twój adres e-mail nie zostanie opublikowany.