New Variant of Russian Cyclops Blink Botnet Targeting ASUS Routers

ASUS routers have emerged as the target of a nascent botnet called Cyclops Blink, almost a month after it was revealed the malware abused WatchGuard firewall appliances as a stepping stone to gain remote access to breached networks.

According to a new report published by Trend Micro, the botnet’s “main purpose is to build an infrastructure for further attacks on high-value targets,” given that none of the infected hosts “belong to critical organizations, or those that have an evident value on economic, political, or military espionage.”

Intelligence agencies from the U.K. and the U.S. have characterized Cyclops Blink as a replacement framework for VPNFilter, another malware that has exploited network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices.

Both VPNFilter and Cyclops Blink have been attributed to a Russian state-sponsored actor tracked as Sandworm (aka Voodoo Bear), which has also been linked to a number of high-profile intrusions, including that of the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games.

Written in the C language, the advanced modular botnet affects a number of ASUS router models, with the company acknowledging that it’s working on an update to address any potential exploitation –

  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (end-of-life)
  • RT-AC66U (end-of-life)
  • RT-AC56U (end-of-life)

Cyclops Blink, besides using OpenSSL to encrypt communications with its command-and-control (C2) servers, also incorporates specialized modules that can read and write from the devices’ flash memory, granting it the ability to achieve persistence and survive factory resets.

A second reconnaissance module serves as a channel for exfiltrating information from the hacked device back to the C2 server, while a file download component takes charge of retrieving arbitrary payloads optionally via HTTPS.

Since June 2019, the malware is said to have impacted WatchGuard devices and Asus routers located in the U.S., India, Italy, Canada, and Russia. Some of the affected hosts belong to a law firm in Europe, a medium-sized entity producing medical equipment for dentists in Southern Europe, and a plumbing company in the U.S.

With IoT devices and routers becoming a lucrative attack surface due to the infrequency of patching and the absence of security software, Trend Micro warned that this could lead to the formation of “eternal botnets.”

“Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do,” the researchers said.

“In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable command-and-control servers for other bots.”

Tagi:

Podziel się postem :)

Najnowsze:

Militaria

Wyrzutnie rakietowe HIMARS już w Ukrainie. Zobacz je w akcji!

Jak poinformował ukraiński rząd, pierwsze systemy artylerii rakietowej HIMARS są już w rękach ukraińskich żołnierzy. Broń trafiła tam w ramach pomocy wojskowej Stanów Zjednoczonych i w sieci pojawiło się już nagranie rzekomo prezentujące je w akcji.

Mobilne

Aplikacje, które pomogą uniknąć mandatu podczas wakacji. Poznaj je!

Zbliżające się wakacje wiążą się z wyjazdami, a wiele osób decyduje się na podróż własnym autem. Warto jednak mieć na uwadzę, że rok 2022 stoi pod znakiem podwyżek i dotyczy to również kar za przekroczenie prędkości na polskich drogach. O “mandatach grozy” z pewnością usłyszymy tego lata wielokrotnie, a dzięki tym aplikacjom kierowcy z wyprzedzeniem dostaną informację o najbliższych fotoradarach.

Oprogramowanie

W jakim stopniu przeglądarki są dziś zgodne ze standardem HTML?

Dyskusje na temat zgodności przeglądarek z HTML5 całkowicie ucichły. Wróciliśmy do sytuacji sprzed dwóch dekad, gdy rozpatrywano jedynie zgodność stron z przeglądarką, a nie standardem. Czyżby wszyscy byli już zgodni z HTML5?

Dodaj komentarz

Twój adres e-mail nie zostanie opublikowany.