ASUS routers have been the target of a budding botnet known as Cyclops Blink, nearly a month after it was disclosed that the malware exploited WatchGuard firewall appliances as a stepping stone to obtain remote access to infiltrated networks. A new report by Trend Micro revealed that the botnet’s “main purpose is to build an infrastructure for further attacks on high-value targets,” given that none of the infected hosts belong to critical organizations or to ones with an evident value for economic, political, or military espionage.
Cyclops Blink has been identified by intelligence services in the United Kingdom and the United States as a replacement framework for VPNFilter, malware that targeted network equipment, especially small office/home office (SOHO) routers and network-attached storage (NAS) devices. Both VPNFilter and Cyclops Blink have been linked to Sandworm (aka Voodoo Bear), a Russian state-sponsored group. Sandworm has also been associated with many high-profile breaches, including the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympics.
The complex modular botnet, written in C, affects various ASUS router models, and the firm has acknowledged that it is working on a fix to address any potential exploitation. Cyclops Blink features specialized modules that can read from and write to the devices’ flash memory, allowing it to achieve persistence and survive factory resets, and it uses OpenSSL to encrypt connections with its command-and-control (C2) servers. A second, reconnaissance module acts as a conduit for exfiltrating data from the compromised device to the C2 server, while a file download component is responsible for receiving arbitrary payloads over HTTPS.
The malware has been affecting WatchGuard devices and ASUS routers in the United States, India, Italy, Canada, and Russia since June 2019. A law firm in Europe, a medium-sized corporation providing medical equipment for dentists in Southern Europe, and a plumbing company in the United States are among the impacted hosts. Because of the infrequency with which IoT devices and routers are patched and the lack of security software, Trend Micro has warned that this might lead to the establishment of “eternal botnets.”
“Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do,” as per the researchers. “In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable command-and-control servers for other bots.”