Cyclops Blink Sets Sights on Asus Routers

Conclusion and security recommendations

Over the past few years, IoT attacks have been escalating globally and internet routers have been one of the primary targets. There are several reasons that these devices are favored by an attacker — the infrequency of patching, the lack of security software, and the limited visibility of defenders. Combined, these allow for the possibility of what we refer to as “eternal botnets.” Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do. The underlying operating systems for the majority of IoT devices is Linux, which is also used by many powerful systems tools. This can allow attackers to add anything else that they might need to complete their attacks. In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable C&C servers for other bots. 

The NCSC report covered malware targeting a specific vendor, namely WatchGuard. Based on our previous analysis of VPNFilter, we assumed that there were more vendors being attacked by this group. The vendors that were targeted by VPNFilter were Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL, and ZDE. In the case of Cyclops Blink, we received samples targeting Asus routers that were not previously reported on. The Asus version of the Cyclops Blink malware that we have analyzed showed some differences compared to the WatchGuard versions that have been previously discussed. The samples that we have analyzed are compiled for ARM and are dynamically linked against uClibc. They also contain a module that specifically targets Asus routers. Asus is likely only one of the vendors that is currently being targeted by Cyclops Blink. We have evidence that other routers are affected too, but as of reporting, we were not able to collect Cyclops Blink malware samples for routers other than WatchGuard and Asus. Looking into the malware and the infrastructure being used by Cyclops Blinks actors gives us some clues about the other vendors that might be affected and how widespread this malware is. By sharing this additional technical observation, we aim to help network defenders, as well as those likely to be targeted by APT groups (such as Sandworm), gain a more complete picture of the Cyclops Blink campaign. 

Based on our observation, we strongly believe that there are more targeted devices from other vendors. This malware is modular in nature and it is likely that each vendor has different modules and architectures that were thought out well by the Cyclops Blink actors. Moreover, the purpose of this botnet is still unclear: Whether it is intended to be used for distributed denial-of-service (DDoS) attacks, espionage, or proxy networks remains to be seen. But what is evident is that Cyclops Blink is an advanced piece of malware that focuses on persistence and the ability to survive domain sinkhole attempts and the takedown of its infrastructure. The APT group behind this malware has learned from its VPNFilter campaigns and continues to attack IoT devices such as routers. 

In the age of work-from-home (WFH) during the pandemic, it’s possible that espionage is part of the reason that IoT devices are still major targets for advanced attackers. The more routers are compromised, the more sources of powerful data collection — and avenues for further attacks — become available to attackers. Having a distributed infrastructure also makes it more difficult for cybersecurity teams to take down the whole attack. This is also why, after more than two years, there are still live VPNFilter hosts out there.  

Organizations can protect themselves from Cyclops Blink attacks by using strong passwords and re-examining their security measures. It is also important to ensure that only the services that absolutely need to be exposed to the internet are exposed. Access to these services should be limited, which can be achieved by configuring a virtual private network (VPN) that can access those services remotely. It’s also important to set reminders to check if devices such as routers, cameras, network-attached storage (NAS) devices, and other IoT devices have been patched or otherwise.  

If it is suspected that an organization’s devices have been infected with Cyclops Blink, it is best to get a new router. Performing a factory reset might blank out an organization’s configuration, but not the underlying operating system that the attackers have modified. If a particular vendor has firmware updates that can address a Cyclops Blink attack or any other weakness in the system, organizations should apply these as soon as possible. However, in some cases, a device might be an end-of-life product and will no longer receive updates from its vendor. In such cases, an average user would not have the ability to fix a Cyclops Blink infection.

While the Cyclops Blink malware variant that we analyzed in this report is complicated in nature, one thing proves to be unmistakable when it comes to the Sandworm group that created it: Sandworm is a persistent and sophisticated group whose motives are clearly at odds with those that would be expected from groups that are primarily financially motivated. Sandworm’s previous high-profile victims and their attacks’ substantial impact on these organizations are particularly worrying — even more so for a group that quickly learns from past errors, comes back stronger time and time again, and for whom international repercussions seem minimal at best.

The indicators of compromise (IOCs) can be found in this appendix.

Read More HERE