Last Updated on 21/03/2022 by Nidhi Khandelwal
ASUS routers have become the target of a budding botnet known as Cyclops Blink, nearly a month after it was revealed that the malware was using WatchGuard firewall appliances as a stepping stone to gain remote access to infiltrated networks.
The botnet’s “primary objective is to develop an infrastructure for additional attacks on high-value targets,” according to Trend Micro, given that none of the infected hosts “belong to vital organisations, or those that have an obvious value on economic, political, or military espionage.”
Cyclops Blink has been identified by intelligence services in the United Kingdom and the United States as a replacement framework for VPNFilter, a malware that has targeted network equipment, especially small office/home office (SOHO) routers and network-attached storage (NAS) devices.
Sandworm (aka Voodoo Bear), a Russian state-sponsored actor linked to a number of high-profile intrusions, including the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games, has been linked to both VPNFilter and Cyclops Blink.
Cyclops Blink uses OpenSSL to encrypt connections with its command-and-control (C2) servers, and it ships specialized modules that can read from and write to the devices’ flash memory, which lets it persist on the device and survive factory resets.
A separate reconnaissance module serves as a conduit for exfiltrating data from the infected device to the C2 server, while a file download component retrieves arbitrary payloads over HTTPS.
The malware has been affecting WatchGuard devices and ASUS routers in the United States, India, Italy, Canada, and Russia since at least June 2019. A law firm in Europe, a medium-sized entity producing medical equipment for dentists in Southern Europe, and a plumbing company in the United States are among the impacted hosts.