Cyclops Blink Botnet Targets ASUS Routers and WatchGuard Devices

Cyclops Blink Botnet, which is associated with Russian state-backed Sandworm APT, has been found to target Asus Routers and WatchGuard Firebox devices with a new attack campaign. A statement on the Cyclops Botnet has recently been published in a joint effort by the UK National Cyber Security Center (NCSC), CISA, NSA, and FBI.

First spotted in 2019, the Cyclops Blink Botnet is written in C and uses the TCP protocol to communicate with the command and control (C2) server. The malware uses OpenSSL functions to encrypt the intercepted data and uses Brute Force techniques to access the targeted systems. In addition, Cyclops Blink includes modules responsible for ensuring persistence on the target system, downloading additional payloads, and transferring data to C&C servers. These modules are as follows;

Asus (0x38): This module enables devices to read/write from flash memory. Flash memory is used by devices to store the operating system, configuration, and all files in the file system. And since the flash memory content is persistent, this module is used to ensure persistence on the target system and disable the factory reset feature.

System Reconnaissance (0x08): This module is responsible for sending information from infected devices to the C&C server. Some information from an infected device is as follows; 

  • Current Linux version, 
  • Memory consumption information belongs to the device 
  • The content of the following files; 
    • /etc/passwd, 
    • /etc/group, 
    • /proc/mounts, 
    • /proc/partitions 
  • The information about the network interfaces. 

File Download (0x0f): This module is responsible for downloading additional files and payloads from the internet.

It is known that Cyclops Blink is targeting other security solution providers besides Asus and WatchGuard. Still, the relevant companies are not yet informed as sufficient malware samples have not been obtained yet. Regarding this issue, Asus made a statement stating that they were aware of the attacks in question and that investigations into the campaign were continuing. It is recommended to reset the devices used to factory default settings, apply the latest updates immediately, and change the default administrator credentials using powerful policies not to be the target of attacks that can be carried out using the malware. In addition, Asus recommends keeping the Remote Management function disabled, which is disabled by default.

Share This: