Your ASUS router is in danger from this virus: protect it and avoid being hacked

The manufacturer ASUS has released a security advisory because malware known as Cyclops Blink is actively attacking its routers around the world. This malware is linked to a Russian-backed hacking group and is targeting home and small/medium office devices to infect them and gain full control over them. If you are infected by this new virus, it will still be present even if you reset the router to factory settings. Do you want to know which routers are affected and how you can eliminate it?

What is this virus doing on my ASUS router?

This new malware infects some vulnerable ASUS router models: it is able to exploit a vulnerability to enter the router and install itself persistently. This means that if you reset the router, it will go back to factory settings but the Cyclops Blink malware will still be present and will not be removed, which is quite a big problem for the vast majority of users. This new virus is modular, so it can have multiple targets, and in recent days a new module that infects ASUS routers has been detected, according to TrendMicro.

We must remember that TrendMicro is the cybersecurity company that provides security for ASUS routers through ASUS AiProtection and AiProtection Pro. This TrendMicro technology protects customers against Internet threats and includes a powerful bidirectional Intrusion Prevention System (IPS).

This malware can read the flash memory of the ASUS router to collect information about critical files, executables, data and libraries. Subsequently, the malware receives a command to install itself in this flash memory and establish permanent persistence, since this space is not erased by the typical factory RESET. Right now this malware is spreading widely, so it is very important that you properly protect your ASUS router. It is very likely that this malware will soon include a module to attack other routers used in homes and in small and medium-sized offices.

Affected ASUS router models

In its security advisory, ASUS has detailed all router models that could be affected by this malware. Here are all the affected models:

  • GT-AC5300
  • GT-AC2900
  • RT-AC5300
  • RT-AC88U
  • RT-AC3100
  • RT-AC86U
  • RT-AC68U, AC68R, AC68W, AC68P
  • RT-AC66U_B1
  • RT-AC3200
  • RT-AC2900
  • RT-AC1900P, RT-AC1900P
  • RT-AC87U (EOL)
  • RT-AC66U (EOL)
  • RT-AC56U (EOL)

EOL models will not receive a firmware update, so you should replace the router as soon as possible to avoid being infected by this malware. However, it is possible that ASUS will make an exception and release an emergency firmware in a few weeks to solve these problems.

As you can see, most of the manufacturer's Wi-Fi 5 routers are affected by this malware, so we recommend that you watch closely for new firmware updates that mitigate this problem.

What can I do to protect my ASUS router?

If you have not been infected by this malware, you should do the following to prevent infection:

  • Update to the latest firmware version available, and keep a close eye on new updates.
  • Make sure the administration password is strong and not easy to guess.
  • Disable remote management of the router, either through the web via HTTP/HTTPS or through SSH.
  • Disable AiCloud 2.0 on the router.

If you have already been infected by this malware, then you should do the following:

  • Manually re-flash the router with a firmware, either the current one or a new one. Doing this should overwrite the part of the flash memory where the malware resides. Although some sites indicate that it is mandatory to buy a new router because of the persistence, this is not correct: flashing a new firmware should be enough.
  • Update the router to the latest firmware version.
  • Take the security measures listed above: set a strong administration password, disable remote management of the router and disable AiCloud 2.0.

Once again it has been proven that enabling remote management of a device is not at all secure, so if you need to access your ASUS router remotely, use its OpenVPN, IPsec or Instant Guard VPN servers. There are many options to choose from, and there is no reason not to use these services.

We have spoken with ASUS and they have confirmed that they will release a firmware update for all affected models next week, preventing this malware from infecting us.