Several models of ASUS routers are vulnerable to attacks by the Cyclops Blink malware, which is associated with the Sandworm hacker group. Cyclops Blink gives attackers persistence on the device, serving as a remote access point to compromised networks.
Because Cyclops Blink is modular, criminals can easily update it to work with new devices, constantly changing its scope.
According to Trend Micro experts, the malware has a specialized module designed for several ASUS routers, which allows the malware to read flash memory to collect information about important files, executable files, data and libraries.
The malware then receives a command to embed itself in the flash memory and establish persistence, since this storage space is not erased even when the device is reset to factory settings.
In its released bulletin, ASUS warned that the following router models and firmware versions are vulnerable to Cyclops Blink attacks: GT-AC5300 (220.127.116.11.386.xxxx), GT-AC2900 (18.104.22.168.386.xxxx), RT-AC5300 (22.214.171.124.386.xxxx), RT-AC88U (126.96.36.199.386.xxxx), RT-AC3100 (188.8.131.52.386.xxxx), RT-AC86U (184.108.40.206.386.xxxx), RT-AC68U, AC68R, AC68W and AC68P (220.127.116.11.386.xxxx), RT-AC66U_B1 (18.104.22.168.386.xxxx), RT-AC3200 (22.214.171.124.386.xxxx), RT-AC2900 (126.96.36.199.386.xxxx), RT-AC1900P and RT-AC1900P (188.8.131.52.386.xxxx), RT-AC87U (EOL), RT-AC66U (EOL), RT-AC56U (EOL).
Users of vulnerable devices are advised to reset the device to factory settings, upgrade to the latest available firmware version, make sure that the default administrator password has been changed to a more secure one, and disable remote management.