Done, but supposedly Cyclops Blink can survive that. I think I'm tossing the Asus router as the easiest solution, it is EOL so won't get additional firmware updates and supposedly this survives a factory reset.
more from techspot --
Cyclops Blink is a Kremlin-linked malware that has existed since 2019. It is tied to the elite Sandworm hacking group. According to UK's National Cyber Security Centre...
"The new Asus module is built to access and replace a router's flash memory. The botnet reads 80 bytes from the flash memory, writes it to the main communication pipe, and then waits for a command with the data needed to replace the content. A second module gathers data from the infected device and sends it to the C2 server. A third module, "file download (0x0f)," downloads files from the internet using DNS over HTTPS (DoH)."
and from here
The malware itself is sophisticated and modular with basic core functionality to beacon (T1132.002
) device information back to a server and enable files to be downloaded and executed. There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required.
The NCSC has published a malware analysis report on Cyclops Blink
which provides more detail about the malware.
Post exploitation, Cyclops Blink is generally deployed as part of a firmware ‘update’ (T1542.001
). This achieves persistence when the device is rebooted and makes remediation harder.
Victim devices are organized into clusters and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses (T1008
). All the known C2 IP addresses to date have been used by compromised WatchGuard firewall devices. Communications between Cyclops Blink clients and servers are protected under Transport Layer Security (TLS) (T1071.001
), using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network.....................
Cyclops Blink persists on reboot and throughout the legitimate firmware update process. Affected organizations should therefore take steps to remove the malware.
WatchGuard has worked closely with the FBI, CISA, NSA and the NCSC, and has provided tooling and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process. Device owners should follow each step in these instructions to ensure that devices are patched to the latest version and that any infection is removed.
The tooling and guidance from WatchGuard can be found at: Web Detector
Indicators of Compromise
- If your device is identified as infected with Cyclops Blink, you should assume that any passwords present on the device have been compromised and replace them (see NCSC password guidance for organizations.
- You should ensure that the management interface of network devices is not exposed to the internet.
Please refer to the accompanying Cyclops Blink malware analysis report
for indicators of compromise which may help detect this activity"
so.... I don't know much but definitely stressing over this.