May 1, 2024 at 01:38PM
The newly discovered malware “Cuttlefish” targets routers to steal authentication details, perform DNS and HTTP hijacking, and potentially evade detection. It primarily infects enterprise-grade and SOHO routers, with a focus on public cloud-based services. The malware has been active since at least last July and has links to HiatusRat, revealing potential connections to China-based threat actors. The researchers offer advice for defending against router attacks, including monitoring for weak credentials and suspicious login attempts, encrypting network traffic, and regularly rebooting and updating routers.
In more detail, Cuttlefish is a newly discovered malware strain that targets enterprise-grade and SOHO routers. It is designed to steal authentication details and to perform DNS and HTTP hijacking attacks on connections to private IP addresses. It captures data with a zero-click approach: a specific rule set triggers the capture of authentication data, particularly for public cloud-based services.
The malware has a secondary function that allows it to eavesdrop on edge networking equipment and perform DNS and HTTP hijacking for connections to private IP space. Notably, researchers have observed that Cuttlefish targets cloud services to evade security controls.
Furthermore, Cuttlefish has been active since at least last July, with a recent campaign running from October through last month. The bulk of the infections occurred within Turkey via two telecommunications providers, with a small number of non-Turkish victims. There are also links to HiatusRat, suggesting an alignment with the interests of China-based threat actors.
Infection and execution proceed in several steps. First, a packet filter is installed to inspect all outbound connections. Next, a bash script gathers certain host-based data and sends it to the command-and-control server. Finally, the Cuttlefish binary, compiled for all major architectures used by SOHO operating systems, is downloaded and executed.
To defend against router attacks, recommendations include looking for attacks on weak credentials and suspicious login attempts, encrypting network traffic with TLS/SSL, ensuring that devices do not rely upon common default passwords, inspecting SOHO devices for abnormal files, routinely power-cycling these devices, and implementing certificate pinning when remotely connecting to high-value assets.
Additionally, consumers with SOHO routers should follow best practices of regularly rebooting routers, installing security updates and patches, and retiring and replacing routers that reach their end of life.
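The advice above to watch for attacks on weak credentials and suspicious login attempts can be turned into a small detection pass over a router's authentication log. The Python below is an added example; it is not code from the original article or from the Cuttlefish researchers. The log lines are constructed in the message format used by the dropbear SSH daemon common on SOHO routers, and the year (syslog timestamps carry none), the failure threshold and window, the trusted management network and the list of factory account names are all assumptions chosen for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in dropbear's message format (not taken from the page).
SAMPLE_LOG = """\
May  1 13:20:01 router dropbear[1201]: Bad password attempt for 'admin' from 203.0.113.7:51234
May  1 13:20:03 router dropbear[1202]: Bad password attempt for 'admin' from 203.0.113.7:51235
May  1 13:20:05 router dropbear[1203]: Bad password attempt for 'root' from 203.0.113.7:51236
May  1 13:20:06 router dropbear[1204]: Bad password attempt for 'admin' from 203.0.113.7:51237
May  1 13:20:08 router dropbear[1205]: Bad password attempt for 'admin' from 203.0.113.7:51238
May  1 13:20:09 router dropbear[1206]: Password auth succeeded for 'admin' from 203.0.113.7:51239
May  1 13:25:40 router dropbear[1210]: Password auth succeeded for 'netops' from 192.168.1.20:40112
May  1 13:30:12 router dropbear[1215]: Bad password attempt for 'support' from 198.51.100.9:60001
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: "
    r"(Bad password attempt|Password auth succeeded) for '([^']+)' from (\d+\.\d+\.\d+\.\d+):\d+"
)

# Assumed: admin sessions are only expected from this management LAN.
MGMT_NETS = [ipaddress.ip_network("192.168.1.0/24")]
# Assumed: factory account names that should never log in from outside MGMT_NETS.
DEFAULT_ACCOUNTS = {"admin", "root", "support", "user"}


def parse_line(line, year=2024):
    """Return a dict for one auth event, or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {
        "time": ts,
        "ok": m.group(2).startswith("Password auth succeeded"),
        "user": m.group(3),
        "src": m.group(4),
    }


def is_trusted(src):
    """True when the source address lies inside the assumed management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_NETS)


def analyze(log_text, fail_threshold=4, window=timedelta(seconds=60)):
    """Run three rules over the log and return a list of alert dicts in time order.

    brute_force:                 >= fail_threshold failures from one source inside `window`
    success_after_failures:      a login from a source already flagged for brute force
    default_account_remote_login: a factory account logging in from outside MGMT_NETS
    remote_login:                any other login from outside MGMT_NETS (low severity)
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of failures still inside the window
    flagged = set()               # sources already reported for brute force
    for e in events:
        src = e["src"]
        if not e["ok"]:
            # Keep only failures within the sliding window before counting.
            failures[src] = [t for t in failures[src] if e["time"] - t <= window]
            failures[src].append(e["time"])
            if len(failures[src]) >= fail_threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "brute_force", "src": src, "user": e["user"], "time": e["time"]})
            continue
        if src in flagged:
            rule = "success_after_failures"
        elif not is_trusted(src) and e["user"] in DEFAULT_ACCOUNTS:
            rule = "default_account_remote_login"
        elif not is_trusted(src):
            rule = "remote_login"
        else:
            continue  # expected: trusted network, non-burst source
        alerts.append({"rule": rule, "src": src, "user": e["user"], "time": e["time"]})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['time']} {a['rule']:30} user={a['user']} src={a['src']}")
```

On the constructed sample this reports a brute-force burst from 203.0.113.7 and then the successful `admin` login from the same source, which is the combination most worth paging on: a factory account reached from outside the management LAN immediately after a run of failures. Single stray failures and logins from the trusted LAN produce nothing, which keeps the output short enough to act on; the rules are deliberately local to the log so the check can run on a host that only receives the router's syslog stream.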