May 1, 2024 at 11:21AM
Lumen’s Black Lotus Labs has discovered a new malware platform named Cuttlefish, capable of harvesting public cloud authentication data from enterprise and SOHO routers. The platform, similar to HiatusRat, is believed to be linked to a Chinese hacking group targeting US and European organizations. Cuttlefish is specifically designed to capture credentials associated with cloud-based services, potentially enabling threat actors to access sensitive data. The malware has been active since July 2023, with the latest campaign running from October 2023 to April 2024. It was found at telecommunications providers in Turkey, with non-Turkish victims associated with global satellite phone providers and a potential US-based datacenter. Cuttlefish can perform route manipulation, hijack connections, and passively sniff packets. Black Lotus Labs advises network defenders to look for weak credentials and suspicious login attempts, and to inspect SOHO devices for abnormalities.
Key takeaways from the meeting notes are as follows:
1. A new malware platform named Cuttlefish has been identified by Lumen’s Black Lotus Labs.
2. Cuttlefish is capable of covertly harvesting public cloud authentication data from internet traffic, particularly from enterprise-grade and small office/home office (SOHO) routers.
3. The platform is designed to steal authentication material found in web requests transiting the router from the adjacent local area network (LAN) and has the capability to hijack DNS and HTTP connections to private IP spaces.
4. There are code overlaps between Cuttlefish and HiatusRat, a malware associated with a Chinese hacking group, leading to the assessment that these activity clusters are operating concurrently.
5. Cuttlefish provides a zero-click approach to capturing data from users and devices behind the targeted network’s edge and lies in wait to passively sniff packets, acting only when triggered by a predefined ruleset.
6. The threat actors exfiltrate data by creating a proxy or VPN tunnel through a compromised router using stolen credentials to access targeted resources.
7. Cuttlefish has been active at least since July 2023 with the latest campaign running from October 2023 to April 2024.
8. Black Lotus Labs found Cuttlefish infections at telecommunications providers in Turkey and non-Turkish victims associated with global satellite phone providers and a potential US-based data center.
9. The malware uses libpcap to create an extended Berkeley Packet Filter (eBPF) for eavesdropping and hijacking IP ranges and is specifically programmed to search for certain credential markers associated with cloud-based services.
10. The researchers recommend that corporate network defenders hunt for attacks on weak credentials and suspicious login attempts, even when originating from residential IP addresses, and inspect SOHO devices for abnormal files and rogue iptables entries. They also suggest implementing certificate pinning when remotely connecting to high-value assets, such as cloud assets, to prevent hijacking of connections.
These are the key points from the meeting notes about the Cuttlefish malware platform.
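Takeaways 3 and 10 above say Cuttlefish hijacks DNS and HTTP connections to private IP space and that defenders should inspect SOHO devices for rogue iptables entries. The following is an added triage helper, not code from the original report or from Black Lotus Labs: it parses `iptables-save`-style output and flags nat-table rules that DNAT or REDIRECT DNS (53) or HTTP (80) traffic into RFC1918 space. The sample ruleset is constructed for illustration and is not Cuttlefish's actual ruleset; the port/address heuristic is an assumption, so a match is a lead to compare against the device's expected configuration, not proof of compromise.

```python
import ipaddress
import shlex

# Constructed sample in iptables-save format (assumption: an illustration of
# what a hijacking rule could look like, NOT the malware's real rules).
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to-destination 10.0.0.5:53
-A PREROUTING -i br0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.200:8080
-A PREROUTING -i br0 -p tcp --dport 8443 -j REDIRECT --to-ports 8443
COMMIT
"""

# DNS and HTTP: the two services the report says get hijacked.
HIJACK_PORTS = {53, 80}


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of option -> value (or True)."""
    toks = shlex.split(line)
    opts, i = {}, 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[tok] = toks[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts


def find_hijack_rules(save_output):
    """Return nat-table rules that steer DNS/HTTP to a private address or local port."""
    findings, table = [], None
    for line in save_output.splitlines():
        if line.startswith("*"):          # '*nat', '*filter', ... start a table
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A "):
            continue
        o = parse_rule(line)
        dport = o.get("--dport")
        if dport is None or int(dport) not in HIJACK_PORTS:
            continue
        if o.get("-j") == "DNAT":
            host = o["--to-destination"].rsplit(":", 1)[0]   # strip optional :port
            if ipaddress.ip_address(host).is_private:
                findings.append(line)
        elif o.get("-j") == "REDIRECT":   # REDIRECT always lands on the router itself
            findings.append(line)
    return findings
```

Many SOHO firmwares legitimately redirect LAN DNS to a local forwarder, so treat a hit as something to diff against a known-good configuration for that model rather than as a verdict on its own.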