May 1, 2024 at 09:27AM
Cuttlefish, a new malware, targets enterprise and SOHO routers, creating proxy/VPN tunnels to steal data and authentication information. It can perform DNS/HTTP hijacking, targeting services such as Alicloud, AWS, and BitBucket. Black Lotus Labs found its active campaign in Turkey and recommends strengthening security measures and monitoring for unusual logins. Regular router reboots and firmware updates are advised.
From the meeting notes, it is clear that the new malware “Cuttlefish” presents a serious threat to both enterprise-grade and small office/home office (SOHO) routers. The malware is designed to exfiltrate data discreetly, bypass security measures, and potentially introduce additional payloads. It can perform DNS and HTTP hijacking to interfere with internal communications and impacts a wide range of router architectures.
The infection chain involves exploiting known vulnerabilities or brute-forcing credentials, followed by deploying a bash script to collect data and executing the primary Cuttlefish payload. The malware monitors traffic, actively searching for specific data such as usernames, passwords, and tokens associated with public cloud-based services and then exfiltrates the data to the attacker’s command and control (C2) server.
To protect against Cuttlefish, it is recommended that network administrators eliminate weak credentials, monitor for unusual logins, secure traffic with TLS/SSL, inspect devices for abnormal files, and reboot them regularly. SOHO router users should regularly reboot devices, apply the latest firmware updates, change default passwords, and block remote access to the management interface.
Additionally, when establishing remote connections to high-value assets, it is advisable to use certificate pinning to prevent hijacking. It is also important for SOHO router users to replace their devices when they reach end-of-life (EoL).
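Monitoring for unusual logins, as recommended above, can start with simple log correlation. The following added example (not code from the Black Lotus Labs report) runs over constructed sshd-style router log lines and flags a successful login that follows a burst of failed attempts, which is the brute-force pattern described in the infection chain, or that originates outside an assumed management subnet (192.168.1.0/24 here is an assumption, as are the sample addresses).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines in a generic sshd format; the addresses are
# documentation ranges, not indicators from the Cuttlefish report.
SAMPLE_LOG = """\
2024-04-30T08:00:01 router sshd: Failed password for admin from 203.0.113.7
2024-04-30T08:00:03 router sshd: Failed password for admin from 203.0.113.7
2024-04-30T08:00:05 router sshd: Failed password for root from 203.0.113.7
2024-04-30T08:00:07 router sshd: Failed password for admin from 203.0.113.7
2024-04-30T08:00:09 router sshd: Failed password for admin from 203.0.113.7
2024-04-30T08:00:11 router sshd: Accepted password for admin from 203.0.113.7
2024-04-30T09:15:00 router sshd: Accepted password for admin from 192.168.1.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Assumed management subnet; logins from anywhere else are treated as unusual.
ALLOWED_MGMT = [ip_network("192.168.1.0/24")]


def parse(log):
    """Yield (timestamp, result, user, ip) for every line that matches."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], ip_address(m["ip"])


def find_suspicious_logins(log, fail_threshold=5, window=timedelta(minutes=5)):
    """Return (ip, user, reasons) for each successful login worth reviewing."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of failed attempts
    for ts, result, user, ip in parse(log):
        if result == "Failed":
            failures[ip].append(ts)
            continue
        reasons = []
        recent = [t for t in failures[ip] if ts - t <= window]
        if len(recent) >= fail_threshold:
            reasons.append("brute-force burst before success")
        if not any(ip in net for net in ALLOWED_MGMT):
            reasons.append("source outside management subnet")
        if reasons:
            alerts.append((str(ip), user, reasons))
    return alerts
```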