New Cuttlefish Malware Hijacks Router Connections, Sniffs for Cloud Credentials

May 2, 2024 at 01:18AM

The new malware, Cuttlefish, targets small office and home office (SOHO) routers to secretly monitor network traffic and gather authentication data from web requests. It can also hijack DNS and HTTP connections, exfiltrate data, and act as a proxy or VPN. The cybersecurity firm warns that it poses a serious threat to cloud resources and ecosystems.

Summary:
– A new malware called Cuttlefish targets small office and home office (SOHO) routers, aiming to monitor traffic and gather authentication data from HTTP requests.
– The malware is modular and designed to steal authentication material from web requests on the local network. It can also perform DNS and HTTP hijacking.
– There are overlaps with another activity cluster called HiatusRAT, but no shared victimology has been observed.
– Cuttlefish has been active since at least July 27, 2023, with 600 unique infected IP addresses, most of them associated with two Turkish telecom providers.
– The initial access vector used to compromise the networking equipment is unclear; once access is gained, a bash script is deployed to gather host data and exfiltrate it to an actor-controlled domain.
– The Cuttlefish payload is then downloaded from a dedicated server and executed, with the binary selected according to the router's architecture.
– The malware primarily targets authentication data associated with public cloud-based services and can act as a proxy and VPN to transmit captured data through the infiltrated router.
– Cuttlefish represents the latest evolution in passive eavesdropping malware for edge networking equipment.

Recommendations:
1. Advise users to update router firmware and change default credentials to prevent Cuttlefish infection.
2. Monitor network traffic for any signs of DNS or HTTP hijacking.
3. Educate users about the risks of passive eavesdropping malware and the importance of securing network devices.
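A defender-side check for recommendation 2, added here as an example and not code from the original article or from the firm that published the report. It flags the two hijack techniques the summary describes: DNS answers from the router's resolver that disagree with an independent resolver, and HTTP requests that reached an IP the independent resolver never returned for that hostname. The LAN range 192.168.1.0/24, the hostnames and the addresses are assumptions for this example; the DNS and HTTP records are constructed sample data standing in for a passive capture taken on the LAN side of the router.

```python
"""Offline check for DNS and HTTP hijacking on a SOHO router, as an added
example. All records below are constructed sample data; in practice they
would come from a passive DNS/HTTP capture on the LAN side of the router."""
import ipaddress

# Assumed LAN range of the monitored site (an assumption for this example).
LAN = ipaddress.ip_network("192.168.1.0/24")

# Hostname suffixes whose credentials matter most; any disagreement for these
# is an alert. Other names only get a note, because CDNs legitimately hand
# out different addresses to different resolvers.
SENSITIVE_SUFFIXES = ("example-cloud.test",)

# Constructed sample: what LAN clients received from the router's resolver.
LOCAL_DNS_LOG = [
    {"qname": "login.example-cloud.test", "answers": ["192.168.1.1"]},
    {"qname": "api.example-cloud.test", "answers": ["198.51.100.7", "198.51.100.8"]},
    {"qname": "cdn.example.test", "answers": ["198.51.100.20"]},
    {"qname": "mail.example-cloud.test", "answers": ["203.0.113.44"]},
    {"qname": "unlisted.test", "answers": ["203.0.113.90"]},
]

# Constructed sample: the same names resolved through an independent,
# encrypted resolver that does not pass through the router's DNS forwarder.
REFERENCE_DNS = {
    "login.example-cloud.test": {"198.51.100.5"},
    "api.example-cloud.test": {"198.51.100.7", "198.51.100.8"},
    "cdn.example.test": {"198.51.100.21", "198.51.100.22"},
    "mail.example-cloud.test": {"198.51.100.9"},
}

# Constructed sample: HTTP requests seen on the LAN (Host header, destination IP).
HTTP_LOG = [
    {"host": "login.example-cloud.test", "dst": "192.168.1.1", "method": "POST", "path": "/oauth/token"},
    {"host": "api.example-cloud.test", "dst": "198.51.100.7", "method": "GET", "path": "/v1/buckets"},
]


def classify_answer(qname, local_answers, reference_answers):
    """Return 'ok', 'note' or 'alert' for one resolver answer set."""
    unexpected = set(local_answers) - reference_answers
    if not unexpected:
        return "ok"
    # A public name resolving to an address inside the LAN (e.g. the router
    # itself) is the clearest sign that the device is steering the connection.
    if any(ipaddress.ip_address(a) in LAN for a in unexpected):
        return "alert"
    if qname.endswith(SENSITIVE_SUFFIXES):
        return "alert"
    return "note"


def audit_dns(local_log, reference):
    """Map each queried name to its classification ('unknown' if the
    reference resolver was never asked about that name)."""
    findings = {}
    for rec in local_log:
        ref = reference.get(rec["qname"])
        if ref is None:
            findings[rec["qname"]] = "unknown"
        else:
            findings[rec["qname"]] = classify_answer(rec["qname"], rec["answers"], ref)
    return findings


def audit_http(http_log, reference):
    """Return requests whose destination IP the reference resolver never
    returned for the Host header; these connections deserve inspection."""
    return [rec for rec in http_log if rec["dst"] not in reference.get(rec["host"], set())]


if __name__ == "__main__":
    for name, verdict in audit_dns(LOCAL_DNS_LOG, REFERENCE_DNS).items():
        print(f"{verdict:8s} {name}")
    for rec in audit_http(HTTP_LOG, REFERENCE_DNS):
        print(f"suspect  {rec['method']} {rec['host']}{rec['path']} -> {rec['dst']}")
```

The reference answers must be obtained over a path the router cannot rewrite (for instance an encrypted resolver on a host, or a query issued from outside the site), otherwise a DNS-hijacking router would simply poison both sides of the comparison. The "note" class exists so that ordinary CDN answer variance does not drown out the cases that matter: a public hostname pointing into the LAN, or a credential-bearing cloud hostname resolving anywhere the trusted resolver did not send it.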
