A new cybersecurity threat, named 'Cuttlefish', has been identified targeting enterprise-grade and small office/home office (SOHO) routers. The spotted malware is designed to monitor data traffic and steal authentication information, posing significant risks to network security.
What can you do to avoid this kind of threat?
Overview of Cuttlefish Malware
Discovered by Lumen Technologies' Black Lotus Labs, Cuttlefish is capable of creating a covert proxy or VPN tunnel on infected routers. This allows it to exfiltrate data discreetly, circumventing security protocols that typically flag unusual sign-ins. It also carries capabilities for DNS and HTTP hijacking, potentially leading to further malicious payloads being deployed within a network.
How Cuttlefish Infects Networks
While some aspects of Cuttlefish's code bear resemblance to HiatusRat, a malware linked to Chinese state interests, no direct connection has been established. Black Lotus Labs has tracked the malware's activity back to at least July 2023, with a concentrated campaign currently active primarily in Turkey.
According to Bleeping Computer, the exact method of router infection remains unclear, but it likely exploits known vulnerabilities or uses brute-force attacks on weak credentials.
Once installed, Cuttlefish deploys a bash script that collects and sends router data to the attacker, then downloads and executes the primary payload. This payload operates directly from memory to avoid detection, erasing any files that might be used for forensic analysis.
Monitoring Mechanism of Cuttlefish
Upon execution, Cuttlefish filters all router connections, actively searching for data that match predefined "credential markers." These include usernames, passwords, and tokens, particularly those associated with public cloud services like AWS, Digital Ocean, and others.
By capturing these credentials in transit, attackers could potentially access sensitive cloud-stored data without the usual logging or controls found in more traditional network environments.
"Capturing credentials in transit could allow the threat actors to copy data from cloud resources that do not have the same type of logging or controls in place as traditional network perimeters," Black Lotus Labs explained in a report.
Defensive Measures Against Cuttlefish: What You Need to do
For Enterprises:
Strengthen Credentials: Ensure that all network device credentials are robust and regularly updated.
Monitor Unusual Activity: Keep an eye out for odd login attempts, especially those from residential IP addresses.
Implement Secure Traffic Protocols: Use TLS/SSL to encrypt data in transit.
Regular Device Inspections: Check for unusual system files or configurations and routinely reboot devices to clear potential malware.
Use Advanced Authentication Methods: When accessing critical assets remotely, utilize techniques like certificate pinning to enhance security.
For Home Users:
Regular Updates and Reboots: Keep your router's firmware up to date and reboot it regularly to disrupt any potential malware.
Change Default Passwords: Replace default credentials with strong, unique passwords.
Disable Remote Management: Block remote access to the router's management interface to prevent external manipulation.
Device Replacement: Consider replacing routers as they reach their end-of-life phase to benefit from improved security features in newer models.
Without strong security, Cuttlefish can easily exploit the network devices without extra effort. It can effortlessly siphon sensitive data and evade security walls.
Experts recommend that both individual users and organizations adopt comprehensive security strategies to protect themselves against this threat.