Malware Targets Routers To Steal Passwords From Web Requests

Researchers have tracked a new malware family, “Cuttlefish,” that targets networking equipment, specifically enterprise-grade and small office/home office (SOHO) routers, to steal authentication material found in web requests that transit the router from the adjacent local area network (LAN).

Lumen Technologies’ Black Lotus Labs, who examined the malware, said that Cuttlefish creates either a proxy or VPN tunnel through the compromised router so that its traffic appears to come from the victim’s own network, exfiltrating data in a way that sidesteps analytics that flag anomalous sign-ins, and then uses the stolen credentials to access targeted resources.

The malware can also hijack HTTP and DNS traffic destined for private IP addresses, the ranges normally used for communication inside an internal network.

The researchers state that the Cuttlefish malware platform offers a zero-click approach to capturing data from users and devices behind the targeted network’s edge.

“Any data sent across network equipment infiltrated by this malware is potentially exposed. What makes this malware family so insidious is the ability to perform HTTP and DNS hijacking for connections to private IP addresses,” the researchers warn in a blog post.

“Cuttlefish lies in wait, passively sniffing packets, acting only when triggered by a predefined ruleset. The packet sniffer used by Cuttlefish was designed to acquire authentication material, with an emphasis on public cloud-based services.”

Image: Cuttlefish malware (Source: Black Lotus Labs)

According to Black Lotus Labs, the malware has been active since at least July 27, 2023, with code references indicating previous iterations. The latest campaign ran from October 2023 through April 2024.

“The infection pattern was unique as 99% of infections occurred within Turkey, mainly stemming from two telecommunications providers. These two telecom firms accounted for roughly 93% of infections – 600 unique IP addresses. The handful of non-Turkish victims included IP addresses of likely clients associated with global satellite phone providers, and a potential US-based datacenter,” the company added.

Black Lotus Labs believes Cuttlefish represents the latest evolution of networking-equipment malware, combining route manipulation, connection hijacking and passive sniffing in a single platform.

With the stolen key material, the threat actor can not only reach the cloud resources associated with the targeted entity but also gain a foothold in that cloud ecosystem.

“These credential markers contain a list of predefined strings, some of which appeared to be generic like ‘username,’ ‘password’ or ‘access_token,’ while others were much more targeted like ‘aws_secret_key’ and ‘cloudflare_auth_key’,” the researchers said.

Many of the specific markers were associated with cloud-based services such as Alicloud, AWS, DigitalOcean, Cloudflare and Bitbucket.
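To make concrete what the passive sniffer described above is looking for when it applies its “predefined ruleset” to a request, and which fields the credential markers would match, here is an added example (not Black Lotus Labs’ code and not the malware’s own ruleset). It takes the raw bytes of an HTTP/1.x request as it would cross the router and reports which query parameters, form fields, JSON keys or headers carry a marker. The marker list is an assumption: it contains only the strings quoted in the article. The sample requests are constructed, not captured traffic, and the names `intranet.example.test`, `ci.example.test` and `api.example.test` are placeholders.

```python
"""Emulate a credential-marker sniff over raw HTTP requests.

Added example, not Black Lotus Labs' code. The marker list is an assumption:
it reproduces only the strings quoted in the report, not the full ruleset.
"""
import json
from urllib.parse import parse_qsl, urlsplit

CREDENTIAL_MARKERS = (
    "username", "password", "access_token",   # generic markers quoted in the report
    "aws_secret_key", "cloudflare_auth_key",  # cloud-specific markers quoted in the report
)


def is_marker(key: str) -> bool:
    """Case-insensitive substring match, the way a string-based sniffer rule works."""
    k = key.lower()
    return any(m in k for m in CREDENTIAL_MARKERS)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def walk_json_keys(node, found):
    """Collect every dict key, at any depth, whose name matches a marker."""
    if isinstance(node, dict):
        for k, v in node.items():
            if is_marker(k):
                found.append(("json", k))
            walk_json_keys(v, found)
    elif isinstance(node, list):
        for item in node:
            walk_json_keys(item, found)


def find_credential_markers(raw: bytes):
    """Return a sorted, de-duplicated list of (location, key) hits for one request."""
    _method, target, headers, body = parse_http_request(raw)
    hits = []
    for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if is_marker(k):
            hits.append(("query", k))
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for k, _ in parse_qsl(body, keep_blank_values=True):
            if is_marker(k):
                hits.append(("form", k))
    elif ctype.startswith("application/json"):
        try:
            walk_json_keys(json.loads(body), hits)
        except ValueError:
            pass  # malformed body: a sniffer would simply move on
    # Bearer/Basic tokens travel in this header; no key name is needed to spot them
    if "authorization" in headers:
        hits.append(("header", "Authorization"))
    return sorted(set(hits))


# Constructed sample requests (placeholders, not captured traffic).
FORM_LOGIN = (
    b"POST /login HTTP/1.1\r\nHost: intranet.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=alice&password=hunter2&remember=1"
)
JSON_DEPLOY = (
    b"PUT /api/deploy HTTP/1.1\r\nHost: ci.example.test\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"job": "build", "env": {"AWS_SECRET_KEY": "s3cr3t", "region": "us-east-1"}}'
)
TOKEN_GET = (
    b"GET /zones?access_token=abc123 HTTP/1.1\r\nHost: api.example.test\r\n"
    b"Authorization: Bearer xyz\r\n\r\n"
)
CLEAN_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("form", FORM_LOGIN), ("json", JSON_DEPLOY),
                      ("token", TOKEN_GET), ("clean", CLEAN_GET)]:
        print(name, find_credential_markers(req))
```

The example only sees what a passive tap sees: a request sent over TLS reaches the router as ciphertext, so none of these fields would be readable. That is the practical takeaway for anyone behind a router they do not fully trust: plaintext HTTP to a cloud API or an internal service is exactly the traffic this class of implant is built to harvest.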

The researchers warn that “Capturing credentials in transit could allow the threat actors to copy data from cloud resources that do not have the same type of logging or controls in place as traditional network perimeters.”

The researchers have not yet determined the initial infection vector for the routers. Black Lotus Labs recommends that corporate network defenders watch for attacks on weak credentials and for suspicious login attempts, even when those attempts originate from residential IP addresses, which geofencing and ASN-based blocking will not catch.
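The recommendation above is to judge logins by behaviour rather than by where the source address sits, since credentials relayed through a victim’s router arrive from an ordinary residential IP. The following added example (not from Black Lotus Labs) shows one such check over authentication log lines: it flags an account that sees a burst of failures followed by a success from an address that has never succeeded for that account before, and deliberately never consults geolocation or ASN. The log format (`timestamp user=… src=… result=…`), the threshold and the window are assumptions, and the log lines are constructed using documentation address ranges.

```python
"""Flag password-guessing followed by a first-time success, with no ASN or geo filter.

Added example, not Black Lotus Labs' code. Log format, threshold and window are
assumptions; the sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line: str):
    """Parse 'ISO-timestamp user=U src=IP result=OK|FAIL' into a tuple."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, fields["user"], fields["src"], fields["result"]


def find_suspicious_logins(lines, fail_threshold=3, window=timedelta(minutes=10)):
    """Return (user, src, recent_failures) for each success that follows a burst
    of failures and comes from an IP with no prior success for that user.

    The source address is never checked against an ASN or country list: the
    attacker may be riding a compromised residential router, so the signal has
    to come from the sequence of events, not from where they originate.
    """
    events = sorted(parse_line(line) for line in lines)
    failures = defaultdict(list)   # user -> timestamps of failed attempts
    known_ips = defaultdict(set)   # user -> IPs that have logged in successfully
    alerts = []
    for when, user, src, result in events:
        if result == "FAIL":
            failures[user].append(when)
            continue
        recent = [t for t in failures[user] if when - t <= window]
        if len(recent) >= fail_threshold and src not in known_ips[user]:
            alerts.append((user, src, len(recent)))
        known_ips[user].add(src)
        failures[user] = []        # a success closes the current burst
    return alerts


# Constructed sample log (documentation ranges, not real hosts).
SAMPLE_LOG = [
    "2024-04-02T08:00:00Z user=bob src=203.0.113.10 result=OK",
    "2024-04-02T09:00:00Z user=alice src=198.51.100.7 result=FAIL",
    "2024-04-02T09:01:00Z user=alice src=198.51.100.7 result=FAIL",
    "2024-04-02T09:02:00Z user=alice src=198.51.100.7 result=FAIL",
    "2024-04-02T09:03:00Z user=alice src=198.51.100.7 result=OK",   # burst then new IP
    "2024-04-02T09:10:00Z user=bob src=203.0.113.10 result=FAIL",
    "2024-04-02T09:11:00Z user=bob src=203.0.113.10 result=OK",     # typo from known IP
    "2024-04-02T09:00:00Z user=carol src=198.51.100.9 result=FAIL",
    "2024-04-02T09:30:00Z user=carol src=198.51.100.9 result=FAIL",
    "2024-04-02T10:00:00Z user=carol src=198.51.100.9 result=FAIL",
    "2024-04-02T10:30:00Z user=carol src=198.51.100.9 result=FAIL",
    "2024-04-02T10:32:00Z user=carol src=198.51.100.9 result=OK",   # slow: outside window
]

if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG):
        print("suspicious login:", alert)
```

The carol case shows the obvious gap: a slow guess rate stays under a fixed window, so in practice the window and threshold are tuned per service and paired with a first-seen-IP alert that does not depend on preceding failures at all.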

Further, consumers with SOHO routers should regularly reboot them and install security updates and patches.

Additionally, organizations that manage SOHO routers should ensure their devices do not depend upon common default passwords.

Kavita Iyer