Cuttlefish Malware Targets Routers to Steal Authentication Data



A newly identified malware family, dubbed 'Cuttlefish', is targeting both enterprise-grade and small office/home office (SOHO) routers. It passively monitors the traffic passing through an infected router and harvests authentication material such as usernames, passwords and session tokens.

Researchers at Lumen Technologies' Black Lotus Labs, who analysed Cuttlefish, report that it also sets up a proxy or VPN tunnel on the infected router. Traffic routed through that tunnel leaves from the victim's own IP address, so an attacker replaying stolen credentials is not caught by controls that flag logins from unfamiliar locations, and the exfiltration itself blends into the router's normal outbound traffic.

Cuttlefish can also hijack HTTP and DNS traffic bound for private IP addresses inside the network. Beyond disrupting internal communication, this lets the attacker steer internal clients to hosts they control and deliver additional malicious payloads to compromised systems.

How Cuttlefish Gains Access

The initial infection vector has not been determined, but it most likely involves exploiting known router vulnerabilities or brute-forcing weak credentials. Once on a router, Cuttlefish runs a bash script named "s.sh" that collects reconnaissance data: directory listings, running processes and active network connections.

The script then downloads and executes the main payload, named ".timezone". The payload runs entirely from memory and deletes its own file from disk after launch, which hides it from file-based inspection (and also means a reboot removes it until the device is reinfected). Cuttlefish is built in several variants to support different router architectures, including ARM, i386 and MIPS, among others.

[Figure: Cuttlefish malware infection chain (Source: Black Lotus Labs)]

Monitoring Network Traffic

Once running, the malware installs a packet filter that inspects all traffic passing through the router. Because the filter sits on the router itself, it can read anything the router forwards in the clear. It searches specifically for credentials in transit: usernames, passwords and authentication tokens for major cloud services, including AWS, DigitalOcean and others.

Black Lotus Labs highlighted, “This caught our attention as many of these services would be used to store data otherwise found within the network,” indicating the severity of data compromise that Cuttlefish could cause.

Once enough data has been collected, it is sent to the attackers' infrastructure over either a peer-to-peer VPN or a proxy established on the router, so the exfiltration appears to originate from the router's own address rather than from an obviously foreign one and is not picked up by conventional detection.

For traffic destined for private IP addresses on the local network, the malware redirects DNS queries to a resolver chosen by the attackers and rewrites HTTP traffic, using HTTP 302 redirects to send clients to attacker-controlled sites.

“We suspect this capability enables Cuttlefish to hijack internal (a.k.a. “east-west”) traffic through the router, or site-to-site traffic where there is a VPN connection established between routers,” said the researchers.
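The two hijacking symptoms described above (an internal name resolving to an address outside the LAN, and a private host answering with a redirect that leaves the LAN) are visible from a LAN-side sensor. The detector below is an added example written for this page, not tooling from the Black Lotus Labs report. It runs over constructed JSON-lines feeds; the field names, the internal DNS suffix `corp.example`, the private ranges and the sample addresses are all assumptions for the demonstration, and it handles IPv4 only.

```python
"""Detection logic for Cuttlefish-style hijacking of east-west traffic.

Added example, not code from the Black Lotus Labs report. It scans two
constructed feeds that a LAN-side sensor could emit as JSON lines (field
names are assumed; a Zeek dns.log/http.log export would need renaming):
  * DNS answers seen by internal clients
  * HTTP responses returned by hosts on private addresses
and flags an internal name resolving outside the site's private ranges, and
an HTTP 3xx redirect from a private host whose Location leaves the LAN.
"""
import ipaddress
import json
from urllib.parse import urlsplit

INTERNAL_ZONE = "corp.example"                 # assumed internal DNS suffix
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (   # assumed site ranges
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_private(addr):
    """True if addr is an IPv4 address inside the site's private ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:            # hostnames and junk are not private addresses
        return False
    return any(ip in net for net in PRIVATE_NETS)


def is_internal_name(name):
    name = name.lower().rstrip(".")
    return name == INTERNAL_ZONE or name.endswith("." + INTERNAL_ZONE)


def check_dns(rec):
    """Flag an internal name that was answered with a non-private address."""
    if not is_internal_name(rec["qname"]) or is_private(rec["answer"]):
        return None
    return (f"DNS hijack? {rec['qname']} -> {rec['answer']} "
            f"(client {rec['client']}, answered by {rec['resolver']})")


def check_http(rec):
    """Flag a redirect from a private host that points outside the LAN."""
    if not is_private(rec["dst"]) or rec.get("status") not in REDIRECT_CODES:
        return None
    location = rec.get("location", "")
    host = urlsplit(location).hostname
    if host is None:                        # relative redirect, stays on host
        return None
    if is_private(host) or is_internal_name(host):
        return None
    return (f"HTTP redirect hijack? {rec['src']} -> {rec['dst']} "
            f"({rec.get('host', '?')}) {rec['status']} Location={location}")


def scan(dns_lines, http_lines):
    """Run both checks over JSON-lines feeds and return the alert strings."""
    alerts = []
    for line in dns_lines:
        alert = check_dns(json.loads(line))
        if alert:
            alerts.append(alert)
    for line in http_lines:
        alert = check_http(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample feeds: the third DNS line and the first HTTP line are
# the hijack symptoms; the rest is ordinary east-west traffic.
SAMPLE_DNS = [
    '{"client": "10.0.0.15", "resolver": "10.0.0.1", "qname": "files.corp.example", "answer": "10.0.0.40"}',
    '{"client": "10.0.0.15", "resolver": "10.0.0.1", "qname": "www.example.net", "answer": "198.51.100.5"}',
    '{"client": "10.0.0.21", "resolver": "10.0.0.1", "qname": "git.corp.example", "answer": "203.0.113.7"}',
]
SAMPLE_HTTP = [
    '{"src": "10.0.0.21", "dst": "10.0.0.40", "host": "files.corp.example", "status": 302, "location": "http://203.0.113.7/files/login"}',
    '{"src": "10.0.0.21", "dst": "10.0.0.40", "host": "files.corp.example", "status": 302, "location": "/files/dashboard"}',
    '{"src": "10.0.0.15", "dst": "10.0.0.41", "host": "wiki.corp.example", "status": 302, "location": "https://sso.corp.example/login"}',
    '{"src": "10.0.0.15", "dst": "10.0.0.41", "host": "wiki.corp.example", "status": 200}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_DNS, SAMPLE_HTTP):
        print(alert)
```

Relative redirects and redirects to other internal names or private addresses are deliberately ignored, because normal single sign-on flows produce those constantly; the signal is a private host or an internal name pointing a client out of the site's own address space. Sites with split-horizon DNS that legitimately return public addresses for internal names would need an allow-list in `check_dns`.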

How to Secure Networks Against Cuttlefish

Given its stealth and its position on a network choke point, Cuttlefish lets attackers evade established network defenses and watch traffic to cloud environments unnoticed for extended periods.

To counter the threat, Black Lotus Labs advises network administrators to eliminate weak passwords, watch for logins from unusual IP addresses, enforce TLS so that credentials never cross the router in cleartext, inspect network devices for unexpected configurations or files, and reboot devices regularly, since the main payload lives only in memory.

For remote connections to critical assets, certificate pinning is recommended so that a hijacked DNS answer or redirect cannot terminate the connection at an impostor host. SOHO router users should likewise reboot devices routinely, update firmware promptly, change default passwords, restrict remote access to the administrative interface, and retire equipment that no longer receives updates.
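The advice to inspect devices for unexpected files and to reboot follows from two traits described earlier: the payload deletes its file after launch but keeps running, and the dropper and payload use the fixed names s.sh and .timezone. The scan below is an added example for this page, not Black Lotus Labs tooling. It assumes a Linux-based device with a /proc filesystem; the writable directories searched and the fake process tree it builds for the demonstration are assumptions.

```python
"""Host-side hunt for Cuttlefish-style artefacts on a Linux router or host.

Added example, not Black Lotus Labs tooling. It checks for two traits:
a payload that keeps running from memory after unlinking its own file (the
kernel reports such a process with a /proc/<pid>/exe link whose target ends
in "(deleted)"), and the named dropper and payload files s.sh and .timezone
lying in writable directories. The proc root and search directories are
parameters so the scan can also run against a mounted firmware image or,
as in build_demo_tree(), a constructed test tree.
"""
import os
import tempfile

ARTEFACT_NAMES = {"s.sh", ".timezone"}
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")   # assumed writable paths


def deleted_executables(proc_root="/proc"):
    """Return (pid, exe_target) for processes whose binary is gone from disk."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():              # skip self, sys, net, ...
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:                      # kernel thread, exited, or no permission
            continue
        if target.endswith("(deleted)"):
            hits.append((int(entry), target))
    return hits


def named_artefacts(search_dirs=WRITABLE_DIRS):
    """Return paths of files whose name matches a known Cuttlefish artefact."""
    found = []
    for top in search_dirs:
        for root, _dirs, files in os.walk(top):
            for name in files:
                if name in ARTEFACT_NAMES:
                    found.append(os.path.join(root, name))
    return sorted(found)


def hunt(proc_root="/proc", search_dirs=WRITABLE_DIRS):
    return {"deleted_exes": deleted_executables(proc_root),
            "artefacts": named_artefacts(search_dirs)}


def build_demo_tree():
    """Construct a fake /proc and /tmp for demonstration; not a real system."""
    base = tempfile.mkdtemp(prefix="cuttlefish-demo-")
    proc = os.path.join(base, "proc")
    tmp = os.path.join(base, "tmp")
    for d in ("123", "124", "self"):
        os.makedirs(os.path.join(proc, d))
    os.makedirs(os.path.join(tmp, "sub"))
    # pid 123 mimics the in-memory payload: its binary was unlinked after launch
    os.symlink("/tmp/.timezone (deleted)", os.path.join(proc, "123", "exe"))
    # pid 124 is an ordinary process whose binary is still on disk
    os.symlink("/bin/busybox", os.path.join(proc, "124", "exe"))
    for name in ("s.sh", "notes.txt"):
        open(os.path.join(tmp, name), "w").close()
    open(os.path.join(tmp, "sub", ".timezone"), "w").close()
    return {"proc": proc, "tmp": tmp}


if __name__ == "__main__":
    report = hunt()                          # scan the live system
    for pid, target in report["deleted_exes"]:
        print(f"running from memory: pid {pid} exe {target}")
    for path in report["artefacts"]:
        print(f"suspicious file: {path}")
```

On a BusyBox router without Python the same two checks are `ls -l /proc/[0-9]*/exe 2>/dev/null | grep deleted` and `find /tmp /var/tmp -name s.sh -o -name .timezone`. A "(deleted)" hit is also produced by a legitimate process whose binary was replaced by a package update, so confirm with the process's command line and network connections before acting; and since file names are trivial for an attacker to change, a clean result is not proof of a clean device.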

Author: Anas Hasan

Date: May 2, 2024


Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.
