A never-before-seen type of malware is targeting enterprise-grade and SOHO routers, stealing authentication details and other data from behind the network edge. It also performs DNS and HTTP hijacking attacks on connections to private IP addresses.
The packet-sniffing malware, dubbed "Cuttlefish" by the Lumen Technologies Black Lotus Labs team that discovered it, uses a zero-click approach to collecting data from users and devices, meaning no action by the victim is required, according to a blog post published on May 1.
According to Black Lotus Labs, "any data sent through a network device compromised by this malware may be compromised." The researchers say the attackers designed the modular malware to be triggered by a specific set of rules, with a focus on public cloud-based services and specifically on obtaining authentication data.
"To steal data, threat actors first create and traverse a proxy or VPN tunnel back through the compromised router," according to the post. "The attacker uses the stolen credentials to access the target's resources by sending requests through the router. We believe this may help avoid anomalous sign-in based analysis."
Cuttlefish also has a secondary function that performs DNS and HTTP hijacking on connections to private IP space, that is, communications on internal networks. It can also interact with other devices on the LAN to move data or introduce new agents.
Cuttlefish’s unique malware behavior
Cuttlefish's combination of eavesdropping on edge networking equipment and performing DNS and HTTP hijacking is "largely unobserved," although campaigns such as ZuoRAT, VPNFilter, Attor and Plead exhibited similar behavior, according to Black Lotus Labs.
What is unique about Cuttlefish, however, is its ability to target connections to private IP addresses for potential hijacking. This is the first time the researchers have observed this capability, and they believe its likely purpose is to evade detection and maintain persistence.
"We believe that by targeting these cloud services, attackers can access much of the same material hosted internally without having to contend with security controls such as EDR [endpoint detection and response] or network segmentation," the blog post states.
The malware combines the targeting of frequently unmonitored networking equipment with access to cloud environments that are often not logged, the researchers noted, in order to establish long-term persistence within the target ecosystem.
Links to Turkish carriers and HiatusRAT
Cuttlefish has been active since at least July 2023, with its most recent campaign running from October 2023 through April 2024. Most of the infections occurred within Turkey, across customers of two telecommunications providers (a sector often targeted by cyber espionage malware), and accounted for approximately 93% of infections, or about 600 unique IP addresses.
Black Lotus Labs said there was also a "small number" of non-Turkish victims, including customer IP addresses likely associated with a global satellite phone provider and a US-based data center.
The researchers found links to HiatusRAT, specifically code similarities and embedded build paths, and therefore believe that Cuttlefish is likewise aligned with the interests of China-based attackers. However, Black Lotus Labs has so far found no common victims and suspects that the two malware clusters are operating concurrently.
Infection process and execution
The researchers have not determined the initial infection vector, but said they tracked Cuttlefish's path once a targeted device had been compromised. The attacker first deploys a bash script that collects specific host-based data and sends it to a command-and-control (C2) server. The script also downloads and runs Cuttlefish as a malicious binary compiled for all major architectures used in SOHO operating systems.
According to the post, "This agent implements a multi-step process that begins with the installation of packet filters to inspect all outbound connections for the use of specific ports, protocols, and destination IP addresses." The malware continuously monitors all traffic passing through the device and acts only when it detects a specific set of activities.
Once the C2 receives the host-based enumeration from the initial entry, it updates and sends the engagement rules via a configuration file. This rule set instructs the malware to hijack traffic destined for private IP addresses, while for traffic headed to public IPs it triggers the credential-stealing sniffer function when certain parameters are met.
Defense against router attacks
In addition to including a list of indicators of compromise (IoCs) in their post, the researchers provided tailored advice to both enterprise network defenders and SOHO router users on avoiding and detecting compromise by Cuttlefish.
Enterprise organizations should look for attacks against weak credentials and for suspicious login attempts, including those from residential IP addresses that bypass geofencing and ASN-based blocks, the researchers advise. Network traffic should also be encrypted with TLS/SSL to prevent eavesdropping whenever data is retrieved or transmitted remotely, such as when using cloud-based services or performing any kind of authentication.
Organizations that manage these types of routers should ensure that devices do not rely on common default passwords and that management interfaces are adequately secured and not reachable from the Internet. They can also inspect SOHO devices for anomalous files, such as binaries or malformed iptables entries in the /tmp directory, and periodically power-cycle the devices to remove malware samples that reside only in memory. Enterprises should additionally implement certificate pinning when connecting remotely to high-value assets, such as cloud assets, to prevent connection hijacking by threat actors.
Consumers using SOHO routers should follow best practices: reboot routers regularly, install security updates and patches, and retire and replace routers once they reach end of life and are no longer supported by the vendor.
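The certificate-pinning advice above is the one control in this list that directly defeats a hijacked connection: a router that redirects DNS or HTTP for a destination can only succeed if the client accepts whatever certificate the attacker's endpoint presents. The following is an added example written for this page, not code from Black Lotus Labs or any vendor. It pins the SHA-256 hash of the leaf certificate on top of normal CA and hostname validation using only the Python standard library; the `vault.example.internal` hostname, the pin set and the DER byte strings are constructed placeholders.

```python
"""Leaf-certificate pinning as an additional check on TLS connections.

Added example for this page (not Black Lotus Labs' code). CA validation and
hostname checking stay enabled; the pin is an extra allowlist that a hijacked
router cannot satisfy even with a certificate a public CA would sign.
"""
import base64
import hashlib
import socket
import ssl


class PinMismatch(ssl.SSLError):
    """Raised when the presented leaf certificate matches none of the pins."""


def cert_pin(der: bytes) -> str:
    """Return the pin for a DER-encoded certificate: 'sha256/' + base64(SHA-256(der))."""
    digest = hashlib.sha256(der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pin_matches(der: bytes, pins) -> bool:
    """True only if the certificate's pin is in the allowlist.

    An empty or missing allowlist fails closed. 'No pins configured' must
    never degrade to 'accept anything', which is the state a hijacker wants.
    """
    if not pins:
        return False
    return cert_pin(der) in set(pins)


def connect_pinned(host: str, port: int, pins, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and enforce the pin set after the normal handshake."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except OSError:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        presented = cert_pin(der) if der else "<no certificate>"
        tls.close()
        raise PinMismatch(f"{host}:{port} presented {presented}, expected one of {sorted(pins)}")
    return tls


def fetch_pin(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Bootstrap helper: fetch the current leaf certificate's pin.

    Run this only over a path you trust (not through a suspect router), or you
    will pin the hijacker's certificate instead of the real one.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return cert_pin(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    # Constructed DER stand-ins, not real certificates. The pin set holds the
    # current certificate plus a pre-issued backup so rotation does not lock
    # clients out; a third, unexpected certificate is rejected.
    current, backup, rogue = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02", b"\x30\x03\x02\x01\x03"
    pins = {"vault.example.internal": {cert_pin(current), cert_pin(backup)}}
    print("current accepted:", pin_matches(current, pins["vault.example.internal"]))
    print("rogue accepted:  ", pin_matches(rogue, pins["vault.example.internal"]))
    # Live use: connect_pinned("vault.example.internal", 443, pins["vault.example.internal"])
```

Pinning the whole leaf certificate is the simplest variant; it has to be refreshed at every certificate renewal, which is why the pin set should always carry a backup pin for the next certificate. Pinning the SubjectPublicKeyInfo instead survives renewals that reuse the key, but parsing it out of the DER needs a certificate library rather than the standard library alone.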