New Cuttlefish Malware Infects Routers to Monitor Traffic For Credentials

Summary:
Lumen Technologies' Black Lotus Labs has uncovered a new malware dubbed ‘Cuttlefish’ that has been observed infecting enterprise-grade and small office/home office routers to monitor data passing through them and steal authentication information. The malware supports various router architectures, with builds for ARM, i386, i386_i686, i386_x64, mips32, and mips64. Notably, Cuttlefish can create a proxy or VPN tunnel on compromised routers to discreetly exfiltrate data while bypassing security mechanisms. The malware is also capable of performing DNS and HTTP hijacking within private IP spaces, disrupting internal communications and potentially introducing additional payloads. “For traffic destined to private IP addresses, DNS requests are redirected to a specified DNS server, and HTTP requests are manipulated to redirect traffic to actor-controlled infrastructure using HTTP 302 error codes” (Bleeping Computer, 2024).

Security Officer Comments:
The initial infection method for Cuttlefish is yet to be determined but may involve exploiting known vulnerabilities or brute-forcing credentials on these routers. Once a router is compromised, a bash script is deployed that collects host-based data, including directory listings, running processes, and active connections. The script then downloads and executes Cuttlefish, which is loaded into memory to evade detection, while the downloaded file is wiped from the file system to hinder analysis by security professionals.

Once deployed, Cuttlefish monitors all connections through the device, passively sniffing data packets for ‘credential markers’. Researchers were able to extract the list of these markers: predefined strings such as “username,” “password,” “access_token,” “aws_secret_key,” and “cloudflare_auth_key,” among others, which are associated with cloud-based services such as Alicloud, AWS, Digital Ocean, CloudFlare, and BitBucket.
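A router-level sniffer can only harvest markers from traffic that crosses the device in cleartext, so the defender's counterpart to the behaviour described above is an audit of one's own captures for the same strings. The following is an added example, not code from the report or from Black Lotus Labs: it takes a list of captured flows (constructed here, with placeholder secrets), keeps only those that are cleartext HTTP, and reports which of the quoted markers appear in them. The marker list is the subset named in the write-up; the flow record format and the `audit_captures` function are assumptions of this example.

```python
"""Audit captured flows for cleartext occurrences of Cuttlefish's credential markers.

Added example (not from the report). Sample flows below are constructed; the
secrets in them are placeholders, not real credentials.
"""
import re
from typing import Iterable

# Subset of the credential markers quoted in the write-up (the full list is in the IOC file).
CREDENTIAL_MARKERS = (
    "username",
    "password",
    "access_token",
    "aws_secret_key",
    "cloudflare_auth_key",
)

# A marker counts only when it is used as a key: marker, optional quote, then '=' or ':'.
# This avoids matching the word inside unrelated text.
_MARKER_RE = re.compile(
    r"(?i)\b(" + "|".join(re.escape(m) for m in CREDENTIAL_MARKERS) + r")\b\s*[\"']?\s*[=:]"
)

# Request line of a cleartext HTTP/1.x request, which is what a passive sniffer can read.
_HTTP_REQUEST_RE = re.compile(rb"^(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def is_cleartext_http(payload: bytes) -> bool:
    """True if the payload starts with an HTTP/1.x request line (i.e. not TLS)."""
    return _HTTP_REQUEST_RE.match(payload) is not None


def find_credential_markers(payload: bytes) -> list[str]:
    """Return the distinct markers (lower-cased, sorted) used as keys in a cleartext payload."""
    text = payload.decode("utf-8", errors="ignore")
    return sorted({m.group(1).lower() for m in _MARKER_RE.finditer(text)})


def audit_captures(captures: Iterable[dict]) -> list[dict]:
    """Flag cleartext HTTP flows that carry credential markers.

    Each capture is a dict with 'src', 'dst', 'dst_port' and 'payload' (bytes);
    this record shape is an assumption of the example, not a capture format
    from the report.
    """
    findings = []
    for flow in captures:
        if not is_cleartext_http(flow["payload"]):
            continue  # TLS or non-HTTP: a router sniffer sees no usable markers here
        hits = find_credential_markers(flow["payload"])
        if hits:
            findings.append({"src": flow["src"], "dst": flow["dst"],
                             "dst_port": flow["dst_port"], "markers": hits})
    return findings


# Constructed sample flows: two cleartext logins, one harmless GET, one TLS ClientHello prefix.
SAMPLE_FLOWS = [
    {"src": "192.168.1.20", "dst": "10.0.0.5", "dst_port": 80,
     "payload": (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"username=alice&password=PLACEHOLDER-NOT-REAL")},
    {"src": "192.168.1.21", "dst": "10.0.0.5", "dst_port": 80,
     "payload": (b"GET /status HTTP/1.1\r\nHost: intranet.example\r\n\r\n")},
    {"src": "192.168.1.22", "dst": "10.0.0.9", "dst_port": 8080,
     "payload": (b"POST /api/v1/config HTTP/1.1\r\nHost: 10.0.0.9\r\n"
                 b"Content-Type: application/json\r\n\r\n"
                 b'{"aws_secret_key": "PLACEHOLDER-NOT-REAL"}')},
    {"src": "192.168.1.23", "dst": "10.0.0.5", "dst_port": 443,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
]

if __name__ == "__main__":
    for f in audit_captures(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['dst_port']} exposes {', '.join(f['markers'])}")
```

Every finding is a flow that should be moved to TLS (the report's own recommendation); flows destined for private addresses are worth attention first, since that is the traffic the malware is reported to hijack as well as sniff.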

Suggested Corrections:
(Bleeping Computer) Black Lotus Labs suggests that corporate network admins eliminate weak credentials, monitor for unusual logins from residential IPs, secure traffic with TLS/SSL, inspect devices for rogue iptables or other abnormal files, and routinely reboot them. When establishing remote connections to high-value assets, it is advisable to use certificate pinning to prevent hijacking. For SOHO router users, it is recommended to reboot the devices regularly, apply the latest available firmware updates, change default passwords, block remote access to the management interface, and replace them when they reach end-of-life (EoL).
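One of the checks recommended above is to inspect devices for rogue iptables rules. The script below is an added example, not code from the report or from Black Lotus Labs, and it rests on an assumption the report does not state: that a router-side hijack of DNS or HTTP destined for private addresses would be visible as DNAT/REDIRECT rules in the nat table. It parses `iptables-save` output (a constructed dump is embedded), and flags nat rules that rewrite DNS (53) or HTTP (80) traffic or that send traffic to an address outside RFC 1918 space. The `audit_iptables_dump` function name and the reporting format are this example's own.

```python
"""Flag NAT rules in iptables-save output that rewrite DNS/HTTP or point outside RFC 1918.

Added example (not from the report). It assumes that hijacking of DNS or HTTP on
a router would appear as DNAT/REDIRECT rules; the rule dump below is constructed.
"""
import ipaddress
import shlex

WATCHED_PORTS = {"53", "80"}           # DNS and HTTP, the protocols the report says are hijacked
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed iptables-save dump: two rules rewrite private-destined DNS/HTTP to an
# external host, one is an ordinary port forward, the rest is boilerplate.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.0.0.0/8 -p udp --dport 53 -j DNAT --to-destination 203.0.113.7:53
-A PREROUTING -d 10.0.0.0/8 -p tcp --dport 80 -j DNAT --to-destination 203.0.113.7:8080
-A PREROUTING -i eth1 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.50:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_rules(dump: str) -> list[dict]:
    """Turn '-A' lines of an iptables-save dump into dicts keyed by option name.

    Only the table, chain and 'option value' pairs are kept; flags without a
    value (and '!' negations) are skipped, which is enough for this audit.
    """
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]                     # e.g. '*nat' -> 'nat'
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule = {"table": table, "chain": toks[1], "raw": line}
            i = 2
            while i < len(toks):
                tok, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else None
                if tok.startswith("-") and nxt is not None and not nxt.startswith("-"):
                    rule[tok.lstrip("-")] = nxt  # '--to-destination' -> 'to-destination'
                    i += 2
                else:
                    i += 1
            rules.append(rule)
    return rules


def _is_rfc1918(dest: str) -> bool:
    """True if an IPv4 'host' or 'host:port' target lies in RFC 1918 space."""
    host = dest.rsplit(":", 1)[0] if ":" in dest else dest  # IPv4 only; IPv6 targets are not handled
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                             # hostnames/ranges: treat as not known-internal
    return any(addr in net for net in RFC1918)


def suspicious_nat_rules(rules: list[dict]) -> list[dict]:
    """Return DNAT/REDIRECT nat rules that touch DNS/HTTP or leave RFC 1918 space."""
    findings = []
    for r in rules:
        if r["table"] != "nat" or r.get("j") not in ("DNAT", "REDIRECT"):
            continue
        reasons = []
        if r.get("dport") in WATCHED_PORTS:
            reasons.append(f"rewrites port {r['dport']} (DNS/HTTP) traffic")
        dest = r.get("to-destination")
        if dest and not _is_rfc1918(dest):
            reasons.append(f"sends traffic to non-RFC1918 address {dest}")
        if reasons:
            findings.append({"rule": r["raw"], "reasons": reasons})
    return findings


def audit_iptables_dump(dump: str) -> list[dict]:
    """Parse a dump and return the suspicious rules, in the order they appear."""
    return suspicious_nat_rules(parse_rules(dump))


if __name__ == "__main__":
    for f in audit_iptables_dump(SAMPLE_IPTABLES_SAVE):
        print(f["rule"])
        for reason in f["reasons"]:
            print("   ->", reason)
```

On a live device, feed it the output of `iptables-save` (and `ip6tables-save`, with the IPv6 limitation above in mind); a port forward to an internal host is expected and is not flagged, while a rule that steers private-destined DNS or HTTP elsewhere is exactly what this check exists to surface.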

IOCs:
https://github.com/blacklotuslabs/IOCs/blob/main/Cuttlefish_IOCs.txt

Link(s):
https://www.bleepingcomputer.com/ne...s-routers-to-monitor-traffic-for-credentials/