'Cuttlefish' Zero-Click Malware Steals Private Cloud Data

The newly discovered malware, which has so far mainly targeted Turkish telcos and has links to HiatusRat, infects routers and performs DNS and HTTP hijacking attacks on connections to private IP addresses.

Broadclub cuttlefish, Sepia latimanus, in Komodo, Indonesia
Source: David Fleetham via Alamy Stock Photo

A never-before-seen malware strain is targeting enterprise-grade and SOHO routers to steal authentication details and other data from behind the network edge. It also performs DNS and HTTP hijacking attacks on connections to private IP addresses.

The packet-sniffing malware — dubbed "Cuttlefish" by the Black Lotus Labs team at Lumen Technologies who discovered it —features a zero-click approach to capturing data from users and devices, according to a blog post published May 1.

"Any data sent across network equipment infiltrated by this malware is potentially exposed," according to Black Lotus Labs. Attackers designed the modular malware to be triggered by a specific rule set, in particular to acquire authentication data, with an emphasis on public cloud-based services, the researchers said.

"To exfiltrate data, the threat actor first creates either a proxy or VPN tunnel back through a compromised router, then uses stolen credentials to access targeted resources," according to the post. "By sending the request through the router, we suspect the actor can evade anomalous sign-in based analytics by using the stolen authentication credentials."

Cuttlefish also has a secondary function that gives it the capacity to perform both DNS and HTTP hijacking for connections to private IP space that's associated with communications on an internal network. It can also interact with other devices on the LAN and move material or introduce new agents.

Cuttlefish's Unique Malware Behavior

Cuttlefish's capability to eavesdrop on edge networking equipment and perform DNS and HTTP hijacking "has seldom been observed;" however, campaigns such as ZuoRat, VPNFilter, Attor, and Plead exhibited similar behavior, according to Black Lotus Labs.

Unique to Cuttlefish, however, is its capability to zero in on private IP address connections for potential hijack, which is the first time the researchers have observed this capability and is likely for the purposes of anti-detection and persistence, they noted.

"We suspect that targeting these cloud services allows the attackers to gain access to many of the same materials hosted internally, without having to contend with security controls like EDR [extended detection and response] or network segmentation," according to the blog post.

The malware's combination of targeting networking equipment that's frequently unmonitored, as well as gaining access to cloud environments that often lack logging is intended to grant long-term persistent access to targeted ecosystems, the researchers noted.

Cuttlefish has been active since at least last July, with its latest campaign running from October through last month. The bulk of the infections occurred within Turkey via two telecommunications providers (a segment that's frequently targeted by cyberespionage malware), accounting for about 93% of infections, or 600 unique IP addresses.

There also have been "a handful" of non-Turkish victims, including IP addresses of clients likely associated with global satellite phone providers, and potentially a US-based data center, according to Black Lotus Labs.   

Researchers found links — specifically, code similarities and embedded build paths — to HiatusRat, thus they believe Cuttlefish also is aligned with the interests of China-based threat actors. However, so far Black Lotus Labs has not found shared victimology, surmising that the two malware clusters are operating concurrently.

Infection Process and Execution

While the researchers have not determined the initial infection vector, they did track the path of Cuttlefish once the targeted device was exploited, they said. The threat actor first deploys a bash script that gathers certain host-based data to send to the command-and-control server (C2). It also downloads and executes Cuttlefish in the form of a malicious binary compiled for all major architectures used by SOHO operating systems.

"This agent implements a multi-step process that begins with installing a packet filter for the inspection of all outbound connections and use of specific ports, protocols, and destination IP addresses," according to the post. "Cuttlefish constantly monitors all traffic through the device and only engages when it sees a particular set of activities."

The C2 sends updated and specified rules of engagement through a configuration file after it receives the host-based enumeration from the initial entry. The rule set directs the malware to hijack traffic destined to a private IP address; if heading to a public IP, it will initiate a sniffer function to steal credentials if certain parameters are met.

Defending Against Router Attacks

Aside from including a list of indicators of compromise (IoCs) in its post, the researchers also had separate advice for both corporate network defenders and those with SOHO routers to avoid and detect compromise by Cuttlefish.

Enterprise organizations should look for attacks on weak credentials and suspicious login attempts, even when they originate from residential IP addresses which bypass geofencing and ASN-based blocking. They also should encrypt network traffic with TLS/SSL to prevent sniffing when retrieving or sending data located remotely, such as when using cloud-based services or performing any type of authentication, the researchers advised.

Organizations that manage these types of routers should ensure that devices do not rely upon common default passwords, as well as that the management interfaces are properly secured and not accessible via the Internet. Inspection of SOHO devices for abnormal files such as binaries located in the /tmp directory or rogue iptables entries, as well as routinely power-cycling these devices to help remove malware samples in-memory can also help organizations avoid compromise. Enterprises also should implement certificate pinning when remotely connecting to high-value assets, such as cloud assets, to prevent threat actors from being able to hijack connections.

Consumers with SOHO routers should follow best practices of regularly rebooting routers and installing security updates and patches, as well as retiring and replacing routers that reach their end of life and thus support from their respective vendors.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights