Malware hunters at Lumen’s Black Lotus Labs have set eyes on a new malware platform roaming around enterprise-grade and small office/home office (SOHO) routers capable of covertly harvesting public cloud authentication data from internet traffic.
The platform, tagged Cuttlefish, is designed to steal authentication material found in web requests that transit the router from the adjacent local area network (LAN). Researchers also warn that the attackers have the capability to hijack DNS and HTTP connections to private IP spaces, which are typically associated with communications within an internal network.
According to documentation from Black Lotus Labs, there are code overlaps between Cuttlefish and HiatusRAT, a Chinese hacking group previously seen targeting US military networks and organizations in Europe.
“[The] targeting aligns with the interest of the People’s Republic of China. While there is code overlap between these two malware families, we have not observed shared victimology. We assess that these activity clusters are operating concurrently,” Black Lotus Labs said.
The research team said the Cuttlefish malware platform provides “a zero-click approach to capturing data from users and devices behind the targeted network’s edge.”
“Any data sent across network equipment infiltrated by this malware is potentially exposed. What makes this malware family so insidious is the ability to perform HTTP and DNS hijacking for connections to private IP addresses,” the researchers warn.
“Cuttlefish lies in wait, passively sniffing packets, acting only when triggered by a predefined ruleset. The packet sniffer used by Cuttlefish was designed to acquire authentication material, with an emphasis on public cloud-based services.”
Black Lotus Labs researchers found that the threat actor exfiltrated data by creating a proxy or VPN tunnel back through a compromised router, then using stolen credentials to access targeted resources. “By sending the request through the router, we suspect the actor can evade anomalous sign-in based analytics by using the stolen authentication credentials,” the researchers said.
According to data tracked by Lumen Technologies, the malware has been active since at least July 2023, with the latest campaign running from October 2023 through April 2024.
The company found Cuttlefish infections at a pair of telecommunications providers in Turkey with a handful of non-Turkish victims associated with global satellite phone providers, and a potential US-based datacenter.
Black Lotus Labs believes Cuttlefish represents the latest adaptation in networking equipment-based malware, as it combines multiple attributes. “It has the ability to perform route manipulation, hijack connections, and employs passive sniffing capability. With the stolen key material, the actor not only retrieves cloud resources associated with the targeted entity but gains a foothold into that cloud ecosystem.”
The company released indicators of compromise data and notes that the malware uses libpcap to create an extended Berkeley Packet Filter (eBPF) for eavesdropping and hijacking IP ranges.
Cuttlefish is specifically programmed to search for certain credential “markers” traversing the infected network. Some are generic, predefined strings like “username,” “password” or “access_token,” while others are much more targeted, like “aws_secret_key” and “cloudflare_auth_key.”
Many of the specific markers were associated with cloud-based services like Alicloud, AWS, DigitalOcean, Cloudflare and Bitbucket.
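Because the sniffer matches on parameter names like those listed above, a defender can run the same kind of matching over their own captured LAN traffic to find where cloud credentials still leave the network in cleartext. This is an added example, not code from the article or from Black Lotus Labs; the `MARKERS` list is taken from the names the article quotes, and the sample request and the `find_markers` function are constructed here for illustration.

```python
"""Audit a captured HTTP request for the credential markers Cuttlefish hunts for.

Added defensive example: reports which marker appeared in the query string,
headers or body, and whether the request travelled over plain HTTP.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Marker names quoted in the article; extend with your own parameter names.
MARKERS = ("username", "password", "access_token",
           "aws_secret_key", "cloudflare_auth_key")


def find_markers(raw_request: str, scheme: str = "http") -> list[dict]:
    """Return one finding per marker seen in the URL query, headers or
    form/JSON body of a single raw HTTP request (CRLF line endings)."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    findings = []

    def note(where: str, marker: str) -> None:
        findings.append({"host": host, "method": method, "location": where,
                         "marker": marker, "cleartext": scheme == "http"})

    # 1. Query-string parameters (e.g. ?access_token=...)
    for key, _ in parse_qsl(urlsplit(target).query):
        if key.lower() in MARKERS:
            note("query", key.lower())
    # 2. Header names (e.g. a custom X-Aws-Secret-Key header)
    for name in headers:
        for marker in MARKERS:
            if marker in name.replace("-", "_"):
                note("header", marker)
    # 3. Body keys: URL-encoded form fields or top-level JSON keys
    if "x-www-form-urlencoded" in headers.get("content-type", ""):
        keys = [k.lower() for k, _ in parse_qsl(body)]
    else:
        keys = [k.lower() for k in re.findall(r'"([A-Za-z_]+)"\s*:', body)]
    for key in keys:
        if key in MARKERS:
            note("body", key)
    return findings


# Constructed sample request, not real captured traffic.
SAMPLE = ("POST /api/login?access_token=abc HTTP/1.1\r\n"
          "Host: console.example.internal\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "username=alice&password=hunter2&aws_secret_key=EXAMPLEKEY")
```

Any finding with `cleartext` set is exactly the kind of material the article describes being harvested off the router, so it marks a flow to move onto TLS or a certificate-pinned channel.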
“Capturing credentials in transit could allow the threat actors to copy data from cloud resources that do not have the same type of logging or controls in place as traditional network perimeters,” the researchers warn.
Black Lotus Labs recommends that corporate network defenders hunt for attacks on weak credentials and suspicious login attempts, even when they originate from residential IP addresses, which can bypass geofencing and ASN-based blocking.
Network admins should also inspect SOHO devices for abnormal files such as binaries located in the /tmp directory or rogue iptables entries and implement certificate pinning when remotely connecting to high-value assets, such as cloud assets, to prevent threat actors from being able to hijack connections.