Cuttlefish Zero-Click Malware Steals Private Cloud Data

Published: 23/11/2024   Category: security




The newly discovered malware, which has so far mainly targeted Turkish telcos and has links to HiatusRat, infects routers and performs DNS and HTTP hijacking attacks on connections to private IP addresses.



A never-before-seen malware strain is targeting enterprise-grade and SOHO routers to steal authentication details and other data from behind the network edge. It also performs DNS and HTTP hijacking attacks on connections to private IP addresses.
The packet-sniffing malware — dubbed Cuttlefish by the Black Lotus Labs team at Lumen Technologies, which discovered it — features a zero-click approach to capturing data from users and devices, according to a blog post published May 1.
Any data sent across network equipment infiltrated by this malware is potentially exposed, according to Black Lotus Labs. Attackers designed the modular malware to be triggered by a specific rule set, in particular to acquire authentication data, with an emphasis on public cloud-based services, the researchers said.
To exfiltrate data, the threat actor first creates either a proxy or VPN tunnel back through a compromised router, then uses stolen credentials to access targeted resources, according to the post. "By sending the request through the router, we suspect the actor can evade anomalous sign-in based analytics by using the stolen authentication credentials."
Cuttlefish also has a secondary function that gives it the capacity to perform both DNS and HTTP hijacking for connections to private IP space that's associated with communications on an internal network. It can also interact with other devices on the LAN and move material or introduce new agents.
Cuttlefish's capability to eavesdrop on edge networking equipment and perform DNS and HTTP hijacking has seldom been observed; however, campaigns such as ZuoRat, VPNFilter, Attor, and Plead exhibited similar behavior, according to Black Lotus Labs.
Unique to Cuttlefish, however, is its capability to zero in on private IP address connections for potential hijack, which is the first time the researchers have observed this capability and is likely for the purposes of anti-detection and persistence, they noted.
"We suspect that targeting these cloud services allows the attackers to gain access to many of the same materials hosted internally, without having to contend with security controls like EDR [extended detection and response] or network segmentation," according to the blog post.
The malware's combination of targeting networking equipment that's frequently unmonitored, as well as gaining access to cloud environments that often lack logging, is intended to grant long-term persistent access to targeted ecosystems, the researchers noted.
Cuttlefish has been active since at least last July, with its latest campaign running from October through last month. The bulk of the infections occurred within Turkey via two telecommunications providers (a segment that's frequently targeted by cyberespionage malware), accounting for about 93% of infections, or 600 unique IP addresses.
There also have been a handful of non-Turkish victims, including IP addresses of clients likely associated with global satellite phone providers, and potentially a US-based data center, according to Black Lotus Labs.
Researchers found links — specifically, code similarities and embedded build paths — to HiatusRat, thus they believe Cuttlefish also is aligned with the interests of China-based threat actors. However, so far Black Lotus Labs has not found shared victimology, surmising that the two malware clusters are operating concurrently.
While the researchers have not determined the initial infection vector, they did track the path of Cuttlefish once the targeted device was exploited, they said. The threat actor first deploys a bash script that gathers certain host-based data to send to the command-and-control server (C2). It also downloads and executes Cuttlefish in the form of a malicious binary compiled for all major architectures used by SOHO operating systems.
This agent implements a multi-step process that begins with installing a packet filter for the inspection of all outbound connections and use of specific ports, protocols, and destination IP addresses, according to the post. Cuttlefish constantly monitors all traffic through the device and only engages when it sees a particular set of activities.
The C2 sends updated and specified rules of engagement through a configuration file after it receives the host-based enumeration from the initial entry. The rule set directs the malware to hijack traffic destined to a private IP address; if heading to a public IP, it will initiate a sniffer function to steal credentials if certain parameters are met.
Aside from including a list of indicators of compromise (IoCs) in its post, the researchers also had separate advice for both corporate network defenders and those with SOHO routers to avoid and detect compromise by Cuttlefish.
Enterprise organizations should look for attacks on weak credentials and suspicious login attempts, even when they originate from residential IP addresses which bypass geofencing and ASN-based blocking. They also should encrypt network traffic with TLS/SSL to prevent sniffing when retrieving or sending data located remotely, such as when using cloud-based services or performing any type of authentication, the researchers advised.
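The sign-in analytics the researchers recommend can be sketched as a small rule set. The following is an added example for this article, not code from Black Lotus Labs or the vendor post: it scores constructed authentication events for password-guessing bursts, a success immediately after such a burst, and first-seen source addresses, and it deliberately does not exempt residential source networks (the `asn_type` field, the thresholds, the account names and the addresses are all assumptions).

```python
"""Flag suspicious sign-ins without exempting residential source networks.

Added example for this article; it is not code from Black Lotus Labs or the
vendor post. The event format, thresholds and IP addresses are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON event per line, as a cloud identity provider
# might export them. Addresses come from the documentation ranges (RFC 5737).
SAMPLE_EVENTS = """\
{"ts": "2024-03-04T08:00:00", "user": "alice", "src_ip": "203.0.113.7", "asn_type": "residential", "result": "fail"}
{"ts": "2024-03-04T08:00:10", "user": "alice", "src_ip": "203.0.113.7", "asn_type": "residential", "result": "fail"}
{"ts": "2024-03-04T08:00:20", "user": "alice", "src_ip": "203.0.113.7", "asn_type": "residential", "result": "fail"}
{"ts": "2024-03-04T08:00:30", "user": "alice", "src_ip": "203.0.113.7", "asn_type": "residential", "result": "fail"}
{"ts": "2024-03-04T08:00:40", "user": "alice", "src_ip": "203.0.113.7", "asn_type": "residential", "result": "fail"}
{"ts": "2024-03-04T08:00:55", "user": "alice", "src_ip": "203.0.113.7", "asn_type": "residential", "result": "success"}
{"ts": "2024-03-04T08:05:00", "user": "bob", "src_ip": "198.51.100.5", "asn_type": "hosting", "result": "success"}
{"ts": "2024-03-04T08:07:00", "user": "carol", "src_ip": "203.0.113.42", "asn_type": "residential", "result": "success"}
"""

# Assumed baseline of source addresses each account has used before (constructed).
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.5"}, "carol": {"192.0.2.33"}}

FAIL_THRESHOLD = 5              # failures from one source against one account ...
WINDOW = timedelta(minutes=10)  # ... inside this window count as a password attack


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious(events, known_ips):
    """Return a list of (user, reason) findings.

    asn_type is reported but never used to suppress a finding: a residential
    source is treated exactly like a hosting one.
    """
    findings = []
    recent_fails = defaultdict(list)  # (user, src_ip) -> failure timestamps in window
    for event in events:
        key = (event["user"], event["src_ip"])
        now = event["ts"]
        # Keep only the failures that are still inside the sliding window.
        recent_fails[key] = [t for t in recent_fails[key] if now - t <= WINDOW]
        if event["result"] == "fail":
            recent_fails[key].append(now)
            if len(recent_fails[key]) == FAIL_THRESHOLD:
                findings.append((event["user"],
                                 f"{FAIL_THRESHOLD} failures from {event['src_ip']} within {WINDOW}"))
            continue
        # A success right after a burst of failures looks like a guessed or stolen password.
        if recent_fails[key]:
            findings.append((event["user"],
                             f"success from {event['src_ip']} after {len(recent_fails[key])} recent failures"))
        # A success from an address this account has never used before.
        if event["src_ip"] not in known_ips.get(event["user"], set()):
            findings.append((event["user"],
                             f"first sign-in from {event['src_ip']} ({event['asn_type']} network)"))
    return findings


if __name__ == "__main__":
    for user, reason in find_suspicious(parse_events(SAMPLE_EVENTS), KNOWN_IPS):
        print(f"{user}: {reason}")
```

On the constructed sample this reports three findings for `alice` (the failure burst, the success that follows it, and a never-seen source) and one for `carol` (a new residential source), while `bob`, signing in from a known address, produces none. In a real deployment the known-address baseline would be built from historical successful sign-ins rather than hard-coded.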
Organizations that manage these types of routers should ensure that devices do not rely upon common default passwords, as well as that the management interfaces are properly secured and not accessible via the Internet. Inspection of SOHO devices for abnormal files such as binaries located in the /tmp directory or rogue iptables entries, as well as routinely power-cycling these devices to help remove malware samples in-memory, can also help organizations avoid compromise. Enterprises also should implement certificate pinning when remotely connecting to high-value assets, such as cloud assets, to prevent threat actors from being able to hijack connections.
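The two device inspections mentioned above, checking /tmp for unexpected executables and looking for iptables entries that were not there at provisioning time, can be scripted against artifacts pulled off the router. This is an added example for this article, not code from the vendor post: it assumes the operator has already collected `iptables-save` output and an `ls -l /tmp` listing from the device (for example over SSH) and keeps a known-good baseline to compare against; every rule, counter value and file name below is constructed.

```python
"""Review artifacts collected from a SOHO router for signs of tampering.

Added example for this article, not code from the vendor post. It assumes the
operator has already pulled 'iptables-save' output and an 'ls -l /tmp' listing
off the device (e.g. over SSH) and compares them with a known-good baseline.
All rule text, counters and file names below are constructed.
"""
import re

# Constructed: iptables-save output captured when the device was provisioned.
BASELINE_RULES = """\
# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Constructed: iptables-save output captured now. Packet counters differ (which
# is normal) and one rule diverts forwarded HTTP traffic to a userspace queue,
# which is the kind of entry that must be explained or treated as rogue.
CURRENT_RULES = """\
# Generated by iptables-save
*filter
:INPUT DROP [120:9800]
:FORWARD ACCEPT [44:3100]
:OUTPUT ACCEPT [300:41000]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 0
COMMIT
"""

# Constructed: 'ls -l /tmp' in the format BusyBox prints on a typical router.
TMP_LISTING = """\
-rw-r--r--    1 root     root           12 Apr 30 11:02 dhcp.leases
-rwxr-xr-x    1 root     root       884212 Apr 30 11:07 netcfg
-rwxr-xr-x    1 root     root         2311 Apr 30 11:07 run.sh
srwxr-xr-x    1 root     root            0 Apr 30 11:00 ubus.sock
"""

# Executables an operator expects in /tmp on this device (constructed: none).
EXPECTED_TMP_EXECUTABLES = set()


def _normalize_rules(text):
    """Drop comments and per-chain packet counters so only the rule set remains."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(re.sub(r"\s*\[\d+:\d+\]$", "", line))
    return rules


def rogue_iptables_rules(baseline_text, current_text):
    """Return rules present now that were not in the baseline, in device order."""
    baseline = set(_normalize_rules(baseline_text))
    return [rule for rule in _normalize_rules(current_text) if rule not in baseline]


def suspicious_tmp_entries(listing_text, expected=EXPECTED_TMP_EXECUTABLES):
    """Return names of regular files in the listing that carry an execute bit
    and are not on the expected list (sockets, directories, etc. are skipped)."""
    found = []
    for line in listing_text.splitlines():
        fields = line.split(None, 8)  # perms links owner group size mon day time name
        if len(fields) < 9:
            continue
        perms, name = fields[0], fields[8]
        if perms[0] == "-" and "x" in perms[1:] and name not in expected:
            found.append(name)
    return found


if __name__ == "__main__":
    for rule in rogue_iptables_rules(BASELINE_RULES, CURRENT_RULES):
        print("rule not in baseline:", rule)
    for name in suspicious_tmp_entries(TMP_LISTING):
        print("executable in /tmp:", name)
```

Comparing against a baseline rather than against a list of "bad" rule patterns is the more robust choice: the operator does not need to know in advance what a hijacking rule looks like, only what the device looked like when it was trusted. The same baseline approach can be extended to `/etc/init.d` entries and cron files, but the page limits itself to /tmp and iptables, so this example does too.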
Consumers with SOHO routers should follow best practices of regularly rebooting routers and installing security updates and patches, as well as retiring and replacing routers that have reached their end of life and therefore no longer receive support from their respective vendors.
