New SOHO router malware aims for cloud accounts, internal company resources

Cuttlefish, a new malware family that targets enterprise-grade small office/home office (SOHO) routers, is used by criminals to steal account credentials / secrets for AWS, CloudFlare, Docker, BitBucket, Alibaba Cloud and other cloud-based services.

“With the stolen key material, the actor not only retrieves cloud resources associated with the targeted entity but gains a foothold into that cloud ecosystem,” Black Lotus Labs researchers noted.

“To exfiltrate data, the threat actor first creates either a proxy or VPN tunnel back through a compromised router, then uses stolen credentials to access targeted resources. By sending the request through the router, we suspect the actor can evade anomalous sign-in based analytics by using the stolen authentication credentials.”

How Cuttlefish infects and uses SOHO routers

The researchers don’t yet know how attackers wielding Cuttlefish gain access to target routers, but they know what they install: a bash script that gathers data about the device, then downloads and executes the malware, i.e., loads it into the device’s memory (and deletes it from the file system).

The malware installs a packet filter that monitors the traffic passing through the device. It “sniffs” (steals) credentials sent to public IP addresses and hijacks traffic destined to private IP addresses.

Cuttlefish in action (Source: Lumen Technologies / Black Lotus Labs)

“We suspect [the latter] capability enables Cuttlefish to hijack internal (a.k.a. ‘east-west’) traffic through the router, or site-to-site traffic where there is a VPN connection established between routers. The additional function opens the door to secured resources that are not accessible via the public internet,” they explained.

“We suspect that targeting these cloud services allows the attackers to gain access to many of the same materials hosted internally, without having to contend with security controls like EDR or network segmentation. We assess the combination of targeting networking equipment (which is frequently unmonitored), to gaining access to cloud environments (which frequently do not have logging in place), is intended to grant long term persistent access to those targeted ecosystems.”

The malicious Cuttlefish binary is compiled for all major architectures used by SOHO operating systems: ARM, i386, i386_i686, i386_x64, mips32, and mips64.

The malware is also capable of interacting with other devices on the LAN, moving material or introducing new agents, the researchers found.

Advice for SOHO router users

While there are some code and build path similarities between HiatusRAT and Cuttlefish, there is no definitive evidence that the same attackers are behind the two.

“Lumen’s global network telemetry surrounding the Cuttlefish campaigns was peculiar, in that approximately 99% of the connections to the confirmed C2 stemmed from Turkish-based IP addresses going back to early October 2023,” the researchers noted, and shared indicators of compromise and advice for both corporate network defenses and consumers with SOHO routers.

“Internet routers remain a popular asset for threat actors to compromise since they often have reduced security monitoring, have less stringent password policies, are not updated frequently, and may use powerful operating systems that allow for installation of malware such as cryptocurrency miners, proxies, distributed denial of service (DDoS) malware, malicious scripts, and webservers,” Trend Micro researchers recently pointed out.

“Internet-facing devices like SOHO routers are also a popular asset for criminal purposes and espionage. While some of the networks of compromised SOHO routers may look like a zoo that anybody can abuse, especially when default credentials remain valid, malicious actors can capitalize on this noisy environment for their own benefit and make use of them discreetly.”