Discovered by Lumen Technologies' Black Lotus Labs, Cuttlefish operates by infecting routers and creating a proxy or VPN tunnel to stealthily exfiltrate data. By doing so, it bypasses security measures designed to detect unusual sign-ins, making it particularly insidious.
One of the most concerning aspects of Cuttlefish is its ability to perform DNS and HTTP hijacking within private IP spaces.
This interference with internal communications can disrupt organizational workflows and potentially introduce additional payloads, compounding the damage caused by the initial infection.
While Cuttlefish shares some code similarities with HiatusRat, a malware previously associated with Chinese state interests, there is no definitive link between the two. Attribution remains challenging, further complicating efforts to combat this threat effectively.
According to Black Lotus Labs, Cuttlefish has been active since at least July 2023, primarily targeting users in Turkey. However, infections have been reported elsewhere, impacting services such as satellite phones and data centres.
The exact method of initial infection remains unclear, but it likely involves exploiting known vulnerabilities or brute-forcing credentials. Once inside a router, Cuttlefish deploys a bash script to collect host-based data and download its primary payload.
What sets Cuttlefish apart is its adaptability to various router architectures, making it a versatile threat capable of targeting a wide range of devices. Once executed, the malware monitors all connections passing through the router, searching for specific data such as usernames, passwords, and tokens associated with cloud services like AWS and Digital Ocean.
Once this data is captured, Cuttlefish exfiltrates it to the attacker's command and control (C2) server using a peer-to-peer VPN or proxy tunnel.
Additionally, the malware can redirect DNS and HTTP requests to actor-controlled infrastructure, enabling further data interception and manipulation.
Cuttlefish severely threatens organizations worldwide, allowing attackers to bypass traditional security measures and dwell undetected within cloud environments. Network administrators should take proactive steps to strengthen their defences to mitigate the risk posed by Cuttlefish and similar threats.
This includes eliminating weak credentials, monitoring for unusual logins, securing traffic with TLS/SSL encryption, and inspecting devices for signs of compromise. Additionally, regular router reboots, firmware updates, and password changes are recommended for SOHO router users to prevent exploitation.
Cuttlefish represents a significant escalation in cyber threats, underscoring the importance of robust cybersecurity practices and constant vigilance in today's digital landscape. Organizations can better protect themselves against emerging threats like Cuttlefish by staying informed and implementing proactive security measures.
