A new cyber threat has emerged, identified as “Cuttlefish,” specifically targeting small office and home office (SOHO) routers. This sophisticated malware aims to covertly monitor all traffic traversing these devices while collecting authentication data from HTTP GET and POST requests. According to a recent report from the Black Lotus Labs team at Lumen Technologies, Cuttlefish employs a modular design primarily to extract sensitive authentication information from web requests within the local area network (LAN).
In addition to its data theft capabilities, Cuttlefish has a secondary function that enables it to hijack DNS and HTTP connections linked to private IP addresses for internal network communications. The findings suggest a connection to a previously recognized malware cluster, “HiatusRAT,” although there has been no documented overlap in targeted victims as of yet. This indicates that the two operations appear to be operating together but targeting different groups.
Cuttlefish is reported to have been active since at least July 27, 2023, with its most recent campaign spanning from October 2023 to April 2024. During this period, it has predominantly targeted 600 unique IP addresses associated with two Turkish telecom providers. However, the precise method of initial access remains unclear. Once access is secured, the malware utilizes a bash script to gather extensive host information, including contents from the /etc directory, running processes, active connections, and mounted drives, exfiltrating this data to a domain presumably controlled by the attackers.
After establishing a foothold, Cuttlefish proceeds to download and execute its payload, which varies depending on the architecture of the infected router. A critical characteristic of this malware is its passive network packet sniffing mechanism, which is specifically designed to identify authentication credentials linked to public cloud services such as AWS, Digital Ocean, CloudFlare, and Alicloud through the use of an extended Berkeley Packet Filter (eBPF).
The codified rules directing this functionality dictate that the malware can either hijack traffic aimed at private IP addresses or initiate sniffing for public IP traffic to acquire credentials when specific criteria are met. These hijacking rules are refreshed and retrieved from a dedicated command-and-control server upon establishing a secure connection utilizing an embedded RSA certificate.
Moreover, Cuttlefish is equipped to function as a proxy and VPN, facilitating the transmission of captured data through the compromised router. This capability enables threat actors to exploit the stolen credentials to access targeted resources undetected. The sophisticated nature of Cuttlefish highlights the evolution of eavesdropping malware aimed at edge networking equipment.
This incident illustrates the potential tactical layers involved, aligning with MITRE ATT&CK tactics such as initial access through exploitation of public-facing applications, persistence via installation of malware, and credential access through intercepting web traffic. With the complexity and stealth of Cuttlefish, cybersecurity experts are urging businesses to remain vigilant, particularly those relying heavily on SOHO architectures.
As organizations increasingly migrate to cloud-based solutions, the implications of such attacks can be profound, leading to unauthorized access to sensitive information, potential data breaches, and significant operational disruptions. Engaging with cybersecurity professionals to review and strengthen network defenses against such sophisticated threats is essential in safeguarding business integrity and client trust.
