Cuttlefish: A stealthy marine spy right in your router

Father

No password will escape the sophisticated digital cuttlefish.

A new type of malware, called "Cuttlefish", was discovered in routers in large enterprises and small offices. It monitors all information passing through infected devices and steals credentials.

Black Lotus Labs reports that Cuttlefish creates a proxy or VPN tunnel on the router for covert data transmission, bypassing systems that flag suspicious logins.

The malware intercepts DNS and HTTP requests inside private networks, disrupting internal communications and downloading additional malicious modules.

Although some of the Cuttlefish code resembles HiatusRat, which was used in campaigns aligned with Chinese interests, no direct connection between the two programs has been established.

Cuttlefish has been active since July 2023; its most active campaign targets Turkey, with further victims among satellite communications providers and data centers in other regions.

The initial infection vector for the routers has not yet been established, but known vulnerabilities or credential guessing are the likely means. After gaining access to the router, a bash script begins collecting data from the host, including directory listings, active processes, and network connections.

The downloaded script then executes the main Cuttlefish payload, which is loaded into memory to evade detection; the file is immediately deleted from the file system afterwards.

According to Black Lotus Labs, Cuttlefish exists in builds for ARM, i386 and other architectures; together they cover many router models.

The malware uses packet filters to monitor all connections and, upon detecting specific data, acts according to predefined rules that are regularly updated from the attackers' control server.

Cuttlefish actively searches traffic for credential material such as usernames, passwords, and authentication tokens, especially those tied to cloud services. The captured data is stored locally and, once a certain volume is reached, sent to the attackers.

To protect against Cuttlefish, network administrators are advised to eliminate weak passwords, monitor for unusual logins, use TLS/SSL for connections, check for suspicious files, and periodically reboot their devices.

In addition, especially for budget routers, it is worth regularly checking for firmware updates, blocking remote access to the management interface, and promptly replacing devices once vendor support ends.