Lumen's Black Lotus Labs has identified a new malware platform targeting enterprise-grade and small office/home office (SOHO) routers that can covertly harvest public cloud authentication data from internet traffic. Dubbed Cuttlefish, the platform steals authentication material from web requests passing through the router from the adjacent local area network (LAN). Researchers warn that the attackers can also hijack DNS and HTTP connections destined for private IP space, which is typically associated with internal network communications.

Cuttlefish shares code with HiatusRat, a malware used by a Chinese hacking group known for targeting US military networks and European organizations. Despite the code similarities, the victimology of the two appears to be separate.

The malware operates passively, sniffing packets and acting only when traffic matches predefined rulesets. It is designed to acquire authentication material, with a focus on public cloud-based services. Cuttlefish exfiltrates data by creating a proxy or VPN tunnel through the compromised router and then uses the stolen credentials to access the targeted resources.

Active since at least July 2023, the latest campaign has been running from October 2023 through April 2024. Cuttlefish infections have been found at telecommunications providers in Turkey, along with a few non-Turkish victims, including global satellite phone providers and potentially a US-based datacenter.

Cuttlefish represents an advancement in malware for networking equipment, combining route manipulation, connection hijacking, and passive sniffing. It specifically targets credential markers associated with cloud-based services such as Alicloud, AWS, Digital Ocean, CloudFlare, and BitBucket.

Black Lotus Labs advises corporate network defenders to monitor for weak credentials and suspicious login attempts, even those originating from residential IP addresses, and to inspect SOHO devices for abnormal files or rogue iptables entries. Implementing certificate pinning for remote connections to high-value assets is also recommended to prevent connection hijacking.
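The advice above to inspect SOHO devices for rogue iptables entries is easier to act on with a script. The following is an added example, not code from Black Lotus Labs or from the Cuttlefish report: it parses an `iptables-save` dump and flags NAT and mangle rules that could redirect or mirror DNS and HTTP/HTTPS traffic, or that act on private destination ranges, since those are the traffic classes the report says the malware hijacks. The heuristic (flagging `DNAT`, `REDIRECT` and `TEE` targets on ports 53, 80 and 443 or on private `-d` ranges) is this example's own assumption about what "rogue" looks like, not a published signature, and the sample dump is constructed for the example.

```python
"""Audit an `iptables-save` dump for rules that could hijack or mirror LAN traffic.

Added example. The rule shapes flagged here are an assumed heuristic for
DNS/HTTP hijacking on a SOHO router, not indicators taken from the report.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Ports whose redirection on a router would let an attacker hijack DNS/HTTP/HTTPS.
HIJACK_PORTS = {"53", "80", "443"}
# Targets that rewrite a packet's destination (DNAT/REDIRECT) or clone it to
# another host (TEE), the building blocks of connection hijacking and sniffing.
HIJACK_TARGETS = {"DNAT", "REDIRECT", "TEE"}


@dataclass
class Finding:
    table: str   # iptables table the rule lives in (nat, mangle, ...)
    rule: str    # the raw -A line
    reason: str  # why it was flagged


def _is_private(addr: str) -> bool:
    """True if addr (IP or CIDR) is in RFC 1918 / other private space."""
    try:
        return ipaddress.ip_network(addr, strict=False).is_private
    except ValueError:
        return False


def _opt(tokens: List[str], *names: str) -> Optional[str]:
    """Return the argument following the first matching option name, if any."""
    for i, tok in enumerate(tokens):
        if tok in names and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def find_suspicious_rules(dump: str) -> List[Finding]:
    """Scan iptables-save output and return rules matching the hijack heuristic."""
    findings: List[Finding] = []
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # "*nat", "*filter", ... start a table
            table = line[1:]
            continue
        if table is None or not line.startswith("-A"):
            continue                      # skip chain policies, COMMIT, comments
        tokens = shlex.split(line)
        target = _opt(tokens, "-j")
        if target not in HIJACK_TARGETS:
            continue
        dport = _opt(tokens, "--dport")
        dst = _opt(tokens, "-d")
        reasons = []
        if dport in HIJACK_PORTS:
            reasons.append(f"{target} on well-known port {dport}")
        if dst and _is_private(dst):
            reasons.append(f"{target} applied to private destination {dst}")
        if target == "TEE":
            reasons.append("TEE mirrors packets to another host")
        if reasons:
            findings.append(Finding(table, line, "; ".join(reasons)))
    return findings


# Constructed sample dump: one benign SSH port-forward plus three rules that
# match the heuristic (DNS redirection, HTTP rewrite for private space, and
# TLS traffic mirrored via TEE).
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i br-lan -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.250:53
-A PREROUTING -i br-lan -d 10.0.0.0/8 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.250:8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*mangle
-A PREROUTING -i br-lan -p tcp -m tcp --dport 443 -j TEE --gateway 192.168.1.250
COMMIT
"""

if __name__ == "__main__":
    # On a real device: iptables-save | python3 audit_iptables.py
    for f in find_suspicious_rules(SAMPLE_DUMP):
        print(f"[{f.table}] {f.reason}\n    {f.rule}")
```

The benign SSH forward on port 22 produces no finding, while the three hijack-shaped rules do; on a live router the dump would be piped in from `iptables-save` and any hit compared against the device's intended configuration.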