Cybersecurity researchers from Black Lotus Labs recently observed a new infection campaign, targeting both enterprise-level and small office/home routers (SOHO) with information-stealing malware.
According to the researchers, the unidentified threat actors are either abusing a zero-day vulnerability, or simply brute-forcing their way into routers, after which they plant a brand new malware variant.
This malware, called Cuttlefish, creates a proxy, or a VPN tunnel, through which it siphons sensitive data passing through the device, such as login credentials.
Connections to HiatusRAT
The malware also comes with different obfuscation techniques, successfully bypassing solutions designed to spot unusual sign-in attempts. It also works well around network segmentation, or endpoint monitoring.
There are many unknowns surrounding the campaign, Black Lotus Labs further explains, including the identity of the attackers, the number of infected endpoints, or the motive for the attack. So far, the majority of compromised devices are located in Turkey, with a few others apparently impacting satellite phone and data center services.
While the identity of the attackers is unknown, the researchers spotted a few similarities with a threat actor they track as HiatusRAT. They stressed that it’s impossible to conclusively connect the two at this time. HiatusRAT was seen in the past advancing Chinese state interests, although actual affiliation has not been confirmed.
Whoever the adversary is, and whatever their motives are, to protect your routers Black Lotus Labs says you should make sure your login credentials are not weak, and should update them regularly. Routers should be frequently restarted, their firmware updated, and remote access to the management interface blocked.
Furthermore, you should keep an eye on unusual logins from residential IP addresses, secure traffic with TLS/SSL, and inspect devices for rogue IPtables. You should implement certificate pinning when connecting to assets of high value, and just replace the device when it reaches end of life.