'Cuttlefish' Zero-Click Malware Steals Private Cloud Data

01-May-24

A never-before-seen malware strain is targeting enterprise-grade and SOHO routers to steal authentication details and other data from behind the network edge. It also performs DNS and HTTP hijacking attacks on connections to private IP addresses.


The packet-sniffing malware — dubbed “Cuttlefish” by the Black Lotus Labs team at Lumen Technologies who discovered it — features a zero-click approach to capturing data from users and devices, according to a blog post published May 1.


“Any data sent across network equipment infiltrated by this malware is potentially exposed,” according to Black Lotus Labs. Attackers designed the modular malware to be triggered by a specific rule set, in particular to acquire authentication data, with an emphasis on public cloud-based services, the researchers said.


Unique to Cuttlefish, however, is its capability to zero in on connections to private IP addresses for potential hijacking. The researchers said this is the first time they have observed such a capability, and that it is likely intended to evade detection and to maintain persistence.


“We suspect that targeting these cloud services allows the attackers to gain access to many of the same materials hosted internally, without having to contend with security controls like EDR [endpoint detection and response] or network segmentation,” according to the blog post.


The malware’s combination of targeting networking equipment that is frequently unmonitored and gaining access to cloud environments that often lack logging is intended to grant long-term persistent access to targeted ecosystems, the researchers noted.
