Another new router malware is sniffing around for your login details
Cybersecurity researchers at Black Lotus Labs recently observed a new infection campaign targeting both enterprise-grade and small office/home office (SOHO) routers with information-stealing malware.
According to the researchers, the unidentified threat actors either exploit a zero-day vulnerability or simply brute force their way into routers and install a brand new malware variant.
Called Cuttlefish, this malware creates a proxy, or VPN tunnel, through which sensitive data passing through the device, such as login credentials, is siphoned off.
Connections to HiatusRAT
The malware also uses several obfuscation techniques that bypass solutions designed to detect unusual login attempts, and it sidesteps network segmentation and endpoint monitoring.
There are many unknowns surrounding the campaign, Black Lotus Labs further explains, including the identity of the attackers, the number of endpoints infected, and the motive for the attack. So far, the majority of the compromised devices are in Turkey, with a few others apparently affecting satellite phone and data center services.
Although the identity of the attackers is unknown, the researchers discovered some similarities to a threat actor they are tracking as HiatusRAT. They emphasized that it is currently impossible to definitively connect the two. In the past, HiatusRAT was seen as promoting Chinese state interests, although actual ties have not been confirmed.
Whoever the adversary is, and whatever their motives, to protect your routers, Black Lotus Labs says you should make sure your credentials aren’t weak and update them regularly. Routers should be rebooted regularly, their firmware updated, and external access to the management interface blocked.
Additionally, you should monitor for unusual logins from residential IP addresses, secure traffic with TLS/SSL, and inspect devices for fraudulent iptables rules. You should implement certificate pinning when connecting to high-value assets, and simply replace the device when it reaches end of life.
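The advice to inspect devices for fraudulent iptables rules, as an added defensive example that is not part of the original article or of Black Lotus Labs' research: a Python script that audits `iptables-save` output from a router and flags NAT rules that divert traffic to a host outside the approved internal networks, REDIRECT rules that pull traffic into the router itself, and firewall rules that expose management ports on the WAN interface. The sample rule set, the WAN interface name `eth0`, the management port list and the approved RFC 1918 networks are constructed assumptions; adjust them to the device being audited.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Ports a router's management interface typically listens on (assumption).
MGMT_PORTS = {22, 23, 80, 443, 8080, 8443}

# Constructed sample of `iptables-save` output (not real Cuttlefish artefacts).
# It mixes benign rules with three a defender would want to review.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br-lan -p tcp --dport 443 -j DNAT --to-destination 203.0.113.10:443
-A PREROUTING -i br-lan -p tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth0 -p tcp --dport 8443 -j DNAT --to-destination 192.168.1.50:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i br-lan -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text: str) -> List[Dict[str, str]]:
    """Return the '-A' rule lines of an iptables-save dump, tagged with their table."""
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. "*nat"
            table = line[1:]
        elif line.startswith("-A ") and table:
            rules.append({"table": table, "rule": line})
    return rules


def _opt(rule: str, flag: str) -> Optional[str]:
    """Value following a flag such as '-j' or '--dport', or None if absent."""
    m = re.search(rf"(?:^|\s){re.escape(flag)}\s+(\S+)", rule)
    return m.group(1) if m else None


def _host_approved(host: Optional[str], approved: List[ipaddress.IPv4Network]) -> bool:
    """True only if the DNAT target parses as an address inside an approved network."""
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                      # ranges or hostnames: treat as suspicious
        return False
    return any(addr in net for net in approved)


def audit_rules(text: str, wan_iface: str = "eth0",
                approved_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")) -> List[Dict[str, str]]:
    """Flag NAT diversions and WAN-exposed management ports; returns review findings."""
    approved = [ipaddress.ip_network(n) for n in approved_nets]
    findings = []
    for r in parse_iptables_save(text):
        rule, table, target = r["rule"], r["table"], _opt(r["rule"], "-j")
        if table == "nat" and target == "REDIRECT":
            findings.append({"rule": rule, "reason": "REDIRECT diverts traffic to the router itself; confirm it is expected"})
        elif table == "nat" and target == "DNAT":
            dest = _opt(rule, "--to-destination")
            host = dest.rsplit(":", 1)[0] if dest else None
            if not _host_approved(host, approved):
                findings.append({"rule": rule, "reason": f"DNAT to non-approved host {host}"})
        elif (table == "filter" and _opt(rule, "-A") == "INPUT"
              and target == "ACCEPT" and _opt(rule, "-i") == wan_iface):
            dport = _opt(rule, "--dport")
            if dport and dport.isdigit() and int(dport) in MGMT_PORTS:
                findings.append({"rule": rule, "reason": f"management port {dport} reachable on WAN interface {wan_iface}"})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_IPTABLES_SAVE):
        print(f"REVIEW: {f['reason']}\n    {f['rule']}")
```

On a live device, pipe `iptables-save` (and `ip6tables-save`, which this parser does not cover) into `audit_rules` and compare the findings against the router's documented configuration; anything diverting LAN web traffic to an outside address or exposing the management interface on the WAN side warrants the credential reset and firmware update the article recommends.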