Stealthy 'Cuttlefish' Malware Hides on Routers to Steal Credentials from Network Traffic

'Cuttlefish' Malware Infects Routers to Spy on Network Traffic and Steal Data

HIGH
March 12, 2026
Malware · IoT Security · Threat Intelligence


Executive Summary

Security researchers have uncovered 'Cuttlefish', a new and highly sophisticated malware strain specifically designed to infect and persist on enterprise-grade and SOHO routers. The malware functions as a passive and stealthy data thief. Once resident on a router, it monitors all traffic that passes through it, looking for authentication credentials and other sensitive information. Cuttlefish can create a private VPN on the compromised router for data exfiltration and can also hijack DNS and HTTP traffic to launch further attacks. Its ability to hide within a core network device and steal data without altering endpoint behavior makes it a particularly insidious threat.


Threat Overview

Cuttlefish represents a significant evolution in router-based malware. Unlike simpler malware that might just add a device to a botnet, Cuttlefish is a full-featured espionage platform. The attack likely begins by exploiting a known vulnerability in the router's firmware or by brute-forcing weak default credentials.

Once it has gained root access on the router, the malware installs itself and takes the following actions:

  1. Establishes persistence: it modifies the router's startup scripts so that it survives a reboot.
  2. Monitors traffic: it uses filtering rules to passively inspect all network traffic passing through the router.
  3. Steals credentials: it looks specifically for authentication data in protocols such as HTTP, FTP, and SMTP, and exfiltrates the usernames and passwords it finds.
  4. Creates a covert channel: it can set up its own VPN or proxy on the router, allowing the attacker to exfiltrate stolen data and issue commands discreetly.
  5. Hijacks traffic: its modules can perform DNS hijacking (redirecting users to malicious sites) and inject malicious code into HTTP traffic.

Technical Analysis

Cuttlefish is a modular malware framework. The core component is responsible for persistence and loading other modules. Key modules observed include:

  • Packet Sniffer: A component that uses libpcap-like functionality to capture and analyze network packets in real time.
  • Rule Engine: A configurable engine that allows the attacker to specify what kind of data to look for (e.g., Authorization: Basic headers in HTTP, FTP USER/PASS commands).
  • Exfiltration Module: A module that sends stolen data back to an attacker-controlled command-and-control (C2) server, often over a custom VPN tunnel to evade detection.

Impact Assessment

The impact of a Cuttlefish infection is severe and multifaceted:

  • Widespread Credential Compromise: The malware can harvest credentials for a multitude of internal and external services, leading to follow-on account takeovers.
  • Loss of Confidentiality: All unencrypted traffic passing through the router is subject to inspection and theft.
  • Platform for Further Attacks: The DNS and HTTP hijacking capabilities allow attackers to serve malware to internal users or redirect them to phishing pages, bypassing other security controls.
  • Difficult to Eradicate: Router malware can be notoriously difficult to detect and remove. A simple reboot may not be sufficient to clear the infection if persistence is established correctly.

Detection & Response

Detecting Cuttlefish is challenging as it resides on a network device, not an endpoint.

  • Firmware Integrity Checks: Compare the hash of the router's current firmware and key system files against known-good versions from the manufacturer.
  • Network Traffic Analysis: Monitor the router's own outbound traffic. Any unexpected connections, especially to unknown IP addresses or over non-standard ports, are highly suspicious. Look for DNS queries to unusual domains from the router itself.
  • Configuration Audits: Regularly audit router configurations for unauthorized changes, such as new firewall rules, DNS forwarders, or VPN settings.
  • Check for Unexpected Services: Scan the router for any unexpected open ports or services that are not part of the standard configuration.
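An added example (not code from the report) of the firmware integrity check described above: a known-good manifest of path-to-SHA-256 entries is compared with the files seen on the device, and the check reports modified, missing and unlisted files. The paths, contents and the manifest format are constructed; the live snapshot includes a startup script that has gained an extra autostart line, the kind of change the persistence step in the overview describes.

```python
"""Integrity check of key router files against a known-good manifest.
Added example, not code from the report. Paths, contents and the manifest
format (path -> SHA-256 hex) are constructed; a real manifest comes from the
vendor's firmware image for the exact model and version in use."""
import hashlib
import os

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Known-good manifest (path -> sha256) built from a trusted image."""
    return {path: sha256_hex(content) for path, content in files.items()}

def collect_from_disk(root: str, paths) -> dict:
    """Read the listed paths under root, e.g. a mounted firmware dump."""
    found = {}
    for p in paths:
        full = os.path.join(root, p.lstrip("/"))
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                found[p] = fh.read()
    return found

def verify(manifest: dict, observed: dict) -> dict:
    """Return {'modified', 'missing', 'unexpected'} lists; 'unexpected' are
    files present on the device but absent from the vendor manifest."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for path, good_hash in manifest.items():
        if path not in observed:
            report["missing"].append(path)
        elif sha256_hex(observed[path]) != good_hash:
            report["modified"].append(path)
    report["unexpected"] = sorted(set(observed) - set(manifest))
    return report

# Constructed known-good image: startup script, shell multiplexer, SSH daemon.
KNOWN_GOOD = {
    "/etc/init.d/rcS": b"#!/bin/sh\n/sbin/network start\n",
    "/bin/busybox": b"<busybox-elf-placeholder>",
    "/usr/sbin/dropbear": b"<dropbear-elf-placeholder>",
}
# Constructed live snapshot: rcS gained an autostart line, dropbear is gone,
# and an unlisted file appeared.
LIVE = {
    "/etc/init.d/rcS": b"#!/bin/sh\n/sbin/network start\n/tmp/.unknown &\n",
    "/bin/busybox": b"<busybox-elf-placeholder>",
    "/tmp/.unknown": b"<unknown-binary-placeholder>",
}
```

Against a real device, pass `collect_from_disk(root, manifest)` plus any extra paths worth watching (startup directories, cron, DNS and VPN configuration) as the observed set so that unlisted files are reported too.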

Mitigation

  1. Update Router Firmware: Keep router firmware up-to-date. This is the single most important step to protect against exploitation of known vulnerabilities.
  2. Change Default Credentials: Immediately change the default administrator username and password on all routers and network devices. Use a long, complex, and unique password.
  3. Disable Remote Management: Disable remote (WAN-side) administration of the router. Management should only be possible from the internal LAN.
  4. Network Segmentation: Segmenting the network helps contain the impact, because a compromised router can only sniff the traffic that actually passes through it.

Timeline of Events

  1. March 12, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Regularly update router firmware to patch known vulnerabilities that could be used for initial access.
  • Change default administrator credentials on routers to strong, unique passwords to prevent brute-force attacks.
  • Disable remote/WAN administration for routers to prevent attackers on the internet from accessing the management interface.

D3FEND Defensive Countermeasures

The primary defense against router malware like Cuttlefish is diligent firmware management. Organizations must incorporate their network devices, including enterprise and SOHO routers, into their regular patch management program. This involves creating an inventory of all router models, subscribing to security advisories from the vendors, and establishing a process to test and deploy firmware updates in a timely manner. Since many initial access attacks against routers exploit publicly known vulnerabilities, keeping firmware up-to-date is the most effective way to close the door on these threats. For critical devices, automated checks for new firmware versions should be implemented.

To detect and block Cuttlefish's command-and-control (C2) and data exfiltration activities, security teams should monitor traffic originating from the routers themselves. A router's job is to forward traffic, not to initiate its own sessions to arbitrary internet IPs. Configure a next-generation firewall or network monitoring solution to baseline the normal outbound traffic from your routers (e.g., to NTP servers, vendor update sites). Then, create a strict outbound filtering policy that denies all other initiated connections by default. An alert on a blocked connection attempt from a router is a high-fidelity indicator that the device may be compromised and is trying to 'phone home'.
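The baseline-and-deny approach above, and the router-originated traffic monitoring from the Detection & Response section, written out as an added example (not code from the report): each router-initiated session in a firewall export is checked against a per-destination allowlist, and anything outside it is raised, with a blocked attempt scored highest as the text suggests. The log format, router addresses and baseline entries are all constructed.

```python
"""Flag router-initiated outbound sessions that fall outside a known baseline.
Added example, not code from the report. The log format, router addresses and
baseline entries are constructed; adapt LINE_RE to your firewall's export
format and build BASELINE from observed, vetted router traffic."""
import ipaddress
import re

# Addresses from which our routers initiate their own traffic (constructed).
ROUTERS = {"10.0.0.1": "core-rtr-1", "10.0.0.2": "branch-rtr-2"}

# Legitimate router-initiated sessions: (destination network, port, proto) (constructed).
BASELINE = [
    (ipaddress.ip_network("192.0.2.0/24"), 123, "udp"),      # internal NTP
    (ipaddress.ip_network("10.0.0.53/32"), 53, "udp"),       # internal resolver
    (ipaddress.ip_network("198.51.100.10/32"), 443, "tcp"),  # vendor update site
]

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+) action=(\w+)")

def in_baseline(dst: str, dport: int, proto: str) -> bool:
    addr = ipaddress.ip_address(dst)
    return any(addr in net and dport == p and proto == pr for net, p, pr in BASELINE)

def analyze(lines) -> list:
    """One alert per router-initiated session not covered by BASELINE. A denied
    attempt is the high-fidelity case; an allowed one means the policy is too loose."""
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport, proto, action = m.groups()
        if src not in ROUTERS:
            continue  # host traffic forwarded by the router is out of scope here
        dport = int(dport)
        if in_baseline(dst, dport, proto):
            continue
        alerts.append({
            "router": ROUTERS[src], "dst": dst, "dport": dport, "proto": proto,
            "action": action, "severity": "high" if action == "deny" else "medium",
        })
    return alerts

# Constructed firewall export: two baseline sessions, one workstation session,
# and two sessions from branch-rtr-2 to an address no router should contact.
SAMPLE_LOG = [
    "2026-03-12T08:00:01Z src=10.0.0.1 dst=192.0.2.5 dport=123 proto=udp action=allow",
    "2026-03-12T08:00:07Z src=10.0.0.1 dst=198.51.100.10 dport=443 proto=tcp action=allow",
    "2026-03-12T08:01:12Z src=10.0.0.2 dst=203.0.113.77 dport=8443 proto=tcp action=deny",
    "2026-03-12T08:01:13Z src=10.0.1.25 dst=203.0.113.77 dport=443 proto=tcp action=allow",
    "2026-03-12T08:02:40Z src=10.0.0.2 dst=203.0.113.77 dport=1194 proto=udp action=allow",
]
```

Running `analyze(SAMPLE_LOG)` yields two alerts for branch-rtr-2: the denied 8443/tcp attempt at high severity and the allowed 1194/udp session at medium, the latter showing an outbound rule the deny-by-default policy should have closed.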

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
