Security Affairs reports that the novel Cuttlefish malware was deployed in attacks against enterprise-grade small office/home office (SOHO) routers between October 2023 and April 2024 to exfiltrate public cloud authentication information.
Most of the routers compromised by the intrusions were from Turkey but global satellite phone provider clients and a U.S.-based data center may have also been impacted, according to a report from Lumen Technologies' Black Lotus Labs.
Similar to the China-linked HiatusRAT malware, Cuttlefish not only allows HTTP and DNS hijacking of connections to private IP addresses but also interacts with other devices on the LAN to transfer data and deploy additional agents, the report revealed. Authentication data for Amazon Web Services, Cloudflare, BitBucket, and other public cloud-based services is the malware's primary target.
"Cuttlefish represents the latest evolution in passive eavesdropping malware for edge networking equipment, allowing an actor to adapt and overcome the TLS configurations adopted by more modern enterprises," said researchers.
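The two behaviours the report describes (passive harvesting of cloud credentials that cross the router unencrypted, and DNS hijacking of connections to private addresses) can both be checked for from the LAN side. The following is an added example written for this summary, not code from Security Affairs or Black Lotus Labs: it scans constructed samples of router-side HTTP requests for credential-bearing headers sent over plain HTTP, and flags DNS answers where an internal hostname resolved outside RFC 1918 space. The header names and regexes are assumptions drawn from public API documentation for the services named above; the `.corp.example` suffix, the `SAMPLE_FLOWS` requests and the `SAMPLE_DNS` answers are constructed test data, not indicators from the report.

```python
import re
from ipaddress import ip_address, ip_network

# Headers whose presence in cleartext HTTP means a passive sniffer on the
# router could read cloud credentials. Assumed from public API docs, not
# taken from the Cuttlefish report.
CREDENTIAL_HEADERS = {
    # AWS SigV4 puts the access key id in the Credential= field; Basic/Bearer
    # cover BitBucket-style app passwords and generic tokens.
    "authorization": re.compile(r"^(?:AWS4-HMAC-SHA256\s+Credential=|Basic\s|Bearer\s)", re.I),
    "x-amz-security-token": re.compile(r"."),
    "x-auth-key": re.compile(r"."),    # Cloudflare legacy global API key header
    "x-auth-email": re.compile(r"."),
}

def parse_http_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.x request into {lowercase name: value}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:   # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def flag_cleartext_credentials(flows):
    """flows: list of (scheme, raw_request). Returns [(flow_index, [header names])]
    for every plain-HTTP request that carried a credential header."""
    findings = []
    for idx, (scheme, raw) in enumerate(flows):
        if scheme != "http":
            continue   # TLS-wrapped traffic is not readable by a passive eavesdropper
        headers = parse_http_headers(raw)
        hits = [name for name, pat in CREDENTIAL_HEADERS.items()
                if name in headers and pat.search(headers[name])]
        if hits:
            findings.append((idx, sorted(hits)))
    return findings

INTERNAL_RANGES = [ip_network("10.0.0.0/8"),
                   ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]

def flag_dns_redirections(answers, internal_suffix=".corp.example"):
    """answers: list of (qname, answer_ip). An internal name answered with a
    non-private address is what a DNS hijack of private-address connections
    looks like from inside the LAN. The suffix is a constructed assumption."""
    return [(qname, ip) for qname, ip in answers
            if qname.endswith(internal_suffix)
            and not any(ip_address(ip) in net for net in INTERNAL_RANGES)]

# Constructed sample traffic as a router-side capture would present it.
SAMPLE_FLOWS = [
    ("http",  "GET /bucket/key HTTP/1.1\r\nHost: s3.example.test\r\n"
              "Authorization: AWS4-HMAC-SHA256 Credential=AKIAEXAMPLEKEY/20240101/us-east-1/s3/aws4_request, "
              "SignedHeaders=host, Signature=0123abcd\r\n\r\n"),
    ("https", "GET /zones HTTP/1.1\r\nHost: api.example.test\r\nX-Auth-Key: abc123\r\n\r\n"),
    ("http",  "POST /2.0/repositories HTTP/1.1\r\nHost: api.bitbucket.example.test\r\n"
              "Authorization: Basic dXNlcjpwYXNz\r\nContent-Length: 0\r\n\r\n"),
    ("http",  "GET / HTTP/1.1\r\nHost: intranet.corp.example\r\n\r\n"),
]
SAMPLE_DNS = [
    ("intranet.corp.example", "10.1.2.3"),
    ("git.corp.example", "203.0.113.7"),   # TEST-NET-3 address standing in for a redirected answer
]

if __name__ == "__main__":
    for idx, names in flag_cleartext_credentials(SAMPLE_FLOWS):
        print(f"flow {idx}: credential headers in cleartext HTTP: {names}")
    for qname, ip in flag_dns_redirections(SAMPLE_DNS):
        print(f"DNS: {qname} resolved to non-private {ip}")
```

Flow 1 is skipped even though it carries a Cloudflare API key, because it was sent over HTTPS; that is the point of the researchers' TLS remark, and it is also why the cleartext flows 0 and 2 are the ones worth alerting on.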