A new strain of malware, dubbed Cuttlefish, which attempts to hijack your router has been discovered, and it poses a major threat to your data.

The experts at Black Lotus Labs recently discovered a number of routers had been compromised by a previously unseen malware. The security researchers named the malware Cuttlefish, and found it had compromised numerous enterprise-level and small office/home routers. The threat actors are not currently known, but the main impact of Cuttlefish is that it stealthily steals data once it has a foothold. Data breaches, of course, represent a major incident for businesses, so it’s crucial you keep your routers safe.

Decoding the Danger Behind Cuttlefish

The exact attack method behind Cuttlefish is unknown, but it’s been revealed there are similarities between its source code and that of the HiatusRAT malware. Black Lotus Labs believe Cuttlefish may launch its attack either through a zero-day vulnerability or by using good old fashioned brute force hacking methods.

Whatever the nature of its attack, which was first executed in July 2023, Cuttlefish hands control of the compromised router over to a set of threat actors. This is achieved by instructing an infected router to execute a Bash script – a text file containing a set of commands – which sends data to a remote Command & Control (C2) server. The first action taken by the C2 server is to send back the Cuttlefish malware, which is then installed on the compromised router.

From here, Cuttlefish can monitor all traffic passing through the router and any devices connected to it. Cleverly, Cuttlefish is designed to establish a VPN tunnel, which is then used to extract sensitive data, such as login credentials, from the router’s traffic. These attack methods mark Cuttlefish out as a highly stealthy and dangerous strain of malware, one with the ability to expose and misuse confidential data.

Fighting Back Against the Threat of Cuttlefish

As very little of the mechanics behind Cuttlefish are known, it’s difficult to pinpoint a single solution. For now, all the attacks have been focused on routers based in Turkey. But this can quickly change if threat actors behind Cuttlefish decide to start targeting global victims.

While there isn’t, for example, a simple security patch to install, you can still protect your organization’s routers by following these best security practices:

  • Always Install Updates: routers, like all hardware, rely on firmware updates and patches to maintain their security and maximize performance. But not everyone prioritizes installing these updates, and this approach can put your router at risk of being exploited by a vulnerability. Therefore, where possible, automate updates for your routers (and all devices) or manually install updates as soon as possible.
  • Regularly Change Your Router Credentials: it’s vital you regularly change the password associated with your router. Otherwise, you run the risk of allowing external threats to essentially live on your router. And as well as regularly changing your password, it’s important that you generate strong and unique passwords every time.
  • Monitor Network Traffic: unusual activity on your network, such as high-volume traffic to unknown destinations, should always be scrutinized. Accordingly, you need to implement specialized software and hardware tools to analyze your network traffic and raise alerts when abnormal traffic patterns are detected. This will maintain both the integrity and security of your network.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Based upon the Mirai botnet, a new botnet has emerged onto the digital landscape in the form of InfectedSlurs, and it’s helping to fuel DDoS attacks.  

Once again, the cause of infection behind the InfectedSlurs attack is a number of zero-day vulnerabilities. These vulnerabilities – now identified as CVE-2023-49897 and CVE-2023-47565 – allowed InfectedSlurs to compromise both a series of WiFi routers and a QNAP network video recorder. The potential for data loss here is huge, but InfectedSlurs also makes sure that it hijacks infected devices and integrates them into a huge DDoS swarm.

The InfectedSlurs Attack 

It’s believed that the attack by InfectedSlurs involved vulnerabilities which should have been addressed by firmware updates released several years ago. However, many organizations appear to still be using legacy versions of the QNAP software. And this is what’s allowed them to be compromised. It’s also been revealed that InfectedSlurs has been running in the digital wild since late 2022, so it’s had close to a year to take advantage of legacy versions. 

A security patch was launched at the start of December 2023, to provide the strongest possible protection, and users were told to perform a factory reset alongside a password change. Users have also been advised to initiate a firmware update, found within the network video recorder settings, to ensure they have the latest and most secure version in place. Again, it’s been recommended that all passwords and access privileges are verified. 

However, for the older, legacy devices which are in their end-of-life phase, there will be no further firmware updates released. In these instances, users have no alternative but to replace their devices with the latest models, which will be fully patched against all known threats. 

How Can You Prevent These Attacks? 

There are two big takeaways from the InfectedSlurs attack: 

  1. Always install software updates as soon as possible 
  2. Replace legacy devices when they have reached their end-of-life phase 

Both these points are easy to implement, but the evidence of the InfectedSlurs attack proves this is not always undertaken by organizations. However, to protect the security of your IT infrastructure, it’s crucial that this is given priority. 

InfectedSlurs was also able to execute its attack for close to a year without being detected, so what else should you be looking out for? Well, the following signs may indicate that you have fallen victim to an attack: 

  • Slow performance: one of the telltale signs of being involved in a DDoS attack is a drop in performance from the infected PC. This is because all the processing power is diverted away from the PC’s day-to-day operations and dedicated to supporting the DDoS attack. Therefore, if your PCs are running slow, and you can’t pinpoint the cause to hardware issues, there’s a chance they may have become involved in a DDoS attack. 
     
  • Unusual server patterns: if your PCs have been integrated into a DDoS swarm, it’s likely this will result in abnormal spikes in traffic related to your server. This is because DDoS attacks usually involve high volumes of traffic from multiple sources at once. So, if your server logs indicate behavior such as this, it’s important you investigate immediately to identify if the cause is known. 
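The two traffic patterns this page tells you to watch for – high-volume traffic to unknown destinations (the Cuttlefish advice above) and spikes of inbound traffic from many sources at once (the DDoS sign just described) – can both be checked with the same simple pass over flow records. The script below is an added example written for this page; it is not code from Black Lotus Labs or from the original posts. It assumes an internal range of 10.0.0.0/8, an allow-list of one expected external host, and a handful of constructed flow records (source, destination, bytes) standing in for what a router or flow collector would export.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records, not real captures. Each is
# (source IP, destination IP, bytes transferred). Addresses use the
# documentation ranges, so none of them point at a real host.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 500_000),   # to an expected, allow-listed host
    ("10.0.0.5", "198.51.100.7", 300_000),   # to an unknown host ...
    ("10.0.0.8", "198.51.100.7", 900_000),   # ... from a second internal machine
    ("10.0.0.9", "198.51.100.20", 2_000),    # unknown, but too small to matter
] + [(f"192.0.2.{i}", "10.0.0.50", 1_500) for i in range(1, 13)] \
  + [("192.0.2.1", "10.0.0.60", 1_500), ("192.0.2.2", "10.0.0.60", 1_500)]

INTERNAL = ip_network("10.0.0.0/8")       # assumed internal address range
KNOWN_DESTINATIONS = {"203.0.113.10"}     # assumed allow-list of expected external hosts


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def outbound_to_unknown(flows, known=KNOWN_DESTINATIONS, threshold=1_000_000):
    """Sum outbound bytes per external destination that is not on the allow-list
    and return the destinations at or above threshold, highest volume first."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst) and dst not in known:
            totals[dst] += nbytes
    ranked = sorted(totals.items(), key=lambda kv: -kv[1])
    return {dst: b for dst, b in ranked if b >= threshold}


def inbound_source_spike(flows, min_sources=10):
    """Internal hosts contacted by at least min_sources distinct external sources,
    the many-sources-at-once pattern typical of a DDoS flood."""
    sources = defaultdict(set)
    for src, dst, _ in flows:
        if not is_internal(src) and is_internal(dst):
            sources[dst].add(src)
    return sorted((dst, len(s)) for dst, s in sources.items() if len(s) >= min_sources)


def report(flows):
    """Turn both checks into alert lines a monitoring tool could raise."""
    alerts = []
    for dst, nbytes in outbound_to_unknown(flows).items():
        alerts.append(f"ALERT egress: {nbytes} bytes to unknown destination {dst}")
    for dst, n in inbound_source_spike(flows):
        alerts.append(f"ALERT inbound: {dst} contacted by {n} distinct external sources")
    return alerts


if __name__ == "__main__":
    for line in report(SAMPLE_FLOWS):
        print(line)
```

Run on the constructed records it raises two alerts: 1,200,000 bytes leaving for 198.51.100.7 (two internal machines combined, which a per-host view would miss) and 10.0.0.50 being hit by 12 distinct external sources, while the allow-listed transfer and the small unknown flow stay quiet. In practice the thresholds and the allow-list are the tuning knobs; start from a baseline of what your network normally does rather than the numbers used here.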
