
New Cuttlefish Malware Hijacks Router Connections, Cloud Data Stolen

In the ever-evolving landscape of cybersecurity threats, a new menace has emerged: Cuttlefish. This sophisticated malware targets enterprise-grade and small office/home office (SOHO) routers, posing a significant risk to businesses and individual users alike. 

Discovered by Lumen Technologies' Black Lotus Labs, Cuttlefish infects routers and creates a proxy or VPN tunnel through which it stealthily exfiltrates data. Because that traffic leaves from the victim's own network, it bypasses security measures designed to detect unusual sign-ins, making it particularly insidious. One of the most concerning aspects of Cuttlefish is its ability to perform DNS and HTTP hijacking within private IP spaces. 

This interference with internal communications can disrupt organizational workflows and potentially introduce additional payloads, compounding the damage caused by the initial infection. While Cuttlefish shares some code similarities with HiatusRat, a malware previously associated with Chinese state interests, there is no definitive link between the two. Attribution remains challenging, further complicating efforts to combat this threat effectively. 

According to Black Lotus Labs, Cuttlefish has been active since at least July 2023, primarily targeting users in Turkey. However, infections have been reported elsewhere, impacting services such as satellite phones and data centres. The exact method of initial infection remains unclear, but it likely involves exploiting known vulnerabilities or brute-forcing credentials. Once inside a router, Cuttlefish deploys a bash script to collect host-based data and download its primary payload. 

What sets Cuttlefish apart is its adaptability to various router architectures, making it a versatile threat capable of targeting a wide range of devices. Once executed, the malware monitors all connections passing through the router, searching for specific data such as usernames, passwords, and tokens associated with cloud services like AWS and Digital Ocean. When it captures this data, Cuttlefish exfiltrates it to the attacker's command and control (C2) server through a peer-to-peer VPN or proxy tunnel.

Additionally, the malware can redirect DNS and HTTP requests to actor-controlled infrastructure, enabling further data interception and manipulation. Cuttlefish poses a severe threat to organizations worldwide, allowing attackers to bypass traditional security measures and dwell undetected within cloud environments. Network administrators should take proactive steps to strengthen their defences against Cuttlefish and similar threats. 

This includes eliminating weak credentials, monitoring for unusual logins, securing traffic with TLS/SSL encryption, and inspecting devices for signs of compromise. Additionally, regular router reboots, firmware updates, and password changes are recommended for SOHO router users to prevent exploitation.  
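One way to act on the "inspect devices for signs of compromise" advice, as an added example that is not from the Black Lotus Labs report: resolve the cloud API hostnames your hosts depend on through the router's resolver and again through an out-of-band resolver the router cannot tamper with, then flag answers that land in private address space or differ from the trusted answer. The hostnames and addresses below are constructed sample data (TEST-NET ranges stand in for real cloud IPs).

```python
import ipaddress

# Address space a public cloud API endpoint should never resolve into.
# Cuttlefish hijacks DNS for hosts in private IP space; a public name
# answering with an RFC1918/loopback/link-local address is a strong signal.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed sample: what the router's resolver handed back.
ROUTER_ANSWERS = {
    "sts.amazonaws.com": ["10.0.0.53"],
    "api.digitalocean.com": ["203.0.113.7"],
    "ec2.amazonaws.com": ["198.51.100.10", "198.51.100.11"],
}
# Constructed sample: the same names resolved out of band, e.g. over DoH
# to a resolver outside the router's path.
TRUSTED_ANSWERS = {
    "sts.amazonaws.com": ["198.51.100.20"],
    "api.digitalocean.com": ["198.51.100.30"],
    "ec2.amazonaws.com": ["198.51.100.10", "198.51.100.11"],
}

def is_non_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_PUBLIC_NETS)

def check_dns_hijack(router: dict, trusted: dict) -> list:
    """Return (name, reason, addresses) findings for suspicious answers."""
    findings = []
    for name, answers in router.items():
        private = [a for a in answers if is_non_public(a)]
        if private:
            findings.append((name, "non_public_answer", private))
        expected = set(trusted.get(name, []))
        unexpected = sorted(set(answers) - expected)
        if expected and unexpected:
            findings.append((name, "differs_from_trusted_resolver", unexpected))
    return findings

if __name__ == "__main__":
    for name, reason, addrs in check_dns_hijack(ROUTER_ANSWERS, TRUSTED_ANSWERS):
        print(f"{name}: {reason} {addrs}")
```

Geo-distributed names (CDN front ends) can legitimately differ between resolvers, so treat "differs_from_trusted_resolver" as a triage lead and a non-public answer for a public API as the strong signal.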

Cuttlefish represents a significant escalation in cyber threats, underscoring the importance of robust cybersecurity practices and constant vigilance in today's digital landscape. Organizations can better protect themselves against emerging threats like Cuttlefish by staying informed and implementing proactive security measures.

Sophisticated Cloud Credential Theft Campaign Targets AWS, Expands to Azure and Google Cloud

A cybercriminal group behind a sophisticated cloud-credential stealing and cryptomining campaign has recently expanded its targets beyond Amazon Web Services (AWS) to include Microsoft Azure and Google Cloud Platform (GCP). 

Researchers from SentinelOne and Permiso have been tracking the campaign and have found significant similarities between the tools used in this campaign and those associated with the notorious threat actor known as TeamTNT, which is primarily driven by financial motives.

The campaign's broader targeting started in June and has been evolving with incremental refinements since December. The recent attacks on Azure and GCP cloud services involve the same core attack scripts used in the AWS campaign. 

However, according to Alex Delamotte, a threat researcher at SentinelOne, the capabilities for Azure and GCP are less developed compared to those for AWS.

TeamTNT is well-known for exploiting cloud misconfigurations and vulnerabilities to target exposed cloud services. Originally focused on cryptomining campaigns, the group has now expanded its activities to include data theft and backdoor deployment. 

Recently, the attackers have been targeting exposed Docker services using modified shell scripts capable of profiling systems, searching for credential files, and exfiltrating them. They also collect environment variable details to identify valuable services for potential future attacks.

The attacker's toolset works across different cloud service providers and does not show significant automation for Azure or GCP beyond credential harvesting, indicating that much of the activity may involve manual intervention.

In addition to the shell scripts used in earlier attacks, TeamTNT has started using a UPX-packed, Golang-based ELF binary that drops and executes another shell script for propagating to other vulnerable targets. 

This worming propagation mechanism specifically targets Docker instances with certain user-agent versions, which could be hosted on Azure or GCP.
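The precondition both the credential-harvesting scripts and the worming binary rely on is a Docker API reachable over the network without client authentication. As an added example that is not TeamTNT's tooling or anything from the SentinelOne/Permiso research, the audit below reads a daemon.json and flags tcp:// listeners configured without tlsverify or bound to every interface; the weak and hardened configurations are constructed samples.

```python
import json
from urllib.parse import urlparse

# Constructed daemon.json samples: a weak setup that publishes the Docker API
# unauthenticated on every interface, and a hardened one using mutual TLS.
WEAK_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""
HARDENED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Bind addresses that expose the listener on every interface.
ANY_INTERFACE = {"0.0.0.0", "::", "", None}

def audit_docker_daemon(config_text: str) -> list:
    """Return a list of findings describing remote Docker API exposure."""
    cfg = json.loads(config_text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify"))
    tls_only = bool(cfg.get("tls")) and not tls_verify
    for host in cfg.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not reachable remotely
        if tls_only:
            findings.append(f"{host}: tls without tlsverify (encrypted, no client auth)")
        elif not tls_verify:
            findings.append(f"{host}: remote API without tlsverify (unauthenticated)")
        if url.hostname in ANY_INTERFACE:
            findings.append(f"{host}: bound to all interfaces")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_docker_daemon(cfg) or ["no findings"])
```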

The researchers from SentinelOne and Permiso believe that TeamTNT is currently testing its tools in Azure and GCP environments without pursuing specific objectives on impacted systems. However, organizations using Azure and GCP should remain vigilant, as similar attack frameworks to those used against AWS may be employed against their cloud environments.

Recently, Sysdig also updated a report linking the ScarletEel cloud credential stealing and cryptomining campaign to TeamTNT's activity, further emphasizing the threat posed by this group. To defend against such attacks, administrators are encouraged to collaborate with their red teams to understand the most effective attack frameworks for these cloud platforms.

"Pacu is a known red team favorite for attacking AWS," she says. "We can expect these actors will adopt other successful exploitation frameworks."