Security News > 2024 > May > New SOHO router malware aims for cloud accounts, internal company resources

Cuttlefish, a new malware family that targets enterprise-grade small office/home office routers, is used by criminals to steal account credentials / secrets for AWS, CloudFlare, Docker, BitBucket, Alibaba Cloud and other cloud-based services.

"With the stolen key material, the actor not only retrieves cloud resources associated with the targeted entity but gains a foothold into that cloud ecosystem," Black Lotus Labs researchers noted.

"We suspect [the latter] capability enables Cuttlefish to hijack internal traffic through the router, or site-to-site traffic where there is a VPN connection established between routers. The additional function opens the door to secured resources that are not accessible via the public internet," they explained.

Shared indicators of compromise and advice for both corporate network defenses and consumers with SOHO routers.

"Internet routers remain a popular asset for threat actors to compromise since they often have reduced security monitoring, have less stringent password policies, are not updated frequently, and may use powerful operating systems that allows for installation of malware such as cryptocurrency miners, proxies, distributed denial of service, malicious scripts, and webservers," Trend Micro researchers recently pointed out.

"Internet-facing devices like SOHO routers are also a popular asset for criminal purposes and espionage. While some of the networks of compromised SOHO routers may look like a zoo that anybody can abuse, especially when default credentials remain valid, malicious actors can capitalize on this noisy environment for their own benefit and make use of them discreetly."

News URL

https://www.helpnetsecurity.com/2024/05/02/cuttlefish-soho-routers/