'Cuttlefish' Zero-Click Malware Steals Private Cloud Data

A newly discovered malware called 'Cuttlefish' targets enterprise-grade and SOHO routers to steal authentication details and data, performing DNS and HTTP hijacking against traffic bound for private IP addresses. It captures data using a zero-click approach, focusing on public cloud-based services and evading sign-in analytics. The malware can create proxy or VPN tunnels through compromised routers and uses the stolen credentials to access resources.

'Cuttlefish' has a unique capability to eavesdrop on edge networking equipment and perform DNS/HTTP hijacking, potentially for anti-detection and persistence, with the aim of gaining long-term access to the targeted ecosystems.

The malware mainly targets Turkish telcos and shows links to HiatusRat, with code similarities and shared build paths; it is believed to align with China-based threat actors.

The infection process uses a bash script to gather data and then deploys 'Cuttlefish' as a malicious binary that performs packet filtering, hijacks traffic, and steals credentials destined for private IP addresses. The initial infection vector used against the targeted devices has not been disclosed.

The researchers suggest defenses against router attacks, with recommendations for corporate network defenders and SOHO router users to prevent and detect compromise by 'Cuttlefish'.