Mysterious Cyber Attack Took Down 600,000+ Routers in the U.S.


More than 600,000 small office/home office (SOHO) routers are believed to have been bricked and taken offline in a destructive cyber attack carried out by unidentified attackers, cutting off users' internet access.

The mysterious incident, which took place between October 25 and 27, 2023, and affected a single internet service provider (ISP) in the U.S., has been named Pumpkin Eclipse by the Lumen Technologies Black Lotus Labs team. It specifically affected three router models supplied by the ISP: ActionTec T3200, ActionTec T3260, and Sagemcom.

"The incident took place over a 72-hour period between October 25-27, rendered the infected devices permanently inoperable, and required a hardware-based replacement," the company said in a technical report.

The outage is notable not least because it resulted in the rapid withdrawal of 49% of all modems from the affected ISP's autonomous system number (ASN) within that time frame.

While the identity of the ISP was not published, evidence points to it being Windstream, which suffered an outage around the same time, prompting customers to report a "steady red light" displayed by the affected modems.

Now, months later, Lumen's analysis has identified a commodity remote access trojan (RAT) called Chalubo – a stealthy malware family first documented by Sophos in October 2018 – as responsible for the sabotage. The adversary presumably chose a commodity tool over a custom toolkit in an effort to complicate attribution.

"Chalubo has payloads designed for all major SOHO/IoT kernels, pre-built functionality to perform DDoS attacks, and can execute any Lua script sent to the bot," the company stated. "We suspect the Lua functionality was likely employed by the malicious actor to retrieve the destructive payload."

That said, the exact initial access technique used to compromise the routers is currently unknown, though it is believed to have involved either the exploitation of weak credentials or an exposed administrative interface.

Once a foothold is obtained, the infection chain drops shell scripts that pave the way for a loader whose ultimate purpose is to fetch and launch Chalubo from an external server. The destructive Lua script module downloaded by the malware has not been recovered.

A defining feature of the campaign is its targeting of a specific ASN, in contrast to other campaigns that typically target a particular router model or a common vulnerability. This strengthens the idea that the attack was deliberately targeted, although the motives behind it remain unclear.
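The two facts that mark this campaign out on the defender's side are the scale of the withdrawal (49% of an ASN's modems within 72 hours) and its concentration on one provider rather than one model. An ISP can turn that into a detection: watch device-status telemetry for the fraction of the fleet that goes down, and stays down, inside a sliding 72-hour window, and break the affected devices out by model. The following script is an added illustration of that logic, not code from Lumen or the article; the telemetry lines, the device identifiers, the fleet size of 20 and the line format are all constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of ISP device-status telemetry (format assumed for this example).
# Each line: ISO timestamp, device id, device model, new state (up/down).
# Device ids and timings are invented; the models are the three named in the report.
SAMPLE_TELEMETRY = """\
2023-10-20T08:00:00 dev-001 T3200 down
2023-10-20T09:30:00 dev-001 T3200 up
2023-10-25T01:10:00 dev-002 T3200 down
2023-10-25T03:45:00 dev-003 T3260 down
2023-10-25T14:20:00 dev-004 T3200 down
2023-10-26T02:05:00 dev-005 Sagemcom down
2023-10-26T07:50:00 dev-006 T3200 down
2023-10-26T12:00:00 dev-007 T3260 down
2023-10-26T18:30:00 dev-008 T3200 down
2023-10-27T04:15:00 dev-009 Sagemcom down
2023-10-27T11:40:00 dev-010 T3200 down
2023-10-27T11:45:00 dev-011 T3260 down
2023-10-27T12:00:00 dev-011 T3260 up
"""
FLEET_SIZE = 20  # constructed: total modems in the monitored ASN


def parse_telemetry(text):
    """Parse telemetry lines into (timestamp, device, model, state) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, dev, model, state = line.split()
        events.append((datetime.fromisoformat(ts), dev, model, state))
    events.sort(key=lambda e: e[0])
    return events


def devices_down_in_window(events, start, end):
    """Devices whose most recent state change inside [start, end] left them 'down'.

    A device that went down and came back up within the window (a normal reboot
    or a short outage) is not counted; a bricked device never sends an 'up'.
    """
    last_state = {}
    for ts, dev, _model, state in events:
        if start <= ts <= end:
            last_state[dev] = state
    return {dev for dev, state in last_state.items() if state == "down"}


def detect_mass_withdrawal(events, fleet_size, window=timedelta(hours=72), threshold=0.10):
    """Slide a window starting at each 'down' event and report the worst one.

    Returns a dict with 'alert' set when the fraction of the fleet left down in
    some window reaches the threshold, plus the devices involved and a per-model
    breakdown so a model-specific fault can be told apart from an ASN-wide event.
    """
    if fleet_size <= 0:
        raise ValueError("fleet_size must be positive")
    model_of = {dev: model for _ts, dev, model, _state in events}
    worst_fraction, worst_start, worst_devices = 0.0, None, set()
    for ts, _dev, _model, state in events:
        if state != "down":
            continue
        down = devices_down_in_window(events, ts, ts + window)
        fraction = len(down) / fleet_size
        if fraction > worst_fraction:
            worst_fraction, worst_start, worst_devices = fraction, ts, down
    return {
        "alert": worst_fraction >= threshold,
        "fraction": worst_fraction,
        "window_start": worst_start,
        "devices": sorted(worst_devices),
        "by_model": dict(Counter(model_of[dev] for dev in worst_devices)),
    }


if __name__ == "__main__":
    result = detect_mass_withdrawal(parse_telemetry(SAMPLE_TELEMETRY), FLEET_SIZE)
    print(result)
```

On the constructed data the worst window opens at the first outage on October 25 and leaves 9 of 20 devices down (45%), spread across all three models, which is the pattern that distinguishes an ASN-wide event from a single-model firmware fault. The 10% threshold is a placeholder; a real deployment would set it from the provider's historical churn.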

"The event was unprecedented due to the number of units affected – no attack that we can recall has required the replacement of over 600,000 devices," Lumen stated. "In addition, this type of attack has only ever happened once before, with AcidRain used as a precursor to an active military invasion."
