More than 600,000 small-office and home-office routers (the routers used for working from home and smart working) were bricked and taken offline by a destructive cyber attack carried out by unidentified cyber actors, cutting off users' access to the Internet.
How 600,000 routers in a large set of offices were attacked
The mysterious event, which occurred between October 25 and 27, 2023, affected a single Internet Service Provider (ISP) in the United States and was named Pumpkin Eclipse (not to be confused with the malware of the same name) by the Black Lotus Labs team at Lumen Technologies.
This attack specifically targeted three ISP-issued router models: ActionTec T3200, ActionTec T3260 and Sagemcom.
What Lumen’s IT security experts said about the attacks on these office routers
“The incident [of the office routers] occurred in a 72-hour period between October 25 and October 27, rendered infected devices permanently unusable, and required a hardware replacement,” the company stated in a technical report.
The blackout of routers in offices is quite significant, not least because it led to the sudden removal of 49% of all modems from the autonomous system number (ASN) of the affected ISP during that time period.
Although the name of the ISP was not disclosed, the evidence indicates that it is Windstream, which suffered an outage around the same time, with users reporting a “solid red light” on the affected modems.
That’s not all: cyber threats of more or less known types are involved
Now, months later, Lumen’s analysis has revealed that a remote access trojan (RAT) called Chalubo, a malware that is very hard to detect (essentially “stealthy” malware) and was first documented by Sophos in October 2018, is responsible for the sabotage, with the adversary presumably choosing it in an attempt to complicate attribution efforts rather than using a custom toolkit.
“Chalubo has payloads designed for all major SOHO/IoT kernels, pre-built features to perform DDoS attacks, and can execute any Lua script sent to the bot,” the company said. “We suspect that the Lua functionality was likely employed by the malicious actor to retrieve the destructive payload.”
The methods behind the internet blackout on the routers of various offices are not yet known
That said, the exact initial access method used to breach the routers is currently unclear, although there is speculation that it may have involved the abuse of weak credentials or of an exposed administrative interface.
After gaining a foothold, the infection chain proceeds to drop shell scripts that pave the way for a loader ultimately designed to fetch and launch Chalubo from an external server; however, the destructive Lua script module retrieved by the trojan remains unknown.
A notable aspect of the campaign is its targeting of a single ASN, as opposed to other campaigns that have typically targeted a specific router model or a common vulnerability, raising the possibility that this ISP was deliberately targeted, although the reasons behind it have not yet been determined.
“The event was unprecedented due to the number of units affected: no attack that we can recall has required the replacement of more than 600,000 devices,” Lumen said. “Furthermore, this type of attack has only happened once before, with AcidRain used as a precursor to an active military invasion.”
A brief observation
Cyber attacks usually aim to steal users’ personal data or critical company data; this case is very unusual. Here it was a matter of literally cutting off the connection of offices that genuinely need it, something that has rarely happened in the history of cybersecurity.