A Single Attack Disabled Half A Million Routers

Uploaded on 2024-06-01 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, TECHNOLOGY--Hackers

In October 2023 unknown hackers attacked a US telecommunications company and  disabled hundreds of thousands of Internet routers, according to research now released by Lumen Technologies. More than 600,000 small office/home office (SOHO) routers are estimated to have been rendered useless and taken offline, following a destructive cyber attack which disrupted user access to the Internet.

This unexplained event whch took place between October 25 and 27, 2023, and impacted a single Internet service provider (ISP) in the US, has been codenamed Pumpkin Eclipse by the Lumen's Black Lotus Labs research team. 

This attack specifically affected three router models issued by the ISP: ActionTec T3200, ActionTec T3260, and Sagemcom. "The incident took place over a 72-hour period between October 25-27, rendered the infected devices permanently inoperable, and required a hardware-based replacement," says the Lumen report.

The blackout is significant, not least because it led to the abrupt removal of 49% of all modems from the impacted ISP's autonomous system number (ASN) during the time-frame.

While the name of the ISP is not disclosed, reports at the time suggested it was Windstream Communications, which suffered an outage around the same time, causing users to report a "steady red light" being displayed by the impacted modems.

Recently Lumen's analysis revealed a commodity remote access trojan (RAT) called Chalubo, a stealthy malware first detected by Sophos in October 2018, as responsible for the sabotage, with the adversary opting for it presumably in an effort to complicate attribution efforts rather than use a custom toolkit. "Chalubo has payloads designed for all major SOHO/IoT kernels, pre-built functionality to perform DDoS attacks, and can execute any Lua script sent to the bot," the company said. 

The exact initial access method used to breach the routers is currently unclear, although it is suggested  that it may have involved the abuse of weak credentials or exploited an exposed administrative interface. 

On gaining a successful foothold, the infection chain proceeds to drop shell scripts that pave the way for a loader ultimately designed to retrieve and launch Chalubo from an external server. The destructive Lua script module fetched by the trojan is unknown.

A notable aspect of the campaign is its targeting of a single ASN, as opposed to others that have typically targeted a specific router model or common vulnerability, raising the possibility that it was deliberately targeted, although the motivations behind it are undetermined as yet. "The event was unprecedented due to the number of units affected, no attack that we can recall has required the replacement of over 600,000 devices," Lumen said. 

Lumen   |    Reddit    |    Reuters    |   Hacker News   |   DSL Reports

Image: Unsplash

You Might Also Read: 

Cyber Security Regulations For Smart Devices:

___________________________________________________________________________________________

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Shiny Hunters Attack Santander Bank
Hamlet’s IP & AI »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Gigamon

Gigamon

Gigamon provides intelligent Traffic Visability solutions that provide unmatched visbility into physical & birtual networks without affecting the performance or stability of production environments.

iboss Network Security

iboss Network Security

The iboss cloud is designed to deliver Network Security as a Service, in the cloud, using the best malware engines, threat feeds and log analytics engines.

Keyfactor

Keyfactor

Keyfactor is a leader in cloud-first PKI as-a-Service and crypto-agility solutions. Our Crypto-Agility Platform seamlessly orchestrates every key and certificate across the enterprise.

Beta Systems Software

Beta Systems Software

Beta Systems automate IT-based business processes, control access rights, monitor processes, secure the network and optimize the infrastructure management of corporate IT.

Metrarc

Metrarc

Metrarc has developed a ground-breaking technology called ICMetrics™ for deriving secure encryption keys from the properties of digital systems without the need to store any of the encryption keys.

PureCyber

PureCyber

PureCyber (formerly Wolfberry Cyber) is an award-winning cyber security consultancy whose goal it is to make cyber security accessible, understandable, and affordable for any organisation.

The Cyber AB

The Cyber AB

The Cyber AB is the official accreditation body of the Cybersecurity Maturity Model Certification (CMMC) Ecosystem.

Vumetric Cybersecurity

Vumetric Cybersecurity

Vumetric is an ISO9001 certified company offering penetration testing, IT security audits and specialized cybersecurity services.

Network Contagion Research Institute (NCRI)

Network Contagion Research Institute (NCRI)

NCRI provides pioneering technology, research, and analysis to identify and forecast cyber-social threats targeting individuals, organizations, and communities.

Sayers

Sayers

Sayers is best known for its ability to solve business challenges with IT solutions. Our areas of expertise include cloud, storage, virtualization, security, mobility and networking.

Bluerydge

Bluerydge

Bluerydge specialises in cyber security and technology, focusing on the delivery of innovative sovereign solutions through trusted, cleared and experienced professionals.

Bastion Security Group

Bastion Security Group

Bastion Security combines the skills, expertise and leadership from Quantum Security, ZX Security, Helix Security and Cassini.

Staris

Staris

Human based defense is dead. Staris is reinventing application security for an increasingly AI driven world.

Security Mind

Security Mind

Security Mind is an innovative Cyber Security Awareness program that aims to increase the awareness of each member of the organization and develop the ability to recognize potential cyber threats.

TorchLight

TorchLight

TorchLight designs and manages cybersecurity that moves at the speed of opportunity to defend against business risks and illuminate the path to security.

NeoGuardian

NeoGuardian

NeoGuardian offer robust solutions to protect your data and systems against cyber threats, with an innovative and fully business-focused approach.