A malware botnet named 'Pumpkin Eclipse' performed a mysterious destructive event in 2023 that knocked 600,000 small office/home office (SOHO) internet routers offline, disrupting customers' internet access.
According to researchers at Lumen's Black Lotus Labs, who observed the incident, it disrupted internet access across numerous Midwest states between October 25 and October 27, 2023.
This left owners of the infected devices with no option but to replace the routers.
The incident had a focused impact, affecting a single internet service provider and three models of routers used by the firm: the ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380.
Black Lotus Labs says the particular ISP serves vulnerable communities in the United States and suffered a 49% reduction in operating modems due to the 'Pumpkin Eclipse' incident.
While Black Lotus did not name the ISP, it bears a striking resemblance to a Windstream outage that occurred during the same timeframe.
Starting on October 25, 2023, Windstream customers began reporting on Reddit that their routers were no longer working.
Subscribers impacted by the Windstream outage were told they needed to replace their routers with new ones to restore their internet access.
Fast forward seven months, and a new report by Black Lotus may finally shed some light on the incident: a botnet was responsible for bricking 600,000 routers at a single ISP across the Midwest states in October 2023.
The attacker can send commands to the bot through Lua scripts, which enable data exfiltration, downloading additional modules, or introducing new payloads on the infected device.
Black Lotus Labs did not observe any DDoS attacks from the botnet.
The analysts note that Chalubo lacks a persistence mechanism, so rebooting the infected router disrupts the bot's operation.
Black Lotus Labs says its telemetry data indicates that Chalubo operates 45 malware panels communicating with over 650,000 unique IP addresses between October 3 and November 3, 2023, most of them based in the United States.
Only one of these panels was used for the destructive attack and it focused on a specific American ISP, causing Black Lotus researchers to believe that the attacker purchased the Chalubo panel for the specific purpose of deploying the destructive payload on routers.
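The reasoning above (45 panels, 650,000 bots, but a single panel whose bots sit almost entirely inside one ISP) is a concentration check that an analyst can run over C2 telemetry. The following is an added example, not code from Black Lotus Labs or from the report: it takes constructed records of (panel, bot IP, ASN, date), counts unique bots per panel, and flags panels whose population is concentrated in one ASN. Panel names, IP addresses (TEST-NET ranges) and ASNs (private range) are hypothetical.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample C2 telemetry: (panel, bot_ip, asn, observed).
# Panel names, IPs and ASNs are hypothetical and not from the report.
TELEMETRY = [
    ("panel-01", "203.0.113.10",  "AS64500", date(2023, 10, 5)),
    ("panel-01", "203.0.113.11",  "AS64500", date(2023, 10, 6)),
    ("panel-01", "198.51.100.7",  "AS64501", date(2023, 10, 8)),
    ("panel-01", "198.51.100.9",  "AS64501", date(2023, 10, 9)),
    ("panel-01", "192.0.2.44",    "AS64502", date(2023, 10, 12)),
    ("panel-02", "192.0.2.100",   "AS64496", date(2023, 10, 24)),
    ("panel-02", "192.0.2.101",   "AS64496", date(2023, 10, 24)),
    ("panel-02", "192.0.2.101",   "AS64496", date(2023, 10, 25)),  # same bot seen twice
    ("panel-02", "192.0.2.102",   "AS64496", date(2023, 10, 25)),
    ("panel-02", "192.0.2.103",   "AS64496", date(2023, 10, 26)),
    ("panel-03", "203.0.113.200", "AS64500", date(2023, 10, 30)),
    ("panel-03", "203.0.113.201", "AS64500", date(2023, 10, 30)),
]


def unique_bots(records):
    """Distinct bot IPs across all panels (repeat check-ins are not re-counted)."""
    return len({ip for _, ip, _, _ in records})


def per_panel_stats(records):
    """Unique bots per panel plus the share held by that panel's largest ASN."""
    bots = defaultdict(set)   # panel -> {bot_ip}
    asn_of = {}               # bot_ip -> asn (last observation wins)
    for panel, ip, asn, _ in records:
        bots[panel].add(ip)
        asn_of[ip] = asn
    stats = {}
    for panel, ips in bots.items():
        asn_counts = Counter(asn_of[ip] for ip in ips)
        top_asn, top_n = asn_counts.most_common(1)[0]
        stats[panel] = {
            "bots": len(ips),
            "top_asn": top_asn,
            "top_share": top_n / len(ips),
        }
    return stats


def concentrated_panels(records, threshold=0.9, min_bots=3):
    """Panels whose bot population sits almost entirely in one ASN.

    A botnet grown opportunistically across many networks shows a low
    top-ASN share; a panel aimed at a single ISP shows a share near 1.0.
    min_bots keeps panels with too few bots to judge out of the result.
    """
    return sorted(
        panel
        for panel, s in per_panel_stats(records).items()
        if s["bots"] >= min_bots and s["top_share"] >= threshold
    )


if __name__ == "__main__":
    print("unique bots:", unique_bots(TELEMETRY))
    for panel, s in sorted(per_panel_stats(TELEMETRY).items()):
        print(f"{panel}: {s['bots']} bots, {s['top_asn']} holds {s['top_share']:.0%}")
    print("concentrated:", concentrated_panels(TELEMETRY))
```

With the constructed data, panel-01 is spread across three ASNs (largest share 40%), panel-03 is all in one ASN but has only two bots, and panel-02 is the one flagged: four distinct bots, all in AS64496. On real telemetry the ASN column would come from a BGP or WHOIS lookup, and the threshold would be tuned against the distribution seen across the other panels.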
The researchers could not find the payload used to brick the routers, so they were unable to determine how it was done or for what purpose.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 May 2024 20:40:08 +0000