A malicious botnet bricked 600,000 office and home office (SOHO) routers in what seems to be a coordinated attack against a specific internet service provider (ISP).
Cybersecurity researchers from Lumen’s Black Lotus Labs recently released a report on a botnet they dubbed “Pumpkin Eclipse”.
In the report, the researchers said that a piece of commodity remote access trojan (RAT) called Chalubo compromised hundreds of thousands of SOHO routers, consisting of three specific models: ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380, all belonging to the same ISP. Chalubo pulled these routers into the botnet which, among other things, was capable of running distributed denial of service (DDoS) attacks.
Replacing the devices
Then, between October 25 and 27, 2023, the routers started dying. While Black Lotus did not name the ISP being attacked, BleepingComputer
“So I’ve had a T3200 modem for a while now, but today, something happened that I’ve never experienced before. The internet light is showing solid red. What does it mean, and how do I fix it?,” one out of many Redditors said at the time.
Soon after, Windstream reached out saying the users need to replace their devices with new ones.
What remains a mystery is how the routers got infected with Chalubo to begin with. Apparently, the researchers weren’t able to find the initial access point, so either the attackers found a zero-day vulnerability, or simply exploited routers with weak credentials. In any case, almost half (49%) of the ISP’s routers were forced out of use in mere days.
Ironically enough, Chalubo does not have a persistence mechanism, so all it took to disrupt the botnet was to physically restart the router (a simple power outage would have sufficed). However, if the credentials on the router were weak, the attackers could re-establish the connection. In conclusion, having a strong password on a router is a must.
More from TechRadar Pro
