News: 1717114512

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Mystery miscreant remotely bricked 600,000 SOHO routers with malicious firmware update

(2024/05/31)


Unknown miscreants broke into more than 600,000 routers belonging to a single ISP late last year and deployed malware on the devices before totally disabling them, according to security researchers.

The cyber attack, which wasn't reported at the time, took place over a 72-hour period between October 25 and 27, 2023. It "rendered the infected devices permanently inoperable, and required a hardware-based replacement," according to US telco Lumen Technologies' Black Lotus Labs, which published [1]details about the destructive event on Thursday and named it "Pumpkin Eclipse."

It seems the mysterious intruders specifically targeted two different routers – ActionTec's T3200 and T3260 – but it's unclear how they gained access.

[2]

"When searching for exploits impacting these models in [vulnerability alerting platform] [3]OpenCVE for ActionTec , none were listed for the two models in question, suggesting the threat actor likely either abused weak credentials or exploited an exposed administrative interface," the Black Lotus researchers opined – without naming the impacted ISP.

[4]

[5]

It's been [6]speculated that Arkansas-based Windstream was the victim, but the ISP declined to comment when approached by The Register .

Black Lotus revealed the unknown attackers broke the 600,000-plus routers using Chalubo – a remote access trojan (RAT).

[7]

The malware has been around [8]since 2018 and has built-in features to encrypt communications with the command-and-control server, perform distributed-denial-of-service attacks, and execute Lua scripts on infected devices. Oddly, the criminals didn't use the DDoS functionality, we're told.

[9]FBI confirms it issued remote kill command to blow out Volt Typhoon's botnet

[10]That home router botnet the Feds took down? Moscow's probably going to try again

[11]Euro cops disrupt malware droppers, seize thousands of domains

[12]Chinese national cuffed on charges of running 'likely the world's largest botnet ever'

"At this time, we do not have an overlap between this activity and any known nation-state activity clusters," the threat hunters wrote.

Specifically, there's no overlap with [13]China's Volt Typhoon , which also has an affinity for [14]infecting routers , or Russia's Sandworm, aka SeaShell Blizzard, another crew known for [15]destructive attacks .

The researchers added that this type of attack has only ever been seen once before: the [16]AcidRain wiper case , which has been [17]attributed to Sandworm and was used to take out KA-SAT modems used in Ukraine as a prelude to Russia's invasion.

Black Lotus asserts a high level of confidence that "the malicious firmware update was a deliberate act intended to cause an outage, and though we expected to see a number of router make and models affected across the internet, this event was confined to the single ASN [autonomous system number]." ®

Get our [18]Tech Resources



[1] https://blog.lumen.com/the-pumpkin-eclipse/

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZllLZX2I2zNRPMmDxkTVfwAAAMY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://www.opencve.io/cve?vendor=actiontec

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZllLZX2I2zNRPMmDxkTVfwAAAMY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZllLZX2I2zNRPMmDxkTVfwAAAMY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://kelo.com/2024/05/30/hundreds-of-thousands-of-us-internet-routers-destroyed-in-newly-discovered-2023-hack/

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZllLZX2I2zNRPMmDxkTVfwAAAMY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://news.sophos.com/en-us/2018/10/22/chalubo-botnet-wants-to-ddos-from-your-server-or-iot-device/

[9] https://www.theregister.com/2024/01/31/volt_typhoon_botnet/

[10] https://www.theregister.com/2024/02/28/ubiquiti_botnet_second_warning/

[11] https://www.theregister.com/2024/05/30/euro_cops_disrupt_malware_droppers/

[12] https://www.theregister.com/2024/05/29/911s5_botnet_arrest/

[13] https://www.theregister.com/2024/02/07/us_chinas_volt_typhoon_attacks/

[14] https://www.theregister.com/2024/01/31/volt_typhoon_botnet/

[15] https://www.theregister.com/2024/04/17/russia_sandworm_cyberattacks_water/

[16] https://www.theregister.com/2022/04/29/wiper_attacks_jump_500_percent/

[17] https://www.theregister.com/2022/04/27/feds_10m_reward_sandworm/

[18] https://whitepapers.theregister.com/



I was working on a case. It had to be a case, because I couldn't afford a
desk. Then I saw her. This tall blond lady. She must have been tall
because I was on the third floor. She rolled her deep blue eyes towards
me. I picked them up and rolled them back. We kissed. She screamed. I
took the cigarette from my mouth and kissed her again.