Recent reports indicate that over 600,000 small office/home office (SOHO) routers have been disabled following a severe cyber attack attributed to unknown malicious actors, significantly disrupting internet access for users. This incident is particularly noteworthy for its scale and its implications for cybersecurity infrastructure.

The attack, which has been labeled Pumpkin Eclipse by the Black Lotus Labs team at Lumen Technologies, transpired from October 25 to October 27, 2023, affecting a specific internet service provider (ISP) in the United States. The cyber intrusion primarily targeted three router models provided by the ISP: ActionTec T3200, ActionTec T3260, and Sagemcom.

According to the technical report released by Lumen, the attack rendered the compromised devices non-operational, necessitating hardware replacement. “The event unfolded within a 72-hour window between October 25-27, ultimately resulting in the destruction of the infected routers,” stated the report.

The outage was significant, affecting nearly half of all modems associated with the affected ISP’s autonomous system number (ASN) during that period. While the ISP’s identity remained undisclosed, it is suspected to be Windstream, as users reported their modems displaying a steady red light during the timeframe of the attack.

Intriguingly, Lumen’s follow-up analysis linked the attack to a well-known commodity remote access trojan (RAT) named Chalubo, which was first identified by Sophos in October 2018. This suggests that the attackers opted for a widely available malware variant to obscure their tracks rather than utilizing bespoke tools.

Chalubo is designed with payloads that support major SOHO and IoT kernels and includes pre-existing functionalities for executing DDoS attacks, alongside the ability to run Lua scripts delivered to the bot. “We suspect that Lua capabilities were utilized to retrieve the damaging payload,” Lumen mentioned.

The specific method of initial access that permitted the attackers to breach the routers remains unclear; however, there is speculation that they may have exploited weak passwords or leveraged unsecured administrative interfaces. Once they gained entry, the malware laid its groundwork through shell scripts, ultimately fetching the Chalubo trojan from an external server. The exact nature of the destructive Lua script that was executed is still undetermined.

This campaign’s targeting of a single autonomous system number is noteworthy. Unlike previous incidents that focused on particular router models or universal vulnerabilities, this attack was confined to one ASN, which suggests it was intentional, although the underlying motivations remain ambiguous.

Lumen’s findings emphasize the unprecedented nature of this incident, marking it as one of the few known attacks that necessitated the replacement of over 600,000 devices. They further highlighted that similar large-scale attacks have been infrequently seen, with only one prior event linked to an orchestrated military action, known as AcidRain.