Mystery malware destroys 600,000 routers from a single ISP during 72-hour span


Posted (edited)

Makes me believe this was a test run for something much larger in the future:

Quote

One day last October, subscribers to an ISP known as Windstream began flooding message boards with reports their routers had suddenly stopped working and remained unresponsive to reboots and all other attempts to revive them.

“The routers now just sit there with a steady red light on the front,” one user wrote, referring to the ActionTec T3200 router models Windstream provided to both them and a next door neighbor. “They won't even respond to a RESET.”

In the messages—which appeared over a few days beginning on October 25—many Windstream users blamed the ISP for the mass bricking. They said it was the result of the company pushing updates that poisoned the devices. Windstream’s Kinetic broadband service has about 1.6 million subscribers in 18 states, including Iowa, Alabama, Arkansas, Georgia, and Kentucky. For many customers, Kinetic provides an essential link to the outside world.

“We have 3 kids and both work from home,” another subscriber wrote in the same forum. “This has easily cost us $1,500+ in lost business, no tv, WiFi, hours on the phone, etc. So sad that a company can treat customers like this and not care.”

After eventually determining that the routers were permanently unusable, Windstream sent new routers to affected customers. Black Lotus has named the event Pumpkin Eclipse.

A deliberate act

A report published Thursday by security firm Lumen Technologies’ Black Lotus Labs may shed new light on the incident, which Windstream has yet to explain. Black Lotus Labs researchers said that over a 72-hour period beginning on October 25, malware took out more than 600,000 routers connected to a single autonomous system number, or ASN, belonging to an unnamed ISP.

https://arstechnica.com/security/2024/05/mystery-malware-destroys-600000-routers-from-a-single-isp-during-72-hour-span/

Edited by itman

I get the need to get people back online as soon as possible. But just reissuing the same routers again makes me wonder if there was more to this story than is being reported. Possibly that the ISP knew what was happening but calculated it would be cheaper to just issue new routers than make any ransom payments. 

What's to stop the people behind this trying again a few weeks later and bricking all the new routers again? 


Posted (edited)

My suspicion is this was a multi-staged attack.

The first part entailed a supply chain compromise whereby hacked firmware was delivered and installed on Windstream servers. The final part most likely involved a personnel compromise in some form that allowed the attacker to push the compromised firmware to all Windstream customer routers as an auto update. Refer to the infamous Petya attack: https://en.wikipedia.org/wiki/Petya_(malware_family) a few years back as an example. Most disturbing is there appears to be a recent uptick in this type of activity.

Edited by itman

Posted (edited)

There is another explanation here to this incident and it does not involve malicious activity. First, some additional detail.

It is a common practice by ISPs, at least in the U.S., to issue OEM routers with custom modified firmware. AT&T does this to the millions of residential routers they provide their customers. In AT&T's case, it is to support the 6rd tunneling performed on their network.

Assumed is AT&T performs the custom firmware modifications internally given the size of the organization. Windstream being much smaller in size, most likely farms out their required firmware mods to a third party. Stated in the Ars Technica article is Windstream issues Actiontec routers.

It is entirely plausible that Windstream received a bad firmware update from their third party source. They never internally quality-control tested the firmware update prior to pushing the auto update to their residential customers. Crap like this unfortunately does happen. Given the cost to reissue 600,000 new routers, this incident is something Windstream would want withheld from the public domain.

Edited by itman

Posted (edited)

Confirmed. It was a malware attack:

Quote

Now, months later, Lumen's analysis has revealed a commodity remote access trojan (RAT) called Chalubo – a stealthy malware first documented by Sophos in October 2018 – as responsible for the sabotage, with the adversary opting for it presumably in an effort to complicate attribution efforts rather than use a custom toolkit.

"Chalubo has payloads designed for all major SOHO/IoT kernels, pre-built functionality to perform DDoS attacks, and can execute any Lua script sent to the bot," the company said. "We suspect the Lua functionality was likely employed by the malicious actor to retrieve the destructive payload."

That said, the exact initial access method used to breach the routers is currently unclear, although it's theorized that it may have involved the abuse of weak credentials or exploited an exposed administrative interface.

Upon gaining a successful foothold, the infection chain proceeds to drop shell scripts that pave the way for a loader ultimately designed to retrieve and launch Chalubo from an external server. The destructive Lua script module fetched by the trojan is unknown.

https://www.bleepingcomputer.com/news/security/malware-botnet-bricked-600-000-routers-in-mysterious-2023-attack/

Edited by itman
