May 30, 2024 at 02:57PM
The ‘Pumpkin Eclipse’ botnet attack in October 2023 targeted a specific ISP in the Midwest, resulting in the destruction of 600,000 SOHO routers, disrupting internet access for customers. The attackers used a destructive botnet named Chalubo and its unique aspects suggest a deliberate, unattributed cyber attack. The incident caused significant financial damage and required hardware replacements.
Key Takeaways from the Meeting Notes:
– The ‘Pumpkin Eclipse’ malware botnet caused a destructive event in October 2023, leading to the disruption of internet access for over 600,000 office/home office (SOHO) internet routers. The incident affected a single internet service provider (ISP) and targeted specific router models: the ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380.
– The impact was observed across numerous Midwest states between October 25 and October 27, 2023, resulting in a 49% reduction in operating modems for the affected ISP.
– Analysis by Lumen’s Black Lotus Labs revealed that the botnet attack led to the routers being permanently inoperable and required hardware replacements for affected devices.
– The attackers utilized a botnet payload called ‘Chalubo’ (“mips.elf”), which was executed from memory to evade detection. The bot communicated with command and control (C2) servers using ChaCha20 encryption and had the ability to receive commands through Lua scripts for data exfiltration, module downloading, and introducing new payloads.
– While the attack was found to have a distributed denial of service (DDoS) functionality, there were no observed DDoS attacks from the botnet.
– The attack had a focused impact, targeting a specific ISP and specific router models, leading to the belief that it was a deliberate action by an unattributed malicious cyber actor.
– The researchers were unable to recover the specific payload used to brick the routers, highlighting the sophistication of the attack.
– This incident is noteworthy as it marks the first time, apart from the “AcidRain” incident, that a botnet malware was ordered to destroy its hosts and cause large-scale financial damage by imposing hardware replacements.
Please let me know if you need further details or information.