Mysterious Cyber Attack Took Down 600,000+ Routers in the U.S.

May 31, 2024 at 02:07PM

Between October 25 and 27, 2023, a cyber attack dubbed Pumpkin Eclipse bricked over 600,000 SOHO routers belonging to a U.S. ISP, disrupting internet access for its customers. Months later, analysis revealed the involvement of the Chalubo RAT. The attack targeted a single ASN, made use of Chalubo’s Lua scripting functionality, and gained access by exploiting weak credentials, raising questions about its purpose and motivation.

Key takeaways:

1. Between October 25 and 27, 2023, a cyber attack codenamed Pumpkin Eclipse disrupted internet access for users of a U.S. ISP, bricking over 600,000 SOHO routers and removing 49% of the modems from the ISP’s ASN.

2. The attack was attributed to a commodity remote access trojan (RAT) called Chalubo, known for DDoS attack capabilities, Lua script execution, and attacking SOHO/IoT kernels.

3. The attack involved the use of weak credentials or an exposed administrative interface to breach routers.

4. The sabotage involved dropping shell scripts and a loader that retrieved and launched Chalubo from an external server; the exact Lua script module that carried out the bricking remains unknown.

5. The attack’s targeting of a single ASN, rather than specific router models or common vulnerabilities, suggests deliberate targeting, with unclear motivations.

6. This attack stands out due to the sheer number of affected devices necessitating hardware replacement, marking an unprecedented event.
