Mysterious Threat Actor Used Chalubo Malware to Brick 600,000 Routers

May 31, 2024 at 07:36AM

Over 600,000 small office/home office (SOHO) routers of a single ISP were disabled by the Chalubo remote access trojan (RAT) in a deliberate event, impacting models from ActionTec and Sagemcom. The incident occurred over 72 hours in late October 2023. Lumen Technologies reported 49% of the impacted routers were offline and may need physical replacement.

Key takeaways:

1. Over 600,000 small office/home office (SOHO) routers, belonging to a single internet service provider (ISP), were rendered inoperable in a destructive event involving the Chalubo remote access trojan (RAT).
2. The impacted router models, from ActionTec and Sagemcom, were confined to the ISP’s autonomous system number (ASN) and were likely infected with the Chalubo RAT, resulting in a 72-hour-long destructive incident between October 25 and October 27, 2023.
3. Roughly 49% of the impacted ASN’s modems were taken offline, and around 179,000 ActionTec and 480,000 Sagemcom routers may have been affected, requiring physical replacement.
4. Lumen Technologies attributes the event to a deliberate act, aimed at causing an outage, and noted the absence of evidence linking the incident to known nation-state actors.
5. The Chalubo malware, initially discovered in 2018, has been used to ensnare devices into a botnet capable of launching distributed denial-of-service (DDoS) attacks and executing Lua scripts on infected devices, with most infections reported in the US.
6. Lumen identified hundreds of thousands of Chalubo bots worldwide, interacting with multiple malware panels used by the threat actors, with one specific panel utilized during the recent disruptive attack, potentially purchased to hinder attribution.
7. The choice of Chalubo as the malware for the attack suggests that the threat actors opted for a commodity malware family to obfuscate attribution instead of using a custom-developed toolkit.

The article also provides related information on cybersecurity threats to router infrastructure, including a call to clean up routers infected by APT28 and vulnerabilities in Sierra Wireless and Technicolor routers.
