Malware attack 'Pumpkin Eclipse' that destroyed 600,000 routers in just three days revealed
Over the course of several days from October 25, 2023, users of an internet service provider (ISP) called
The Pumpkin Eclipse - Lumen
https://blog.lumen.com/the-pumpkin-eclipse/
Mystery malware destroys 600,000 routers from a single ISP during 72-hour span | Ars Technica
https://arstechnica.com/security/2024/05/mystery-malware-destroys-600000-routers-from-a-single-isp-during-72-hour-span/
Windstream is an ISP that provides Internet communications primarily in rural areas of the United States, with approximately 1.6 million subscribers as of 2023. On October 25, 2023, a Windstream user reported that their router had broken and they could no longer use the Internet.
One user posted on Reddit, 'I've been using my T3200 modem for a while now, but today something I've never experienced before happened. The Internet light is red. Can this be fixed?' Similar reports were posted over the course of several days from October 25th, with users saying that the router did not respond to the reset button and that they suffered various losses because they could not use the Internet.
Windstream ultimately determined that the affected routers were unusable and resolved the issue by sending new routers to affected users.
Then, on May 30, 2024, Black Lotus Labs published a report on a 'disruptive event that occurred over a 72-hour period from October 25 to 27, in which over 600,000 routers belonging to a single ISP were permanently disabled.' The report did not name the ISP, but the content and scale of the problem described make it safe to assume that it was Windstream. Black Lotus Labs named this event 'Pumpkin Eclipse' in reference to the fact that it occurred near Halloween.
According to Black Lotus Labs, a conservative estimate of 600,000 routers were attacked by an unknown threat actor with unknown motives, who carried out the attacks using commodity malware called Chalubo.
Chalubo's built-in functionality likely allowed the attackers to execute a custom Lua script on the router, permanently overwriting the router's firmware. 'We have high confidence that the malicious firmware update was a deliberate attack intended to cause an outage on the router,' Black Lotus Labs said in the report.
The unique feature of this attack is that more than 600,000 routers were destroyed at once, forcing them to be replaced. In addition, most previous attacks have targeted specific router models or general vulnerabilities and have been carried out across multiple ISPs, whereas this attack was limited to a specific ISP.
Black Lotus Labs told Ars Technica that so far it is not aware of a nation-state cybercriminal group behind the series of router-busting attacks, but that it cannot rule it out. It also said it has not determined how the malware first infected the routers, nor is it aware of any router vulnerabilities that the hackers may have exploited.