A malware botnet named 'Pumpkin Eclipse' performed a mysterious destructive event in 2023 that destroyed 600,000 office/home office (SOHO) internet routers offline, disrupting customers' internet access.
According to researchers at Lumen's Black Lotus Labs, who observed the incident, it disrupted internet access across numerous Midwest states between October 25 and October 27, 2023. This left owners of the infected devices with no option but to replace the routers.
Although large-scale, the incident had a focused impact, affecting a single internet service provider (ISP) and three models of routers used by the firm: the ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380.
Black Lotus Labs says the particular ISP serves vulnerable communities in the United States and suffered a 49% reduction in operating modems due to the 'Pumpkin Eclipse' incident.
While Black Lotus did not name the ISP, it bears a striking resemblance to a Windstream outage that occurred during the same timeframe.
Starting on October 25, 2023, Windstream customers began reporting on Reddit that their routers were no longer working.
"So I've had a T3200 modem for a while now, but today, something happened that I've never experienced before. The internet light is showing solid red. What does it mean, and how do I fix it?," reported a user in the Winstream subreddit.
"Mine went down about 9PM last night, ignored until I had time to troubleshoot this afternoon. After going through the chatbot (and the T3200 not responding to the factory reset), it was pretty clear the router was the problem," said another user.
Subscribers impacted by the Windstream outage were told they needed to replace the routers with a new one to restore their internet access.
When contacted about the incident, Windstream told BleepingComputer that they do not have a comment.
Pumpkin Eclipse attack
Fast forward seven months and a new report by Black Lotus may finally shed some light on the incident, explaining that a botnet was responsible for bricking 600,000 routers across the midwest states at a single ISP in October 2023.
"Lumen Technologies’ Black Lotus Labs identified a destructive event, as over 600,000 small office/home office (SOHO) routers were taken offline belonging to a single internet service provider (ISP). The incident took place over a 72-hour period between October 25-27, rendered the infected devices permanently inoperable, and required a hardware-based replacement. Public scan data confirmed the sudden and precipitous removal of 49% of all modems from the impacted ISP’s autonomous system number (ASN) during this time period."
❖ Black Lotus LabsThe researchers couldn't find the vulnerability used for initial access, so the attackers either used an unknown zero-day flaw or exploited weak credentials in combination with an exposed administrative interface.
The first stage payload is a bash script named "get_scrpc," which executes to fetch a second script called "get_strtriiush," which is responsible for retrieving and executing the primary bot payload, 'Chalubo' ("mips.elf").
Chalubo is executed from memory to evade detection and uses ChaCha20 encryption when communicating with command and control (C2) servers to protect the communication channel, while it wipes all files from the disk and changes the process name once it's running.
The attacker can send commands to the bot through Lua scripts, which enable data exfiltration, downloading of additional modules, or introducing new payloads on the infected device.
Upon execution, which includes a 30-minute delay to evade sandboxes, the bot collects host-based information such as the MAC address, device ID, device type, device version, and local IP address.
Chalubo has distributed denial of service (DDoS) functionality, indicating Pumpkin Eclipse's operational goals. However, Black Lotus Labs did not observe any DDoS attacks from the botnet.
The analysts note that Chalubo misses a persistence mechanism, so rebooting the infected router disrupts the bot's operation.
Black Lotus Labs says its telemetry data indicates that Chalubo operates 45 malware panels communicating over 650,000 unique IP addresses from October 3 to November 3, most based in the United States.
Only one of these panels was used for the destructive attack and it focused on a specific American ISP, causing Black Lotus researchers to believe that the attacker purchased the Chalubo panel for the specific purpose of deploying the destructive payload on routers.
"The second unique aspect is that this campaign was confined to a particular ASN. Most previous campaigns we’ve seen target a specific router model or common vulnerability and have effects across multiple providers’ networks. In this instance, we observed that both Sagemcom and ActionTec devices were impacted at the same time, both within the same provider’s network. This led us to assess it was not the result of a faulty firmware update by a single manufacturer, which would normally be confined to one device model or models from a given company. Our analysis of the Censys data shows the impact was only for the two in question. This combination of factors led us to conclude the event was likely a deliberate action taken by an unattributed malicious cyber actor, even if we were not able to recover the destructive module." - Black Lotus
Unfortunately, the researchers could not find the payload used to brick the routers, so they were unable to determine how it was done or for what purpose.
Black Lotus Labs notes that this is the first time, apart from the "AcidRain" incident, that a botnet malware was ordered to destroy its hosts and cause large-scale financial damage by imposing hardware replacements.