‘Pumpkin Eclipse’ — 600,000+ Rural ISP Routers Bricked Beyond Repair
Kit from ActionTec and Sagemcom remotely ruined and required replacement.
Almost half of Windstream’s Kinetic broadband users found their home routers completely dead, thanks to a malicious botnet known as Chalubo. This happened seven months ago, but has only now come to light—via researchers who dubbed it Pumpkin Eclipse.
It has echoes of Ukrainian ISP modems mysteriously self-destructing, just before the 2022 Russian invasion. In today’s SB Blogwatch, we wonder if this was a test of something bigger.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Quartails.
Pumpkin Eclipse: Daft Name, Serious Risk
What’s the craic? Reuters’ Christopher Bing reports: Hundreds of thousands of US internet routers destroyed
“Malicious firmware update”
An unidentified hacking group launched a massive cyberattack on a telecommunications company in the U.S. heartland late last year that disabled hundreds of thousands of internet routers. … The October incident, which was not disclosed at the time, took more than 600,000 internet routers offline. Independent experts said it appeared to be one of the most serious cyberattacks ever against America’s telecommunications sector.
…
Windstream customers posted complaints about a strange outage beginning around Oct. 25. [They] described how their routers would not connect to their internet provider so they could not access the internet. … The internet routers were disabled when a malicious firmware update sent to the company’s customers deleted elements of the routers’ operational code, making them effectively inoperable. … The users said Windstream was requiring them to return their disabled routers for new devices because a remote fix did not seem possible.
Were the routers really “destroyed?” Bleeping Bill Toulas’s headline is more nuanced: Botnet bricked 600,000 routers
“Exposed administrative interface”
A malware botnet named ‘Pumpkin Eclipse’ performed a mysterious destructive event in 2023. … It disrupted internet access across numerous Midwest states between October 25 and October 27, 2023. This left owners of the infected devices with no option but to replace the routers.
…
The incident [affected] three models of routers used by the firm: the ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380. … The attackers either used an unknown zero-day flaw or exploited weak credentials in combination with an exposed administrative interface.
Who discovered it? Lumen’s Black Lotus Labs, who gave it a silly name: Pumpkin Eclipse
“Precursor to an active military invasion”
Public scan data confirmed the sudden and precipitous removal of 49% of all modems from the impacted ISP … over a 72-hour period. … “Chalubo,” a commodity remote access trojan (RAT), [was] the primary payload responsible for the event. This Trojan, first identified in 2018, employed savvy tradecraft to obfuscate its activity.
…
Destructive attacks of this nature are highly concerning. … A sizeable portion of this ISP’s service area covers rural or underserved communities; places where residents may have lost access to emergency services, farming concerns may have lost critical information from remote monitoring of crops during the harvest, and health care providers cut off from telehealth or patients’ records.
…
We assess with high confidence that the malicious firmware update was a deliberate act intended to cause an outage. … This type of attack has only ever happened once before, … as a precursor to an active military invasion. At this time, we do not assess this to be the work of a nation-state or state-sponsored entity.
A test for future warfare tactics? Is that what Lumen’s implying? Mungus the Unhyphenated thinks not:
Bricking devices has high impact once — after the attack, the target will harden defenses and it’s likely that the attack won’t be possible again. [But] was this genuinely an attempt to just brick the routers, or was it a botched attempt to overwrite the firmware with a modified image containing a malicious payload?
…
It would be far more valuable to overwrite the routers’ firmware with a functional but modified image that either has an active malicious payload, or provisions for loading one on-demand later from a command-and-control network. With that in place — particularly if the package can survive across reboots — the attacker would be well-positioned for intercepting traffic in order to scoop up credentials and user data, achieve penetration into customers’ LANs, etc. A far more lucrative and long-term attack; it would essentially be a router-firmware based APT.
However, sarren1901 disagrees:
This could easily be a test run by a nation-state that wanted to see how disruptive not having Internet would be. … This attack was also done only to devices connected to a single ASN, further leading me to believe this could just be a test.
…
Imagine if this same unknown attack group were to figure out the simple majority of routers that your average American household uses and then work to exploit them in an orchestrated attack. Then have that happen about a day or two before the November elections. It could definitely be a major problem.
Have we shaved with Hanlon’s razor yet? u/SquareD8854 ascribes it to incompetence:
I remember when Windstream had the Code Red ordeal and all the Cisco routers had the same password and got flashed. … They would not listen to the engineers and shut it down and stop it from spreading, but kept the network up until it spread to all 22 states.
Is there even a technical solution? sounds thinks that’s unlikely:
Likely can’t be fixed with a purely technical solution. … It’s an interesting challenge because the device is nominally “under ISP control,” but any device located in a customer’s home is under the physical control of the customer.
…
[So] the firmware, including the backup, can be overwritten by the ISP, but then cannot recover if it gets corrupted. And believe me, the corrupt firmware scenario happens a lot. … This is an arms race in a market segment such as routers where there isn’t any money for high end solutions.
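As an added illustration of the point sounds makes (this is not code from the page, from Lumen, or from any router vendor): a Python model of an A/B firmware layout in which an update is verified before the inactive slot is written and the active slot is never modified in place, so a corrupt or unsigned image cannot take out both copies at once. The HMAC key and the image bytes are constructed stand-ins for a vendor’s signing key and real firmware.

```python
import hashlib
import hmac

# Constructed demo key. On a real device the verification key would be an
# asymmetric public key in ROM/OTP; HMAC-SHA256 stands in for that signature check.
VERIFY_KEY = b"constructed-demo-key"


def sign_image(image: bytes, key: bytes = VERIFY_KEY) -> bytes:
    return hmac.new(key, image, hashlib.sha256).digest()


def image_is_valid(image: bytes, tag: bytes, key: bytes = VERIFY_KEY) -> bool:
    # Constant-time comparison of the stored tag against the recomputed one.
    return hmac.compare_digest(sign_image(image, key), tag)


class DualSlotDevice:
    """Model of an A/B firmware layout: the active slot is never written in place."""

    def __init__(self, image: bytes):
        self.slots = {"A": (image, sign_image(image)), "B": (b"", b"")}
        self.active = "A"

    def _other(self, slot: str) -> str:
        return "B" if slot == "A" else "A"

    def apply_update(self, image: bytes, tag: bytes) -> bool:
        # Verify before any flash write; an unsigned or tampered image is refused
        # and the running firmware is left untouched.
        if not image_is_valid(image, tag):
            return False
        inactive = self._other(self.active)
        self.slots[inactive] = (image, tag)
        self.active = inactive  # switch only after a verified write
        return True

    def boot(self):
        # Verify the active slot first; fall back to the other slot if it is intact.
        for slot in (self.active, self._other(self.active)):
            image, tag = self.slots[slot]
            if image and image_is_valid(image, tag):
                self.active = slot
                return slot
        return None  # both slots unusable: the "bricked" outcome the page describes

    def corrupt_active(self, payload: bytes) -> None:
        # Simulate operational code being deleted in place (tag left as-is).
        self.slots[self.active] = (payload, self.slots[self.active][1])
```

A device that only has a single writable image, or whose backup is written by the same update path, loses this fallback, which is exactly the failure mode the comment above describes.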
True geeks scoff at your cheesy ISP supplied plastic box. Here’s Iphtashu Fitz:
Stories like this make me glad I use my own router and not an ISP supplied one. On the other hand, I feel really bad for the non-technical people out there who have to deal with this sort of mess.
Meanwhile, u/madmenisgood visualizes Schadenfreude:
As a previous customer of Windstream, this entire story warms my heart.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Peter Thomas (via Unsplash; leveled and cropped)