Over 600,000 small office/home office (SOHO) routers belonging to a single Internet service provider (ISP) ended up taken offline over a 72-hour period between October 25-27, new research found.

As a result of the incident, the attack rendered the infected devices permanently inoperable, and required a hardware-based replacement, according to a report from Lumen Technologies’ Black Lotus Labs.

Public scan data confirmed the removal of 49 percent of all modems from the impacted ISP’s autonomous system number (ASN) during this time period, according to the report.

Black Lotus Labs identified “Chalubo,” a commodity remote access trojan (RAT), as the primary payload responsible for the event.

Hides Activity
This trojan, first identified in 2018, uses tricks to hide its activity. It removed all files from disk to run in-memory, assumed a random process name already present on the device, and encrypted all communications with the command and control (C2) server.

Schneider Bold

Researchers feel that is why there is only one report on the Chalubo malware family to date.

Chalubo has payloads designed for all major SOHO/IoT kernels, pre-built functionality to perform DDoS attacks, and can execute any Lua script sent to the bot. Researchers said they feel the Lua functionality was likely employed by the malicious actor to retrieve the destructive payload.

Lumen’s global telemetry indicates the Chalubo malware family was highly active in November 2023 and remained so into early 2024, the researchers said.

Based on a 30-day snapshot in October, Lumen identified over 330,000 unique IP addresses that communicated with one of 75 observed C2 nodes for at least two days, indicating a confirmed infection. This suggests while the Chalubo malware ended up used in this destructive attack, it was not written specifically for destructive actions.

The researchers feel the threat actors behind this event chose a commodity malware family to obfuscate attribution, instead of using a custom-developed toolkit.

Researchers said with high confidence the malicious firmware update was a deliberate act intended to cause an outage. While they expected to see a number of router make and models affected across the internet, this event was confined to the single autonomous system number (ASN).

Cause and Effect
Destructive attacks of this nature are highly concerning, especially so in this case, the researchers said.

A sizeable portion of this ISP’s service area covers rural or underserved communities; places where residents may have lost access to emergency services, farming concerns may have lost critical information from remote monitoring of crops during the harvest, and health care providers cut off from telehealth or patients’ records. Needless to say, recovery from any supply chain disruption takes longer in isolated or vulnerable communities.

“This is my first awareness of a large-scale wiperware campaign in the U.S.,” said Roger Grimes, data-driven defense evangelist at KnowBe4. If something like this has happened before, I’m unaware of it. And what would be the motivation for malicious hackers to wipe out hundreds of thousands of unpatched modems? This also shows the need for auto-patching. Every consumer hardware device should always do aggressive auto-patching. Don’t involve a human. Just look for patches every day and download and install them. Most people never patch their hardware. This incident is proof of that.”

“This is an interesting case that appears to be borne from purely malicious intent as they physically wiped out devices using this service provider,” said Erich Kron, security awareness advocate at KnowBe4. “The sheer volume of impacted devices was bound to cause problems for the 600,000 impacted users trying to replace their modems at the same time in order to get back online. Furthermore, it seems that the impacted ISP works with vulnerable communities, making the attack that much worse. There certainly is a lesson to learn here about the possibility of bad actors, whether traditional cyber criminals or nation state actors, to be able to impact over half a million users at the drop of a hat. It is even more troubling that we are unaware of how this was done, meaning other devices could also be vulnerable to this attack.”

Click here for more details on the attack.


Pin It on Pinterest

Share This