An unknown attacker has been confirmed to have rendered more than 600,000 routers from a single Internet service provider effectively unusable via a malicious firmware update, with customers reporting that the routers had stopped working, displayed a solid red light and were unable to be rebooted.
Security researchers at Lumen Technologies' Black Lotus Labs have published a detailed analysis of a highly unusual incident that played out over a 72-hour period in October 2023. The incident, described in the report as a devastating event, caused small office/home office (SOHO) internet routers, identified as the ActionTec T3200 model, to be “permanently rendered inoperable, necessitating a hardware-based replacement.”
The researchers said their scans revealed that 49% of all the ISP's modems had suddenly disappeared from its autonomous system (AS), the collection of Internet Protocol routing prefixes operated by a single network operator and identified by an autonomous system number (ASN).
Attack used Chalubo trojan to push malicious firmware updates
The attack appears to have been carried out using a remote access trojan called Chalubo, first discovered in 2018. Known for containing customized payloads for SOHO routers and IoT devices, Chalubo is capable of executing malicious scripts to carry out distributed denial of service attacks.
“We suspect that the threat actors behind this incident opted for a common malware family to obscure attribution, instead of using a custom-developed toolkit,” the researchers said. However, the motive for the attack remains unclear, and Black Lotus Labs said it found no “known nation-state activity clusters” associated with the attack.
Even so, the researchers determined with a “high degree of confidence” that this was not an accident but a deliberate act intended to cause an internet outage, in effect a denial of service against the ISP's customers.
The Black Lotus Labs report didn't name the ISP involved, but Ars Technica reports it is Windstream, based on details it received from Windstream subscribers around the same time in October 2023 and on the model of the affected routers.
I've reached out to Windstream for a statement, and my understanding is that customers affected by this attack were provided with new routers as quickly as possible.