WTF?! Cybercriminals can do lasting damage to internet routers protected by weak credentials by abusing the devices' remote access features. Black Lotus Labs researchers discovered one such "destructive" event last October that bricked hundreds of thousands of routers.
Analysts at Black Lotus Labs dubbed the cyber-incident the "Pumpkin Eclipse," as it was felt across several Midwest states by the end of October last year. Between October 25 and 27, over 600,000 small office/home office (SOHO) routers were taken offline, unable to access the internet.
The unnamed criminals targeted two router models manufactured by ActionTec (T3200, T3260), but how they gained access to those devices is still unknown. The hackers didn't use exploits or zero-day vulnerabilities, which suggests they brute-forced weak authentication credentials or entered through an exposed administrative interface.
Once in, the cyber-criminals used a well-known remote access trojan (RAT) named Chalubo to download and install malicious firmware on the compromised routers. The firmware rendered the SOHO devices "permanently inoperable," forcing the ISP to replace them to restore internet connectivity. Security researchers have known about the Chalubo RAT since 2018. The malware has advanced features such as encrypted communications, DDoS capabilities, and custom Lua script execution.
Black Lotus didn't disclose the provider's name, but the incident correlates to a widespread internet outage suffered by customers of Arkansas-based ISP Windstream. Both Windstream and the FBI declined to provide any statement about the incident despite this being a "highly concerning" cyber-attack with unknown motivations.
A sizable portion of Windstream's internet service covers rural or underserved communities where residents rely on internet connectivity to reach emergency services, monitor crops remotely, or manage healthcare applications. A few Windstream Reddit users publicly disclosed that they had suffered a strange internet outage beginning around October 25.
The cyber-criminals weren't interested in using the infected routers to mount a large-scale DDoS attack. Black Lotus did not observe any "overlapping" activity by known nation-state groups during the Pumpkin Eclipse incident, meaning that the unknown criminals simply decided to brick everything for reasons no one has been able to explain yet.