WHY THIS MATTERS IN BRIEF
It used to be the case that you could reset compromised hardware, but this is the second example of malware bricking devices with no way to recover or restart them.
A while ago I spoke about how a mystery hacking group managed to brick, in other words physically disable and thereby ruin, email routers from Barracuda Networks. Now it has happened again, on a much larger (and smaller) scale: unknown miscreants reportedly broke into more than 600,000 routers belonging to a single ISP late last year and deployed malware on the devices before totally disabling them, according to security researchers.
The cyber attack, which wasn’t reported at the time, took place over a 72-hour period between October 25 and 27, 2023. It “rendered the infected devices permanently inoperable, and required a hardware-based replacement,” according to US telco Lumen Technologies’ Black Lotus Labs, which published details about the destructive event on Thursday and named it “Pumpkin Eclipse.”
It seems the mysterious intruders specifically targeted two different routers – ActionTec’s T3200 and T3260 – but it’s unclear how they gained access.
“When searching for exploits impacting these models in [vulnerability alerting platform] OpenCVE for ActionTec, none were listed for the two models in question, suggesting the threat actor likely either abused weak credentials or exploited an exposed administrative interface,” the Black Lotus researchers opined – without naming the impacted ISP. It’s been speculated that Arkansas-based Windstream was the victim, but the ISP declined to comment.
Black Lotus revealed the unknown attackers broke the 600,000-plus routers using Chalubo – a Remote Access Trojan (RAT), variants of which in the past have been used to blow up chemical plants.
The malware has been around since 2018 and has built-in features to encrypt communications with the command-and-control server, perform Distributed Denial-of-Service (DDoS) attacks, and execute Lua scripts on infected devices. Oddly, the criminals didn’t use the DDoS functionality, we’re told.
“At this time, we do not have an overlap between this activity and any known nation-state activity clusters,” the threat hunters wrote.
Specifically, there’s no overlap with China’s Volt Typhoon, which also has an affinity for infecting routers, or Russia’s Sandworm, aka SeaShell Blizzard, another crew known for destructive attacks.
The researchers added that this specific type of attack has only ever been seen once before: the AcidRain wiper case, which has been attributed to Sandworm and was used to take out KA-SAT modems used in Ukraine as a prelude to Russia’s invasion.
Black Lotus asserts a high level of confidence that “the malicious firmware update was a deliberate act intended to cause an outage, and though we expected to see a number of router make and models affected across the internet, this event was confined to the single ASN [Autonomous System Number].”