Mystery Malware Destroys 600,000 Routers From a Single ISP During 72-hour Span
A widespread outage affecting over 600,000 routers connected to Windstream's Kinetic broadband service left customers without internet access for several days last October, according to a report by security firm Lumen Technologies' Black Lotus Labs. The incident, dubbed "Pumpkin Eclipse," is believed to be the result of a deliberate attack using commodity malware known as Chalubo to overwrite router firmware. Windstream, which has about 1.6 million subscribers in 18 states, has not provided an explanation for the outage. The company sent replacement routers to affected customers, many of whom reported significant financial losses due to the disruption. ArsTechnica adds: After learning of the mass router outage, Black Lotus began querying the Censys search engine for the affected router models. A one-week snapshot soon revealed that one specific ASN experienced a 49 percent drop in those models just as the reports began. This amounted to the disconnection of at least 179,000 ActionTec routers and more than 480,000 routers sold by Sagemcom. The constant connecting and disconnecting of routers to any ISP complicates the tracking process, because it's impossible to know if a disappearance is the result of the normal churn or something more complicated. Black Lotus said that a conservative estimate is that at least 600,000 of the disconnections it tracked were the result of Chaluba infecting the devices and, from there, permanently wiping the firmware they ran on. After identifying the ASN, Black Lotus discovered a complex multi-path infection mechanism for installing Chaluba on the routers.
Read more of this story at Slashdot.