June 3, 2024
Severity
High
Analysis Summary
Users' access to the internet was disrupted by a devastating cyberattack carried out by unidentified threat actors, resulting in an estimated 600,000 small office/home office (SOHO) routers being bricked and taken offline.
Dubbed Pumpkin Eclipse by cybersecurity researchers, the incident occurred between October 25 and 27, 2023, and affected a single internet service provider (ISP) in the United States. Three router models issued by the ISP were notably impacted: the ActionTec T3200, the ActionTec T3260, and a Sagemcom model. Over those 72 hours the compromised devices were rendered permanently unusable, necessitating a hardware replacement.
Notably, the blackout caused 49% of all modems associated with the affected ISP's autonomous system number (ASN) to drop offline abruptly during that period. Although the ISP has not been named, indications suggest it was Windstream, which experienced an outage at the same time that prompted customers to report a persistent red light on the affected modems.
Months later, researchers' analysis identified the cause of the sabotage as Chalubo, a commodity remote access trojan (RAT) first reported in October 2018. The adversary likely chose Chalubo over a custom toolkit to make attribution more difficult. Chalubo ships payloads for all popular SOHO/IoT kernels, has built-in DDoS attack capabilities, and can run any Lua script supplied to it; the threat actor most likely used the Lua capability to fetch the destructive payload.
The initial access method is still unknown, although it may have involved compromised credentials or an exposed administrative interface. After establishing a foothold, the infection chain drops shell scripts, which in turn fetch a loader that downloads and runs Chalubo from a remote server. Which destructive Lua module the malware fetched is also uncertain.
One noteworthy feature of the campaign is that it targeted a single ASN, whereas previous campaigns have usually targeted a particular router model or a widespread vulnerability. This suggests a deliberately targeted effort, although its exact goals remain unknown. The scale is also unusual: no previous attack has required the replacement of more than 600,000 devices. Only one comparable incident has been recorded, in which AcidRain was used in connection with a military invasion.
Impact
- Denial of Service
- Operational Disruption
- Unauthorized Remote Access
Indicators of Compromise
IP
- 104.233.210.119
Domain Name
- checkqazxsw1.com
URL
- http://coreconf.net/
- http://185.189.240.13/
- https://dh.id3cqcmgjcb.top/
- https://m.aiguoba.com/
- http://sainnguatc.com:8080/ASUHALUMNABTC/res.dat
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and keep signature definitions up to date. Multi-layered protection is necessary to secure vulnerable assets.
- Immediately change default passwords on IoT devices to unique ones.
- Keep devices' firmware and software up to date to ensure that known vulnerabilities are patched.
- Isolate IoT devices from critical systems by segmenting your network.
- Implement firewalls and intrusion detection systems to monitor and control traffic to and from IoT devices.
- Employ tools that can identify unusual behavior or traffic patterns that might indicate a DDoS attack or a compromised device.
- Disable any unnecessary services or features on IoT devices to reduce their attack surface.
- Follow security best practices, such as disabling remote management if not needed and enabling security features provided by the device manufacturer.
- Deploy intrusion detection and prevention systems (IDS/IPS) to monitor for anomalous or malicious network activity.
- Set up alerts for unusual traffic patterns that might indicate a DDoS attack or a compromised device.
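As an added example (not part of the advisory), the following Python sweeps proxy, DNS and firewall log lines for the indicators listed above; it also derives hostnames and IPs from the URL indicators so that DNS and firewall telemetry can match, and treats subdomains of an indicator domain as hits. The log lines and the log format (whitespace-separated `key=value` tokens) are constructed for the example.

```python
from urllib.parse import urlsplit
# Indicators exactly as listed in the advisory above.
IOC_IPS = {"104.233.210.119"}
IOC_DOMAINS = {"checkqazxsw1.com"}
IOC_URLS = {
    "http://coreconf.net/",
    "http://185.189.240.13/",
    "https://dh.id3cqcmgjcb.top/",
    "https://m.aiguoba.com/",
    "http://sainnguatc.com:8080/ASUHALUMNABTC/res.dat",
}
# Constructed sample log lines (proxy, DNS, firewall); not real telemetry.
SAMPLE_LOGS = [
    "2023-10-25T03:14:07Z proxy src=10.0.0.12 GET http://sainnguatc.com:8080/ASUHALUMNABTC/res.dat 200",
    "2023-10-25T03:14:09Z dns src=10.0.0.12 query=checkqazxsw1.com type=A",
    "2023-10-25T03:15:30Z fw src=10.0.0.12 dst=104.233.210.119 dport=443 action=allow",
    "2023-10-25T03:16:00Z dns src=10.0.0.31 query=cdn.m.aiguoba.com type=A",
    "2023-10-25T03:17:00Z proxy src=10.0.0.31 GET https://example.com/index.html 200",
]

def build_watchlist():
    """Add the hosts from the URL indicators so DNS and firewall logs can match too."""
    ips, domains = set(IOC_IPS), set(IOC_DOMAINS)
    for url in IOC_URLS:
        host = urlsplit(url).hostname  # an IPv4 literal is digits and dots only
        (ips if host.replace(".", "").isdigit() else domains).add(host)
    return ips, domains

def matches_domain(name, domains):
    """Exact match or any subdomain of an indicator domain (C2 hosts often rotate subdomains)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def scan_line(line, ips, domains):
    """Return (indicator_type, value) hits for one whitespace-separated log line."""
    hits = []
    for raw in line.split():
        token = raw.strip('",;()[]<>').split("=", 1)[-1]  # drop quoting and key= prefixes
        if token in IOC_URLS:
            hits.append(("url", token))
            continue
        host = (urlsplit(token).hostname or "") if "://" in token else token
        if host in ips:
            hits.append(("ip", host))
        elif matches_domain(host, domains):
            hits.append(("domain", host))
    return hits

def scan(lines):
    """Map line index -> hits for every line that touched an indicator."""
    ips, domains = build_watchlist()
    return {i: h for i, line in enumerate(lines) if (h := scan_line(line, ips, domains))}
```

Running `scan(SAMPLE_LOGS)` flags the first four sample lines (URL, domain, IP and subdomain hits) and leaves the benign fifth line unreported.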