The Pumpkin Eclipse

Summary:
Lumen Technologies’ Black Lotus Labs identified a destructive event in which over 600,000 small office/home office (SOHO) routers belonging to a single internet service provider (ISP) were taken offline. The incident took place over a 72-hour period between October 25 and 27, 2023, rendered the infected devices permanently inoperable, and required hardware replacement. Black Lotus Labs’ analysis identified “Chalubo,” a commodity remote access trojan (RAT), as the primary payload responsible for the event. This trojan, first identified in 2018, employed savvy tradecraft to obfuscate its activity: it removed all of its files from disk to run in-memory, assumed a random process name already present on the device, and encrypted all communications with the command and control (C2) server. Chalubo has payloads for all major SOHO/IoT kernels, pre-built functionality to perform DDoS attacks, and can execute any Lua script sent to the bot; Black Lotus Labs suspects the Lua functionality was used by the malicious actor to retrieve the destructive payload. Lumen’s global telemetry indicates the Chalubo malware family was highly active in November 2023 and remained so into early 2024. Based on a 30-day snapshot in October, Lumen identified over 330,000 unique IP addresses that communicated with one of 75 observed C2 nodes for at least two days, which it treats as a confirmed infection rather than transient scanner noise. The report analyzes open-source observations surrounding the attack, then discusses the infection process observed in October 2023, dissecting the malware functionality, the malware families subsequently dropped, and the family’s global footprint. Black Lotus Labs says the ISP serves vulnerable communities in the United States and suffered a 49% reduction in operating modems due to the ‘Pumpkin Eclipse’ incident.
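The two host-side traits described above (the bot deletes its files from disk and survives only in memory, and it hides under the name of a process that already exists on the device) are things a defender can check for on a Linux-based router or any other Linux host. The following is an added example written for this digest, not code from Black Lotus Labs or the Lumen report. It reads the same two facts the kernel exposes in /proc (`/proc/<pid>/comm` and the target of `/proc/<pid>/exe`), but the process table it runs on is constructed so it works offline; every pid, process name and path in `SAMPLE`, and the helper names `Proc`, `find_suspects` and `snapshot_proc`, are assumptions, not anything from the report.

```python
"""Added example (not Black Lotus Labs' code and not from the Lumen report):
a host-side check for the two tradecraft traits the summary attributes to
Chalubo -- the bot deletes its files from disk and runs only in memory, and
it takes the name of a process that already exists on the device.

On a Linux-based router the inputs are /proc/<pid>/comm and the target of
the /proc/<pid>/exe symlink; the process table below is constructed so the
check runs offline. Every pid, name and path in it is made up.
"""

from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List
import os

DELETED = " (deleted)"


@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str   # contents of /proc/<pid>/comm
    exe: str    # readlink(/proc/<pid>/exe); "" for kernel threads


def image_path(p: Proc) -> str:
    """Path the process was started from, with the kernel's deleted marker stripped."""
    return p.exe[:-len(DELETED)] if p.exe.endswith(DELETED) else p.exe


def runs_in_memory_only(p: Proc) -> bool:
    """True when the executable no longer exists on disk: the kernel appends
    ' (deleted)' to the exe link after an unlink, and memfd-backed images
    (memfd_create + fexecve) show up as /memfd:<name>."""
    return p.exe.endswith(DELETED) or p.exe.startswith("/memfd:")


def find_suspects(procs: Iterable[Proc]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process that (a) runs from a deleted or
    anonymous image, or (b) shares its comm with other processes but was
    started from a different path than the on-disk majority of that group."""
    procs = [p for p in procs if p.exe]        # kernel threads have no exe link
    by_comm: Dict[str, List[Proc]] = defaultdict(list)
    for p in procs:
        by_comm[p.comm].append(p)

    suspects: Dict[int, List[str]] = defaultdict(list)
    for p in procs:
        if runs_in_memory_only(p):
            suspects[p.pid].append("executable deleted from disk (in-memory only)")
        # Majority on-disk path for this name: a second dropbear session started
        # from the same binary is normal, a 'hostapd' started from /tmp is not.
        on_disk = Counter(image_path(s) for s in by_comm[p.comm]
                          if not runs_in_memory_only(s))
        if on_disk:
            canonical = on_disk.most_common(1)[0][0]
            if image_path(p) != canonical:
                suspects[p.pid].append(
                    f"name {p.comm!r} borrowed: expected {canonical}, got {image_path(p)}")
    return dict(suspects)


def snapshot_proc() -> List[Proc]:
    """Read the live process table on a Linux host (not used by the offline demo)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:       # kernel thread, or not root on someone else's process
                exe = ""
        except OSError:           # process exited while we were looking
            continue
        procs.append(Proc(pid, comm, exe))
    return procs


# Constructed process table: four ordinary router daemons, a second legitimate
# dropbear session, a kernel thread, and one bot hiding behind the name hostapd.
SAMPLE = [
    Proc(1, "init", "/sbin/init"),
    Proc(2, "kthreadd", ""),
    Proc(120, "dropbear", "/usr/sbin/dropbear"),
    Proc(121, "dropbear", "/usr/sbin/dropbear"),
    Proc(133, "hostapd", "/usr/sbin/hostapd"),
    Proc(140, "dnsmasq", "/usr/sbin/dnsmasq"),
    Proc(402, "hostapd", "/tmp/.x" + DELETED),
]

if __name__ == "__main__":
    for pid, reasons in find_suspects(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

Run against the live table with `find_suspects(snapshot_proc())` as root, since reading `/proc/<pid>/exe` for another user's process is otherwise denied. The name check is a heuristic: a device whose daemons are BusyBox applets reached through symlinks, or which legitimately runs two different binaries under one name, will produce false positives, so triage on the deleted-image reason first. Finding a deleted-image process also explains why the reboot advice below works: it clears a payload that exists only in memory, though it does nothing about the weakness that let it in.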

Analyst Comment:
Black Lotus Labs suspects the threat actors behind this event chose a commodity malware family, rather than a custom-developed toolkit, to obfuscate attribution. At this time, they have not observed any overlap between this activity and known nation-state activity clusters. They assess with high confidence that the malicious firmware update was a deliberate act intended to cause an outage, and although they expected to see a range of router makes and models affected across the internet, the event was confined to a single ASN. Most previous campaigns they have observed target a specific router model or a common vulnerability and have effects across multiple providers’ networks. Destructive attacks of this nature are highly concerning, especially in this case because a sizeable portion of the ISP’s service area covers rural or underserved communities: residents may have lost access to emergency services, farming operations may have lost critical data from remote crop monitoring during the harvest, and health care providers may have been cut off from telehealth or patient records. Recovery from any supply chain disruption takes longer in isolated or vulnerable communities that do not have specific mitigation measures in place for attacks like this.

Suggested Corrections:
Black Lotus Labs has published IOCs relevant to this campaign and malware on their GitHub page.

To protect networks from equipment-based compromises, Black Lotus Labs recommends the following:

  • Organizations that manage SOHO routers: make sure devices do not rely upon common default passwords. They should also ensure that the management interfaces are properly secured and not reachable from the internet, for example by binding them to the LAN or a dedicated management network and filtering inbound access at the edge. For more information on securing management interfaces, please see CISA Binding Operational Directive (BOD) 23-02 on mitigating the risk from internet-exposed management interfaces.
  • Consumers with SOHO routers: Users should follow best practices of regularly rebooting routers and installing security updates and patches. A reboot clears a payload that, like Chalubo, has removed its files from disk and runs only in memory, but only a patch closes the weakness that allowed the infection. For guidance on how to perform these actions, please see the “best practices” document prepared by the Canadian Centre for Cyber Security.

Link(s):
https://blog.lumen.com/the-pumpkin-eclipse/

https://www.bleepingcomputer.com/news/security/malware-botnet-bricked-600-000-routers-in-mysterious-2023-attack/