Sometimes unplugging the router and plugging it back in doesn’t solve the network issue.
The Black Lotus Labs team from telecom company Lumen Technologies revealed a security incident that led to over 600,000 routers going offline, rendering many of the small-office and home-office devices “permanently inoperable” and requiring a hardware-based replacement.
The shutdown, reportedly caused by remote malware, demonstrates an unusual network security incident impacting residential devices frequently not configured with enterprise-level access control measures to prevent attacks, according to one IT pro.
“This type of attack is so rare because it doesn’t net the attacker anything,” Ryan English, information security engineer at Lumen, told IT Brew.
“It’s more likely that you’re going to get hit by lightning than you’re going to be in an [internet service provider] that gets all of its routers bricked,” he said.
But a bricking did happen to at least some of the routers, according to English’s team’s report, taking place over a 72-hour period between October 25–27, when “Chalubo,” a commodity remote access trojan (RAT) “removed all files from disk to run in-memory, assumed a random process name already present on the device, and encrypted all communications with the command and control (C2) server.”
The ISP (which neither English nor the Lumen report have identified) did not share details with Lumen about the initial entry point, leaving English to speculate on three suspects for the outage:
- A disgruntled employee
- A hacker or hacking group trying to boost their reputation
- A nation-state actor conducting a proof of concept
“The initial access vector was probably tailor-made for those devices that we saw affected. And if that’s the case, there’s the fear of things that you can control, and then there’s the acceptance of things that you cannot control. This is one of those: Accept the things you can’t control,” English said.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
“This type of attack has only ever happened once before,” the Lumen writers wrote in the conclusion of their May report, citing a 2022 cyberattack, detailed by SentinelLabs, that rendered Viasat KA-SAT modems inoperable in Ukraine.
English’s greater router-related concern, generally: known exploits on vulnerable, end-of-life (EOL) routers that allow attackers to form networks of infected devices, or botnets.
In February, the FBI and other agencies published an advisory warning of Russian state-sponsored cyber actors’ use of compromised routers “to collect credentials, proxy network traffic, and host spoofed landing pages and custom post-exploitation tools.” (The Department of Justice and Lumen, in a separate March 2024 report, detailed botnets targeting EOL routers.)
“A lot of times, whatever shipped to the software that shipped with those devices might stay on there indefinitely. So, if an attacker is able to find an exploit in that, they have a pretty wide area of attack, knowing that those devices aren’t particularly upgraded very often, if at all,” Andrew Taylor, director of technology practice at consultancy West Monroe, told IT Brew.
While acknowledging the rare, accept-what-you-can’t-control nature of the incident, labeled “Pumpkin Eclipse,” English recommends best practices to avoid being botnetted: replacing end-of-life devices, rebooting the router regularly (to dismiss malware in temporary storage), using multi-factor authentication for router-connected services, deploying complex passwords, and actively searching for updates.
“600,000 routers, in the Pumpkin Eclipse report, is a fraction of the number of end-of-life routers that are out there in the world,” English said.