A mysterious cyber attack has resulted in the bricking of over 600,000 small office/home office (SOHO) routers in the United States, causing significant disruption to internet access. Codenamed Pumpkin Eclipse, the attack occurred between October 25 and 27, 2023, targeting three router models issued by an undisclosed internet service provider (ISP). The affected routers, including ActionTec T3200, ActionTec T3260, and Sagemcom, were rendered permanently inoperable, requiring hardware-based replacement.
The scale and impact of the attack are unprecedented, with the affected ISP experiencing the removal of 49% of all modems from its autonomous system number (ASN) during the attack period. While the identity of the ISP remains undisclosed, evidence suggests it could be Windstream, which suffered a similar outage around the same time. Analysis conducted months later by Lumen’s Black Lotus Labs team revealed the use of the Chalubo remote access trojan (RAT) as the weapon of choice by the attackers.
Chalubo, a commodity RAT documented by Sophos in October 2018, is known for its stealthy capabilities and DDoS attack functionality. The attackers likely chose Chalubo to obfuscate attribution efforts, opting for commodity malware instead of a custom toolkit. The exact method of initial access to the routers remains unclear, but weak credentials or exploited administrative interfaces are suspected. The targeting of a single ASN raises questions about the motive behind the incident, as previous attacks have typically focused on specific router models or vulnerabilities rather than on a single provider's network.