In a coordinated attack by an unknown threat actor, more than 600,000 small home/office routers belonging to the same ISP were rendered useless for over 72 hours. The incident occurred between October 25 and 27, 2023 and affected ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380 router models. Most of the affected routers were located in the US.
All of the affected routers belonged to the ISP’s autonomous system number (ASN). Security researchers from Lumen claim that the routers were likely targeted by Chalubo, a remote access trojan (RAT) that can enlist an infected device in a botnet. Lumen’s report states that nearly 179,000 ActionTec and 480,000 Sagemcom routers might have been affected by the attack, with over 49% of the affected devices being taken offline.
The threat actor behind the incident remains unknown, but the investigation suggests the Chalubo RAT was likely chosen to obfuscate attribution. That said, there is no evidence of any overlap between the incident and any known state-backed threat actor.
As for the Chalubo RAT itself, it was initially discovered in 2018, and since then hundreds of thousands of Chalubo bots have been detected worldwide. Each of these bots communicates with one of the tens of malware panels that the botnet administrator was found to be operating between September and November 2023.

Only one such panel was used in the attack. Based on a 30-day snapshot in October, researchers identified over 330,000 unique IP addresses that communicated with one of the 75 observed command and control nodes for the RAT.
Besides the damage caused by the outage, this attack stands out for two reasons. The first is its sheer scale. Lumen states that it has never before seen a single attack wave affect more than 600,000 routers, and it is calling for the replacement of all targeted units because of the RAT’s ability to reside in the affected device’s memory.
Secondly, all affected routers belonged to a single ASN. Generally speaking, such attacks target a specific brand or model of router, or a newly disclosed vulnerability, and therefore hit multiple service providers at once. Here, however, the affected routers spanned several models from different manufacturers yet all belonged to the same ISP, so Lumen assesses that the outage was not the result of a faulty firmware update from a single manufacturer.
The researchers conclude that the attack was a deliberate attempt to cause an outage. The investigation also revealed that, while Chalubo was used in this destructive attack, the malware was not written specifically for destructive actions. The threat actor is suspected of having used Chalubo as commodity malware to conceal their identity, rather than a custom-developed toolkit that might have revealed who they are.