
Destructive 'Chalubo' RAT used to permanently disable 600,000 routers with malware last year


An information security firm has published details of a large-scale malware attack in October last year that resulted in over 600,000 small and home office (SOHO) gateways being rendered permanently inoperable in just 72 hours, with the devices needing to be physically replaced.

Researchers at security vendor Lumen Technologies' Black Lotus Labs said the attack used the 'Chalubo' remote access trojan (RAT), first seen in 2018, to deploy a destructive payload at the end of October last year.

Residential and small office broadband routers connected to the Internet are often not patched against security vulnerabilities, leaving them as sitting ducks for attackers to exploit in large numbers. Regularly rebooting routers and installing any available security updates may help to mitigate vulnerabilities, along with replacing the devices themselves once they are old and no longer supported.

Black Lotus Labs said the 'Chalubo' RAT obfuscated its presence and activity on the routers by removing all of its files from disk and running in memory only. It would also assume the name of a random process already present on the router, and it encrypted all communications with the attacker's command and control (C2) server.
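As an added example, not from the article or from Black Lotus Labs, here is a small Linux-side check a defender could run on a router or similar embedded host to spot the two traits just described: a running process whose binary has been unlinked from disk, and a process name that does not match the executable it was started from. The /proc layout it reads and the constructed sample process table are assumptions.

```python
"""Flag Linux processes showing the evasion traits described above:
the on-disk binary was removed after launch (/proc/<pid>/exe -> '... (deleted)')
and the process name (comm) does not match the executable's basename."""
import os
from dataclasses import dataclass


@dataclass
class ProcInfo:
    pid: int
    comm: str   # contents of /proc/<pid>/comm
    exe: str    # readlink of /proc/<pid>/exe


def suspicious_traits(p: ProcInfo) -> list[str]:
    """Return the evasion traits seen for one process (empty list = none)."""
    traits = []
    if p.exe.endswith(" (deleted)"):
        traits.append("memory-only: executable unlinked from disk")
    exe_base = os.path.basename(p.exe.removesuffix(" (deleted)"))
    # The kernel truncates comm to 15 chars, so compare on that prefix.
    # A mismatch alone is a weak signal (interpreters, prctl renames);
    # it is the combination with an unlinked binary that matters.
    if p.exe and exe_base[:15] != p.comm:
        traits.append(f"name mismatch: comm={p.comm!r} exe={exe_base!r}")
    return traits


def scan(procs: list[ProcInfo]) -> dict[int, list[str]]:
    """Map pid -> traits for every process that shows at least one trait."""
    return {p.pid: t for p in procs if (t := suspicious_traits(p))}


def read_proc() -> list[ProcInfo]:
    """Collect ProcInfo for every process on the live system (Linux only)."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue  # kernel threads, or processes we may not inspect
        out.append(ProcInfo(int(name), comm, exe))
    return out


# Constructed sample standing in for a router's process list (not real data).
SAMPLE = [
    ProcInfo(412, "dnsmasq", "/usr/sbin/dnsmasq"),
    ProcInfo(519, "hostapd", "/usr/sbin/hostapd"),
    ProcInfo(777, "hostapd", "/tmp/.x (deleted)"),  # borrowed name, unlinked binary
]

if __name__ == "__main__":
    procs = read_proc() if os.path.isdir("/proc") else SAMPLE
    for pid, traits in scan(procs).items():
        print(pid, "; ".join(traits))
```

Run it on a live Linux host to list only processes that show at least one trait; with no /proc available it falls back to the constructed sample.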

How exactly the attacker gained initial access to the routers is not yet known, but Black Lotus Labs believes it was done by exploiting weak login credentials, or via an exposed device administrative interface. The modular malware would retrieve and run a destructive payload, which Black Lotus Labs has not been able to recover because 'Chalubo' and the scripts it deployed would delete all traces of malicious code from the routers.

The attacked routers were from United States company ActionTec, and France's Sagemcom. A single autonomous system number (ASN) network assigned to an internet provider that focused on rural customers was targeted by the attacker, the researchers said. 

Why that network was attacked is not known. Black Lotus Labs pointed out the attack was highly concerning, and likely to have caused the ISP customers plenty of grief.

A sizeable portion of this ISP’s service area covers rural or underserved communities; places where residents may have lost access to emergency services, farming concerns may have lost critical information from remote monitoring of crops during the harvest, and health care providers cut off from telehealth or patients’ records. Needless to say, recovery from any supply chain disruption takes longer in isolated or vulnerable communities.  

In March this year, Black Lotus Labs said it had unearthed another malware campaign targeting 6000 routers made by Taiwanese IT giant ASUS. The devices were old, end-of-life, and were attacked with 'TheMoon' malware which has been in existence since 2014.

Compromised routers were used as part of a botnet that provided an anonymising proxy service.


5 Comments

Pretty poor firmware/hardware if it can be bricked these days on modern devices. It may have been temporarily bricked and may even have needed physical replacement to get back up and running as fast as possible, but it should still be designed to be recoverable these days with a decent loader.

Up
1

It's probably as trivial as soldering some wires to the jtag port on the circuit board, and simply getting a serial port up and running....  

Up
0

Actually it's as trivial as logging on to a device left with its default password, well known and the same for all devices, then applying an upgrade, but with a malicious file. The takeaway is, make sure your router is not configured with its default configuration password.

Up
4

Most home routers are not secured operating in default mode

Many of the popular routers have vulnerabilities. For example, if a hacker can log onto your Wi-Fi network, they can access all Wi-Fi run devices in the home, including smart devices, fire and security systems and monitor your web traffic. And they can do this anytime, 24/7.

Up
0

Correct. Home Wifi networks are possibly less of a risk because of limited access. A public Wifi network accessible to many users, set up, for example, by a small organisation which is unaware of security, is more of a problem. And not just because software can be upgraded. If the configured DNS server address can be modified, traffic can be routed to any destination. TLS server authentication may help prevent this, but in some situations a user could bypass or ignore a warning and give away login details or other information. Which is one reason we are told not to use public Wifi for sensitive information.

Up
0