Attackers use the Chalubo trojan to render over 600,000 ActionTec routers inoperable

Reports of malfunction first started coming in on October 25, 2023


A recently published report sheds light on what caused over 600,000 ActionTec routers to stop functioning altogether, reports of which first emerged in October 2023. The two router models primarily affected were the ActionTec T3200 and ActionTec T3260!

According to the report by Lumen Technologies' Black Lotus Labs, thousands of users subscribed to a single ISP (Internet Service Provider) started facing issues with their ActionTec routers between October 25 and 27, 2023. They lost access to the Internet, and on checking, the router displayed a steady red light.

The company promptly replaced all the 600,000 affected routers, as the attack rendered them permanently inoperable.

During the investigation, this massive ActionTec router malfunction was attributed to an attack, codenamed The Pumpkin Eclipse, using Chalubo, a remote access trojan. According to the report,

This trojan, first identified in 2018, employed savvy tradecraft to obfuscate its activity; it removed all files from disk to run in-memory, assumed a random process name already present on the device, and encrypted all communications with the command and control (C2) server. Chalubo has payloads designed for all major SOHO/IoT kernels, pre-built functionality to perform DDoS attacks, and can execute any Lua script sent to the bot.

While the researchers haven't yet been able to identify the vulnerability the threat actors exploited to gain access, they suggest it was either weak credentials or an exposed administrative interface. According to the researchers,

When searching for exploits impacting these models in OpenCVE for ActionTec, none were listed for the two models in question, suggesting the threat actor likely either abused weak credentials or exploited an exposed administrative interface.

On inspection, researchers discovered that the attack was well executed, leaving no traces of Chalubo on the infected ActionTec devices.

However, one mistake by the threat actors helped researchers identify that the attack was linked to the Chalubo trojan. The report says,

The only mistake we observed on the threat actor’s part was in using the exact same encryption key and nonce that was previously documented in the 2018 report. Another oddity stood out during analysis as we identified a handful of commands related to DDoS functions, however, when we saw infected machines receive commands to launch DDoS attacks, they did not use the embedded binaries’ functionality.

Researchers at Black Lotus Labs highlight how the attack on ActionTec routers was unique for two reasons. First, its sheer scale necessitated the replacement of over 600,000 routers, especially notable since the attack didn't appear to have links with state-backed entities.

Second, the attack was limited to a specific ASN (Autonomous System Number) and single ISP, which usually isn’t the case.

Another concerning aspect of the recent Chalubo attack is that most of the affected users were located in rural areas, making the recovery phase a lot more challenging. Besides, the outage left thousands without Internet access, including access to emergency services and critical data.

At present, there is rather limited information about the Chalubo attack on ActionTec. We hope to get more insights in the coming days as further research is carried out around the attack.

The whole episode begs the question, are we doing enough to stop AI from falling into the hands of threat actors? Because it is, undoubtedly, the ultimate tool for cyberattacks!

What actions do you think will reduce the likelihood of similar attacks in the future? Share with our readers in the comments section.
