Hackers Compromised SOHO 600,000 Routers Within 72 Hours For Botnet

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

Hackers often target the routers to take charge of network traffic, get hold of sensitive data, and attack attached devices.

When a router is hacked, it can create a botnet for major cyber-attacks or send users to harmful websites while continuing its evil work and increasing its coverage.

Cybersecurity researchers at Lumen Technologies’ Black Lotus Labs recently identified that hackers have compromised over 600,000 SOHO routers within 72 hours for botnet.

600,000 SOHO Routers Attacked

In October 2023, Lumen Technologies discovered a destructive attack that made 600,000 SOHO routers belonging to one ISP useless in 72 hours using the Chalubo remote access trojan. 

The malware used obfuscation techniques and multiple steps infected via firmware updates to ensure a permanent denial of service for rural areas and those with less access to internet facilities.

 All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo

It is believed that the attack intentionally targeted the ISP and may not have originated from any known nation-state actors’ operations, consequently raising concerns about an increase in such cyber-attacks having severe consequences over critical infrastructures.

Logical Infection process (Source – Lumen)

The next stage of Chalubo presented a more sophisticated tradecraft, which removed files from the disk, renamed processes, utilized encrypted communications, employed delays to evade sandboxes, and enabled running arbitrary Lua scripts– most likely the channel for getting the destructive payload back.

Monitoring showed that it had DDoS functionality, which was not utilized, consequently indicating a lack of coordination between developers and operators.

For a piece of commodity malware, its infection mechanism across MIPS, ARM, and PowerPC architectures was surprisingly advanced, a fact that probably explains why it took so long for the attackers’ network router attacks to happen.

Chalubo samples collected in October 2023 were analyzed. They showed signs of key reuse and the absence of persistence mechanisms, implying that the Lua scripting engine might have been employed to fetch the destructive payload programmed to attack the ISP’s routers. 

DDoS existed, but operators never utilized it. International telemetry depicted the Chalubo botnet’s global scope, where one command-and-control (C&C) panel could manage over a hundred thousand bots within a month.

In spite of this, separate settings for the segregated infrastructure and brief links of many bots suggest that these are not backup systems but rather indicate siloed operations.

Global heat map showing the distribution of bots by distinct IP addresses (Source – Lumen)

The investigations revealed that Chalubo was a malware that facilitated, but not all its infections resulted in destructive payloads.

This deliberate act, unprecedented in scale, bricked over 600,000 from one ISP via suspected firmware corruption, unlike previous nation-state campaigns, which targeted vulnerabilities across providers.

The unidentified threat actor had no overlaps with any known clusters and confined the destruction to one autonomous system.

Recommendations

Here below we have mentioned all the recommendations:-

For Organizations:

  • Avoid common default passwords.
  • Secure management interfaces, and keep them inaccessible from the internet.
  • Refer to DHS’ CISA BoD 23-02 for detailed guidance.

For Consumers:

  • Regularly reboot routers.
  • Install security updates and patches.
  • Follow the Canadian Centre for Cybersecurity’s “best practices” document.

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.