Login

**Maxmars**

A newer criminal conspiracy mystery was inevitable.

Back in October, "some mysterious operator(s)" managed to reduce 600,000 routers being used by subscribers of the ISP known as Windstream to useless "bricks."

One day last October, subscribers to an ISP known as Windstream began flooding message boards with reports their routers had suddenly stopped working and remained unresponsive to reboots and all other attempts to revive them.

“The routers now just sit there with a steady red light on the front,” one user wrote, referring to the ActionTec T3200 router models Windstream provided to both them and a next door neighbor. “They won't even respond to a RESET.”

The author cites Black Lotus (formerly CenturyLink) a cyber security company, who has coined this event as "Pumpkin Eclipse." I suppose every such cyber attack needs a military- style mission name.

Reportedly users had made allegations...

... They said it was the result of the company pushing updates that poisoned the devices. Windstream’s Kinetic broadband service has about 1.6 million subscribers in 18 states, including Iowa, Alabama, Arkansas, Georgia, and Kentucky...

Now the kicker here is that not only do they have no idea WHY these routers were specifically targeted, they have NO CLUE as to who did it. As it unfolds the 'event' marks a terrible vulnerability to all of us lowly users who rely on the people we pay for services to use and maintain a system that is not going to be compromised... The ISP is not commenting, and the event will not be featured in the 11 o'clock news. But 600,000 'new' routers will be shipped...

Word of advice from the uneducated... make your ISP replace your router every if you discover it has been listed as vulnerable. Keep the firmware updated, and brace yourself because eventually someone will try to exploit its' weaknesses.

Oops! Edit to add forgotten source link from ArsTechnica: Mystery malware destroys 600,000 routers from a single ISP during 72-hour span

l0st

I suspect there are more exploits going on that haven't been announced yet. My ISP hands out modem/routers with the subscription. A couple weeks back my modem randomly dropped offline mid afternoon. I was pretty busy so I just tethered my phone and kept working. Later on, when I called in to troubleshoot, they spent virtually no time troubleshooting like they already knew there was a problem and pretty much immediately ordered a replacement. I was shocked because my experience with cable cos is that it's pretty much always an uphill battle.

My modem was rebooting repeatedly and not in the normal looking for signal way. It would get about 10 seconds into the process then immediately crash and reboot over and over. FWIW, my modem is "Hitech" branded, which is not one of the supposedly affected models.The tech on the phone didn't say anything, but it sounded like this was about the 8000th modem replacement he ordered that day.

At any rate, all I did was replace it and it was fixed, so no actual outage or service issue per se. It will be interesting to see if there is a new hack reported in the coming weeks.

Edit to add:
I used an older Arris I had laying around in the interim. No issues with it.

**Maxmars** · 06-05-2024, 05:37 PM

I would bet your suspicions are correct. There are many unpublished exploits out there, and some may be there on purpose.

Not to get "all conspiratorial" about it, but it could be the ISPs themselves...

I used to be inclined to believe that the brand of the device made a difference... but the parts they use largely come from the same manufacturers. Brand is no guarantee.

The exploit is in the design most times... but it can also be in the technical application itself.

Thousands at a time.... that makes me suspect something too.

l0st

(06-05-2024, 05:37 PM)Maxmars Wrote: I would bet your suspicions are correct. There are many unpublished exploits out there, and some may be there on purpose.

Not to get "all conspiratorial" about it, but it could be the ISPs themselves...

I used to be inclined to believe that the brand of the device made a difference... but the parts they use largely come from the same manufacturers. Brand is no guarantee.

The exploit is in the design most times... but it can also be in the technical application itself.

Thousands at a time.... that makes me suspect something too.

I don't know for sure that's what was going on but the tech pretty much guessed what the modem was doing so it seems they are aware of a problem. He was not able to see it online as it never synced to their network. I'm guessing either a compromise or they pushed bad firmware. They have the UI locked out so I couldn't check logs to see if there were any interesting clues in there.

I've always thought it a bit odd that the end user can more or less control the firmware on their home devices if they so desire, but firmware for cable modems has always been managed at the head end. Since these devices are based on an international standard(DOCSIS) one would think there should be no interoperability issues regardless of firmware version, so there should be no specific reason to restrict this capability to the ISP only.

At this stage of the game I wouldn't be at all surprised if the ISP has pushed a backdoor to these people's devices at the behest of the government. At least where the states are concerned, in my opinion we are no longer living under a constitutional republic. We seem to have entered an era where the corps are colluding with the government and people's legal rights as well as the law are simply ignored unless they have the dough to take the government or Corp to court.

OneStepBack · 06-06-2024, 04:22 AM

Home internet routers are very insecure. I am looking into using pfSense. It runs on Windows, Mac, Linux and BSD.

Quote:pfSense is a firewall/router computer software distribution based on FreeBSD. The open source pfSense Community Edition (CE) and pfSense Plus is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network.[sup][3][/sup] It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system to manage.[sup][4][/sup][sup][5][/sup]

Wikipedia

pfSense website

You could stop your ISP updating firmware until you are sure its safe.

**Maxmars** · 06-06-2024, 11:33 AM

(06-06-2024, 04:22 AM)OneStepBack Wrote: Home internet routers are very insecure. I am looking into using pfSense. It runs on Windows, Mac, Linux and BSD.

Wikipedia

pfSense website

You could stop your ISP updating firmware until you are sure its safe.

I suspect (but I don't know for certain) that preventing your ISP from updating the firmware probably 'violates' your contractual 'agreement' with them as a service provider. Those agreements are usually why many people can't simply "buy the best router" and use it instead of the one they 'provide' you.

I like the idea of virtualizing the router, but I think in so far as 'security' it just opens up a whole new way to exploit the situation.

l0st · 06-06-2024, 02:10 PM

(06-06-2024, 04:22 AM)OneStepBack Wrote: Home internet routers are very insecure. I am looking into using pfSense. It runs on Windows, Mac, Linux and BSD.

Wikipedia

pfSense website

You could stop your ISP updating firmware until you are sure its safe.

Pfsense is good if you're into BSD. I never use the ISP Wifi router functionality, only as a modem. If you like pfsense you might also like OpenWRT which is Linux based and quite actively developing. Prior to that I ran LEDE and DD-WRT. I also had a homebrew Devian box running ages ago but it's a lot more maintenance that way.

It should be criminal for these cheap router companies to fail to release security patches.

VulcanWerks · 06-06-2024, 04:06 PM

I had an issue like this with my ISP.

My internet was very wonky and my router conked out on top of that.

ISP came out and wouldn’t really say much after inspection except “you have a lot going on with your system”, replaced the modem and left it at that.

Randomly, he asked me what I do for a living as he was leaving. Not in the course of a conversation just that one question and then he left. Very bizarre encounter all around.

l0st · 06-06-2024, 05:03 PM

(06-06-2024, 04:06 PM)VulcanWerks Wrote: I had an issue like this with my ISP.

My internet was very wonky and my router conked out on top of that.

ISP came out and wouldn’t really say much after inspection except “you have a lot going on with your system”, replaced the modem and left it at that.

Randomly, he asked me what I do for a living as he was leaving. Not in the course of a conversation just that one question and then he left. Very bizarre encounter all around.

Meh, you probably have a more extensive setup than most. Ages ago a friend of mine was a cable guy, had him stop by to check out some connectivity issues a couple times. He said "no wonder I had all kinds of problems" because their techs are simply not trained to deal with any of it beyond the cable connection to the modem/router. There was nothing wrong on my end per-se but the other techs simply didn't know what they were looking at, threw their hands in the air and left.

I have a Ubiquiti something or other I only use as a PoE switch for IP phones, 3 APs with mesh and roaming, openwrt router with fail over to tethering if the link goes out. Double screen monitor setup and multiple machines in one office with VMs and the whole bit. Yeah, "normies" don't have anything like this in their house. They have the single ISP router dangling by the cord behind their TV or something like that.

**Maxmars** · 06-06-2024, 10:26 PM

Looks like another website has picked up the topic...

From HITB.org: This malware botnet bricked over 600,000 routers in coordinated attack — but no one is really sure why

In the report, the researchers said that a piece of commodity remote access trojan (RAT) called Chalubo compromised hundreds of thousands of SOHO routers, consisting of three specific models: ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380, all belonging to the same ISP. Chalubo pulled these routers into the botnet which, among other things, was capable of running distributed denial of service (DDoS) attacks.

Then, between October 25 and 27, 2023, the routers started dying. While Black Lotus did not name the ISP being attacked, BleepingComputer said that the attack “bears a striking resemblance” to the Windstream outage, since its users started reporting dead routers on October 25.