Cybercriminals can do lasting damage to internet routers protected by weak credentials by abusing the devices' remote access features. Black Lotus Labs researchers discovered one such "destructive" event last October that bricked hundreds of thousands of routers.
Analysts at Black Lotus Labs dubbed the cyber-incident the "Pumpkin Eclipse," as it was felt across several Midwest states by the end of October last year. Between October 25 and 27, over 600,000 small office/home office (SOHO) routers were taken offline, unable to access the internet.
The unnamed criminals targeted two router models manufactured by ActionTec (T3200, T3260), but the method used to gain access to those devices is still unknown. The attackers didn't use exploits or zero-day vulnerabilities, which suggests they brute-forced weak authentication credentials or entered through an exposed administrative interface.
Once in, the cybercriminals used a well-known remote access trojan (RAT) named Chalubo to download and install malicious firmware on the compromised routers. The firmware rendered the SOHO devices "permanently inoperable," forcing the ISP to replace them to restore internet connectivity. Security researchers have known about the Chalubo RAT since 2018. The malware has advanced features such as encrypted communications, DDoS capabilities, and custom Lua script execution.