Mysterious Malware Attack Destroys 600 Routers On One ISP In 72 Hours
Last Halloween, thousands of customers of U.S. broadband provider Windstream began complaining online that their routers had simply stopped working. At the time, Windstream (one of the worst ranked ISPs in the country) sent users replacement routers, but couldn’t be bothered to transparently inform customers what was happening.
More than half a year later and Ars Technica points to a belated explanation of the incident by Lumen Technologies’ Black Lotus Labs. Dubbing it the “Pumpkin Eclipse,” security researchers found that over a 72-hour period beginning on October 25, malware infected more than 600,000 routers connected to a single autonomous system number (ASN) belonging to Windstream.
Neither the culprit nor the motivation has been identified, but the researchers note the outage impacted the kind of folks who already tend to have substandard broadband access:
“Destructive attacks of this nature are highly concerning, especially so in this case. A sizeable portion of this ISP’s service area covers rural or underserved communities; places where residents may have lost access to emergency services, farming concerns may have lost critical information from remote monitoring of crops during the harvest, and health care providers cut off from telehealth or patients’ records. Needless to say, recovery from any supply chain disruption takes longer in isolated or vulnerable communities.”
The report doesn’t highlight this fact, but another recent report by the American Consumer Satisfaction Index found that Windstream has among the lowest customer satisfaction ratings of all U.S. broadband providers. Not only that, Windstream’s score (the company sees little competition and therefore has little incentive to try) dropped 20% to 56, lower than nearly any company in any industry in America.
In other words, U.S. telecom monopolization and consolidation not only results in spotty coverage, slow speeds, terrible customer support, and high prices, it can help cultivate an additional security risk. The full Ars Technica analysis of the unique aspects of the attack is worth a read, though Windstream’s lack of meaningful transparency into the incident remains curiously under-stated.
It’s still not clear who launched the attack or what their motivation was (disgruntled employee? ransomware campaign? state-sponsored chaos agent?), and Windstream doesn’t seem interested in shedding any more light on the incident, in part because feckless regulatory oversight and muted competition don’t really give them any meaningful incentive to.


Comments on “Mysterious Malware Attack Destroys 600 Routers On One ISP In 72 Hours”
Title correction: Mysterious Malware Attack Destroys 600,000 Routers On One ISP In 72 Hours
“We had a network intruder”
(Real reason: We were experimenting with off the shelf spyware so we can sell more personal data to companies and make more money off of you)
Here's a possible explanation
This is a theory based on observation, circumstantial evidence, and decades of Internet operational security experience.
I don’t think this attack was directed at Windstream’s customers: anyone who could do this could have done far more damaging things to them with little additional effort.
And I don’t think it was directed at users of that specific router – because end user router makes/models are scattered all over the Internet.
I think it was directed at Windstream themselves. Why? Lots of ISPs (e.g. Charter, Verizon, AT&T, Spectrum, Comcast, etc.) do a bad job of controlling outbound abuse and attacks from their network. But Windstream is markedly worse.
And I think someone had finally had enough of this nonsense.
Keep in mind that it is the responsibility of everyone who runs an Internet-connected system or network, no matter how tiny or enormous, to ensure that it’s not a source of abuse/attacks directed at everyone else. It’s always been. And people who choose not to do this leave their victims with two choices: (1) do nothing (2) do something.
So my hunch is that somebody chose (2). I don’t agree with what they did, but it’s not hard for me to imagine someone so frustrated and exasperated with Windstream’s incompetence and laziness that they thought it was a good idea. And I further think that the reason Windstream isn’t being transparent about this is that they know this, and they don’t want to face uncomfortable questions about why they’re so miserably bad at running a network.
Re:
My mental drift net isn’t giving me more detail, but as I remember Windstream was involved in many of the copyright troll cases.
I could imagine a scenario where the cheap routers were allowing for people to face allegations because their system is so crappy it was IDing the wrong people & someone finally got fed up with a relative being accused wrongly.
Mind you this is all conjecture because my brain won’t recall much more about Windstream.
Re:
This is my way of thinking as well.
Trick was the target, customers were given an umbrella.
Makes me wonder if someone was doing something like
https://samcurry.net/hacking-millions-of-modems
but picked the wrong malware, and/or failed to be targeted.
Of course, they could have also wanted to brick a lot of devices but couldn’t carry it out elsewhere. Or sure, they could just be pissed at Windstream… or all of its customers?
If these rural customers voted for Republicans, they voted for “feckless regulatory oversight and muted competition”. The real, root cause is decades of billionaire propaganda that they should be allowed to do whatever they want and making people more scared of “government overreach” than unaccountable corporations, coupled with taking advantage of the ignorance, prejudice, isolation, and disconnection of rural areas.
Worse than Comcast?! No way!
I have an opinion...
And so I think I opined on Masto.
I work in InfoSec (Gray shade of blue) which is less important in this context than I’m also a Disgruntled US Broadband Customer (aren’t we all).
I Swear this Feels like a Red Hit from a brother/sister/&c. that was just really finally pissed off.
I submit:
* Super bad ISP.
* Old/Janky routers, zero shits given by ISP. Assume default ACLs or known keys, ad nauseam, and zero updates. The usual.
* $Entity moves to region. Connection sucks, they explore and are horrified. <= Here’s your OhDay.
* They raise concerns, rebuffed.
* $Entity stews a few days, decides “Responsible Disclosure” is a suckers game (see, Bad ISP)
* Weaponize, Deploy.
Goals achieved:
* Force Massive hardware updates for All Customers by Burning the routers? Not hijacking them for a bot net? That’s… curious.
* On the TelCo dime (this would be a huge entertainment bonus and righteous hit).
* And bring Media Attention to the Problem (Point and match).
This was “Team Member” that someone at the ISP Really pissed off.
Finally, I submit that no Actor has claimed credit.
This was a surgical strike, it was Flawless (gleeee), it was a Hyper Irritated InfoSec (capable) Geek that had really just had it that day and threw a punch.
Worked.
This gives me Joy.
Can’t prove it, giving me more joy.
I know Windstream gets shit on a lot, but I have their FTTH Kinetic at my place in the burbs of Pittsburgh (35min from downtown), 500mb sync for 75/mo, and I see 800mb speeds regularly. Rare for an outage also. I opted to not use their rental router, and run my own MikroTik box. I don’t recall any outages around last Halloween.
Re:
You’re using your own box. Which can’t be accessed by ISP admin software.