Mystery miscreant remotely bricked 600,000 SOHO routers with malicious firmware update

Unknown miscreants broke into more than 600,000 routers belonging to a single ISP late last year and deployed malware on the devices before totally disabling them, according to security researchers. The cyber attack, which wasn't reported at the time, took place over a 72-hour period between October 25 and 27, 2023. It " …

  1. Joe W Silver badge

    unhappy security researcher?

    OK, here's my theory hypothesis idea:

    A security researcher (let's call them "Sam") found a vulnerability that they reported to the ISP or the router manufacturer. Those did not respond, or probably told Sam to just f* off.

    Sam was displeased, and wanted to protect the customers of the ISP from their home networks being broken into. By disabling the routers the ISP at least had to spring for new ones.

    I support those activities, also because my soon-to-be-ex-ISP has a stupid unreliable router and basically no customer support. F' them.

    1. Anonymous Anti-ANC South African Coward Silver badge

      Re: unhappy security researcher?

      I tend to concur with this idea.

      The RAT was first installed to enable the loading of the payload used to brick the routers. Most devices do checking on firmware upgrades to make sure it is the correct firmware upgrade, and the RAT simply disabled that specific function (or overruled it).

      This is what any good BOFH will do with any unauthorized device on his LAN. Simply brick it without warning. Muhuhahaha.

      1. Lurko

        Re: unhappy security researcher?

        Another theory might be the direct or indirect actions of an aggrieved party who lost out in the Windstream bankruptcy. Although Windstream went bust back in 2020, it was last year that the dust finally settled and the company exited from its Chapter 11 purgatory. There was $4bn in debt written off through Chapter 11, and whilst most would be institutional, it's a certainty that some employees, contractors and suppliers lost out.

        1. Doctor Syntax Silver badge

          Re: unhappy security researcher?

          This sounds more convincing. Only one ISP's network affected. An ISP that has financially burned a number of people, probably some with sufficient technical nous to pull this one off.

    2. Alan Brown Silver badge

      Re: unhappy security researcher?

      Or someone was aiming to hurt a particular telco for commercial advantage

      Who's the competition in the area

      1. Anonymous Coward

        Re: unhappy security researcher?

        Or unhappy ex-staffer

    3. Anonymous Coward

      Re: unhappy security researcher?

      I know for a fact that CenturyLink has the remote administration port on their modem/routers exposed to the internet; I confirmed this myself with an external port scan. They're ActionTec devices. I tried reporting this as a vulnerability, but their tech "support" heard "port" and all they know about is port forwarding. They couldn't understand that this involved a port that wasn't related to port forwarding.

      I *think* I managed to mess up the settings enough to make it impossible for them to log into the modem/router and reconfigure it. But I ditched them as my ISP almost 2 years ago and haven't powered up the modem/router since; I definitely wasn't behind this attack!

  2. David Newall

    Rewritten firmware

    I noticed a graph in the report showing a 250,000 increase in "other" when Sagemcom dropped by 600,000. Seems possible to me that a large number of victims have no idea.

  3. Richard 12 Silver badge
    Facepalm

    Attack gone wrong?

    Surely the most probable reason is that they were trying to take them over but didn't test it properly before shipping.

    It seems odd to assume malware is perfect.

    1. Blazde Silver badge

      Re: Attack gone wrong?

      Yup. They're not even sure there was a firmware update, so I don't see how they can divine the motive and have "high confidence that the malicious firmware update was a deliberate act intended to cause an outage".

      The ISP is apparently not talking, so there are even less malicious scenarios like: "ISP decided to replace old routers rather than talk customers through a complex disinfection". A crap router is what, $20? to an ISP, and that's maybe 20 minutes of typical call centre cost, and more importantly they don't have call centre capacity to service 600k customers quickly anyway. Or "Manufacturer deployed firmware in response to the original attack and that bricked the routers"? There are numerous possibilities.

  4. Anonymous Coward
    Terminator

    Remote control router ..

    Most ISPs have remote access to your router, which is why I replaced the default image with my own.

    1. Doctor Syntax Silver badge

      Re: Remote control router ..

      I replaced the default router with my own.

  5. sitta_europea Silver badge

    "It's been speculated that Arkansas-based Windstream was the victim ..."

    Six hundred thousand routers get bricked and we're SPECULATING who supplied them?

    "... the ISP declined to comment when approached by The Register."

    Well if it was me and my business, and it wasn't me, I'd say "It wasn't me". So I guess that's pretty conclusive.

  6. Anonymous Coward

    Lots of questions, notably.......

    ......were all 600,000 customer routers hacked from a central point? Say (unknowingly) by a hack on the ISP?

    ......or did the bad guys just build a (big) list using Shodan?

    ......or, more worrying yet, maybe nobody knows how it was done!!!

    1. irrelevant

      Re: Lots of questions, notably.......

      Probably pretty easy to just iterate over the various IP ranges allocated to the ISP, see what responds to your attack.

      1. Anonymous Coward
        Joke

        Re: Lots of questions, notably.......

        > Probably pretty easy to just iterate over the various IP ranges allocated to the ISP, see what responds to your attack.

        Using that commie open-source hacking tool known as NMAP.

        1. MonkeyJuice Bronze badge

          Re: Lots of questions, notably.......

          Steady there, Neo.

  7. Rich 2 Silver badge

    The answer is obvious

    Keep your router disconnected from the internet. That’ll stop ‘em infecting it!!

    1. Throatwarbler Mangrove Silver badge
      Thumb Up

      Re: The answer is obvious

      This is not the worst idea. One way to reduce the attack opportunity on a router would be to have it sleep or disable the WAN uplink port when not in use by internal devices (or according to schedule or whatever). Doing so would create the possibility that the router would simply be unavailable to an attacker when an attack was attempted.

      1. I could be a dog really Silver badge

        Re: The answer is obvious

        These days, not all that many people would benefit from that.

        First, let's ignore people like myself that run our own servers and hence need inbound traffic to work.

        Now, of those left, how many have zero devices that will keep the connection up? Devices such as Alexa - that's going to be a lot. "Smart" TVs - another large chunk. Home automation stuff like Ring or Nest - another big chunk. All these will be quite chatty with their cloud servers in order to work, so would keep your internet up more or less all the time. I think the days of only connecting when YOU are using the internet are long gone for most homes.

        Also, consider that many service providers (or the underlying technology provider such as BT OpenReach here in the UK) will see a router go offline and assume it's a line problem. On xDSL lines from OpenRetch, if you keep turning the router off then their systems will assume a line problem and dial down the speed (use fewer bits/bin, maybe drop the higher frequency bins altogether, in an attempt to make your line more stable) - and so your line speed will drop.

      2. Anonymous Coward

        Re: The answer is obvious

        I used to work for an electronics manufacturer. We had a customer come to us to help develop a product that would physically power down a SOHO router for exactly the purpose you described.

        His design used a cheap smartphone from China* as the controller. You'd have both a WiFi and cellular connection on the phone so that you could manage your "security" locally or remotely.

        The other thing is, with how efficient botnets are at spreading malware, a few hours offline isn't much of a defence.

        *Now I'm not trying to say that all tech from China is suspect, but a $20 smartphone from an unknown manufacturer in China is a few more degrees of suspicious than say a Lenovo laptop.

        1. Roland6 Silver badge

          Re: The answer is obvious

          > but a $20 smartphone from an unknown manufacturer in China is a few more degrees of suspicious than say a Lenovo laptop.

          But for a SOHO router, the final product is going to have to be sub $100 retail and fit into a small case, potentially achievable with a $20 compute platform, but not with a laptop.

          The interesting aspect to the $20 phone would be that it was probably not running Google Play Store Android, and may actually be unlocked, enabling the installation of your own OS…

  8. StrangerHereMyself Silver badge

    Damage

    600,000 routers having been bricked means about $60 million in damages, maybe less? I doubt most ISPs will lose much sleep over this. They'll replace the routers and move on with their day to day business.

    1. I could be a dog really Silver badge

      Re: Damage

      Pop new ones in the post, apologise to the customer (note the singular) that their router has suffered an isolated failure (no other users were affected), and point out that the new router is better and more modern so you are benefitting from their generosity. Isn't that how to spin it!

    2. NickHolland

      Re: Damage

      Except... how many ISPs keep $60 million in routers sitting on the shelf ready for swap-out? Or the staff to distribute that many quickly?

      I'm still trying to figure out how 600,000 people fell off the Internet and no one noticed.

        1. Anonymous Coward

        Re: Damage

        ISPs are not monitoring for your uptime. If there is a problem you have to inform them.

        An ISP bricking a device is not unheard of and is likely much more common than we know.

        1. Doctor Syntax Silver badge

          Re: Damage

          "An ISP bricking a device is not unheard of and is likely much more common than we know."

          Mine partially bricked their router for me by disabling the administrative login from the LAN side. As I had allocated part of the DNS range for fixed IP/MAC mapping I discovered that the hard way - I couldn't revise or extend it for replaced devices.

          Replaced it because, apart from anything else, leaving an admin port open exposed it to those even less trustworthy than the ISP who did this.

      2. Paul Crawford Silver badge
        Trollface

        Re: Damage

        "I'm still trying to figure out how 600,000 people fell off the Internet and no one noticed."

        Oh I am sure PornHub noticed :)

  9. Postscript

    update?

    Are we sure it wasn't just a botched firmware update from the vendor? "Hackers did it!"
