• zelifcam@lemmy.world · 135 up / 3 down · edited · 1 month ago

    Mystery malware destroys 600,000 routers

    “Mystery”

    The actor took deliberate steps to cover their tracks by using commodity malware known as Chalubo, rather than a custom-developed toolkit. A feature built into Chalubo allowed the actor to execute custom Lua scripts on the infected devices. The researchers believe the malware downloaded and ran code that permanently overwrote the router firmware.

    So… not a “mystery.”

    Proper headline: “Commodity malware known as Chalubo infected 600k routers from the ISP Windstream.”

    • subtext@lemmy.world · 44 up / 11 down · 1 month ago

      It’s possible the “mystery” they refer to could be related to the identity of the hacker(s), how it got onto the routers in the first place, or the purpose of the attack.

      • zelifcam@lemmy.world · 22 up / 12 down · 1 month ago

        The headline reads: “Mystery malware …”

        Not sure what you’re on about.

          • zelifcam@lemmy.world · 7 up · edited · 1 month ago

            The second unique aspect is that this campaign was confined to a particular ASN. Most previous campaigns we’ve seen target a specific router model or common vulnerability and have effects across multiple providers’ networks. In this instance, we observed that both Sagemcom and ActionTec devices were impacted at the same time, both within the same provider’s network. This led us to assess it was not the result of a faulty firmware update by a single manufacturer, which would normally be confined to one device model or models from a given company.

            Our analysis of the Censys data shows the impact was only for the two in question. This combination of factors led us to conclude the event was likely a deliberate action taken by an unattributed malicious cyber actor, even if we were not able to recover the destructive module.

            “Mystery” is a term I’d use if there was no explanation for how something could have happened. They are pretty sure they know what and how. They just don’t have proof. Either way, I’ve already spent more time on this thread than it deserves. Take care.

        • Odelay42@lemmy.world · 18 up / 13 down · 1 month ago

          You possess extremely niche knowledge. Being catty because the headline doesn’t suit your preferences comes off as fairly rude and pretentious. Good for you for understanding that the headline is misleading, but there are more relatable ways to say that.

      • BearOfaTime@lemm.ee · 6 up / 7 down · 1 month ago

        “mystery malware”

        The article clarifies the name of the malware.

        Clickbait BS. Why are you being disingenuous?

        • subtext@lemmy.world · 9 up / 1 down · 1 month ago

          Your reply reads to me as if you’re calling me disingenuous, which I can’t for the life of me understand. I’m not the author. I offered a possible explanation.

      • Max-P@lemmy.max-p.me · 9 up · 1 month ago

        OpenWRT uses Lua for its web UI. The interpreter can be really small which works well for tiny embedded devices with mere megabytes of storage, and it’s much safer than writing a web GUI entirely in C.

        • StarDreamer@lemmy.blahaj.zone · 2 up · 1 month ago

          Yeah, I completely forgot about the consumer side of things. I was expecting there to be Cisco IOS/FRR router configs, not a full web dashboard.

      • redcalcium@lemmy.institute · 2 up · 1 month ago

        I imagine the malware binary includes a Lua interpreter for executing scripts fetched from its command and control server.
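Max-P’s and redcalcium’s comments both turn on the same point: a Lua runtime is small enough to ship inside firmware or inside a malware binary, and a statically linked one leaves recognisable traces. The following triage helper is an added example written for this page; it is not code from the thread, from the Chalubo analysts, or from the Chalubo sample itself. It checks a blob for two indicators that are part of Lua’s own format and source: the precompiled-chunk header (ESC `Lua` followed by a version byte) and the `$Lua: Lua …` version banner plus a few C API symbol names. The marker list, the "two or more markers" threshold and the sample bytes are all my constructions, not observed Chalubo artefacts.

```python
"""Triage helper: does a firmware image or malware sample carry an embedded Lua
interpreter and/or precompiled Lua chunks?  Added example, not from the thread."""
import re
from typing import Dict, List, Optional

# A precompiled Lua chunk starts with ESC 'L' 'u' 'a' followed by one version
# byte (0x51 = Lua 5.1, 0x52 = 5.2, 0x53 = 5.3, 0x54 = 5.4).
LUA_CHUNK_MAGIC = b"\x1bLua"
LUA_VERSION_BYTES = {0x51: "5.1", 0x52: "5.2", 0x53: "5.3", 0x54: "5.4"}

# Strings a statically linked Lua runtime normally carries: the lua_ident
# version banner plus a few C API symbol names.  The selection is mine.
LUA_INTERP_MARKERS = [
    b"$Lua: Lua ",
    b"lua_newstate",
    b"luaL_openlibs",
    b"luaL_loadbuffer",
    b"lua_pcall",
]


def find_lua_chunks(blob: bytes) -> List[Dict[str, object]]:
    """Return offset and Lua version of every precompiled chunk header in blob."""
    hits: List[Dict[str, object]] = []
    for m in re.finditer(re.escape(LUA_CHUNK_MAGIC), blob):
        off = m.start()
        ver: Optional[int] = blob[off + 4] if off + 4 < len(blob) else None
        hits.append({"offset": off, "version": LUA_VERSION_BYTES.get(ver, "unknown")})
    return hits


def find_interpreter_markers(blob: bytes) -> List[str]:
    """Return the interpreter marker strings that occur in blob."""
    return [m.decode("ascii") for m in LUA_INTERP_MARKERS if m in blob]


def assess(blob: bytes) -> Dict[str, object]:
    """Summarise the Lua indicators.  Two or more runtime markers is the
    (arbitrary) threshold used here for 'embeds an interpreter'."""
    chunks = find_lua_chunks(blob)
    markers = find_interpreter_markers(blob)
    return {
        "lua_chunks": chunks,
        "interpreter_markers": markers,
        "embeds_lua_interpreter": len(markers) >= 2,
        "contains_precompiled_lua": bool(chunks),
    }


# Constructed sample inputs (not real Chalubo bytes): a fake ELF-like binary
# that statically links Lua 5.1 and carries one precompiled chunk, and a
# benign shell script with no Lua indicators at all.
SAMPLE_LUA_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"$Lua: Lua 5.1.5 Copyright (C) 1994-2012 Lua.org, PUC-Rio $\x00"
    + b"lua_newstate\x00luaL_openlibs\x00luaL_loadbuffer\x00"
    + b"\x00" * 16
    + b"\x1bLua\x51\x00\x01\x04\x04\x04\x08\x00"  # Lua 5.1 chunk header
    + b"\x00" * 16
)
SAMPLE_BENIGN = b"#!/bin/sh\necho 'hello from a shell script'\n"

if __name__ == "__main__":
    for name, blob in (("lua_binary", SAMPLE_LUA_BINARY), ("benign", SAMPLE_BENIGN)):
        print(name, assess(blob))
```

Run it over an unpacked firmware image or a carved binary (`assess(open(path, "rb").read())`). Treat a hit as a reason to look closer, not as a verdict: a stripped or packed sample will drop the symbol names, and a legitimate OpenWRT image with LuCI will light up every marker for benign reasons, which is exactly why the thread notes that Lua on a router is unremarkable on its own.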