Posted on November 30, 2018 at 12:01 PM
Hackers Use Old NSA Exploit to Attack Millions of Devices
A recent announcement by cybersecurity researchers, published Wednesday, claims that a new hacking campaign has already compromised over 45,000 internet routers. The attack used against these devices is called EternalBlue. It was originally created by the NSA (National Security Agency) but was then stolen from it. Now, there is a campaign that is opening networks to this attack.
The attack uses old vulnerabilities to penetrate routers’ defenses. Routers with vulnerable implementations of Universal Plug and Play can be forced to open two ports, 139 and 445. By doing so, attackers gain access not only to the hacked routers but also to millions of other devices that are connected to them.
For now, it is still unclear what happens to exposed devices. However, according to Akamai’s blog post, the ports being opened provide a strong hint about what the attackers want. So far, the conclusion is that these attacks are only a new instance of the same mass exploitation that was previously observed and documented in April of this year.
Back then, researchers named it UPnProxy because it exploits Universal Plug and Play (UPnP). The “proxy” in UPnProxy comes from the fact that vulnerable routers are used as proxies that mask the origins of botnets, spam, and DDoS attacks.
Akamai researchers have also identified a new instance, which they named EternalSilence. According to their report, EternalSilence injects additional commands into routers that have the previously mentioned vulnerability. These injections were observed to carry descriptions such as “Skype”.
The exploit misuse continues
This report is only the latest in a series of UPnP-related news. UPnP is a protocol created to connect devices easily, help them discover each other, and open ports when there is a genuine need to be reachable from the internet.
The first reports indicating that something was wrong arrived around two weeks earlier, when a separate research team found that UPnP vulnerabilities were being exploited. As a result, a botnet of around 100,000 routers was uncovered. The botnet was used for sending spam emails carrying malicious content.
Most of these vulnerabilities, and possibly all of them, have been publicly known for around five years, having first been discovered in 2013. That was when an internet-wide scan found that around 81 million IPv4 addresses respond to ordinary UPnP discovery requests, even though the standard is not supposed to communicate with devices outside the local network.
There is also the issue of EternalBlue, an attack tool created by the NSA. It was stolen in April 2017 by a group of hackers named the Shadow Brokers. Only one month later, the attack was found to be part of the WannaCry ransomware, which infected computers all around the world within a single weekend. It hit hospitals, train stations, shipping firms, and more. That was only the start: a month after that, a disk wiper known as NotPetya also used EternalBlue to carry out its own attacks.
Of course, there are fixes for EternalBlue and EternalRed. However, not everyone has applied them, which has left many networks vulnerable, though not all of them. Not applying the patch does not necessarily mean a network is vulnerable by default, but to be properly protected it needs adequately restricted ports so that exploits cannot spread.
Akamai researchers believe the reason these attacks are happening now is an attempt to reach devices that are otherwise too well protected. In other words, researchers have not been able to confirm any specific target; attackers are simply trying different networks, hoping some of them will provide an easy way in. This can be prevented by buying new hardware and ensuring that old devices are properly updated. If a router is already infected, it should be rebooted or reset to factory settings to clear the port forwarding injections.
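A defender-side check for the injected mappings described above (internal ports 139 and 445 behind innocuous labels such as “Skype”) and for the UPnProxy relay pattern, where a router forwards to a host outside its own LAN. This is an added example, not code from the article or from Akamai: it parses the GetGenericPortMappingEntry replies a UPnP IGD router returns and flags suspicious entries. The SOAP action and New* field names follow the UPnP WANIPConnection service; the sample values below are constructed, not captured traffic.

```python
import ipaddress
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}  # the ports the article says injected mappings expose
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_port_mapping(soap_xml):
    """Return the New* fields of a GetGenericPortMappingEntryResponse as a dict."""
    fields = {}
    for elem in ET.fromstring(soap_xml).iter():
        local = elem.tag.rsplit("}", 1)[-1]  # drop any XML namespace
        if local.startswith("New"):
            fields[local] = (elem.text or "").strip()
    return fields

def audit(mapping):
    """List why a mapping looks like a UPnProxy/EternalSilence injection (empty = clean)."""
    client, iport = mapping["NewInternalClient"], int(mapping["NewInternalPort"])
    reasons = []
    if iport in SMB_PORTS:
        reasons.append(f"exposes SMB port {iport} on {client}")
    if not any(ipaddress.ip_address(client) in net for net in LAN_NETS):
        reasons.append(f"forwards to non-LAN host {client} (proxy pattern)")
    return reasons

def audit_all(responses):
    """Map (external port, protocol) -> reasons for every suspicious entry."""
    findings = {}
    for xml in responses:
        m = parse_port_mapping(xml)
        if reasons := audit(m):
            findings[(int(m["NewExternalPort"]), m["NewProtocol"])] = reasons
    return findings

# Shape of a WANIPConnection GetGenericPortMappingEntry reply; values are filled in below.
SOAP_TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

# Constructed sample entries (not captured traffic): a legitimate console mapping,
# one exposing SMB on a LAN host with an innocuous label, one relaying to an outside host.
SAMPLE_RESPONSES = [
    SOAP_TEMPLATE.format(ext=3074, proto="UDP", iport=3074, client="192.168.1.20", desc="Xbox"),
    SOAP_TEMPLATE.format(ext=47123, proto="TCP", iport=445, client="192.168.1.10", desc="Skype"),
    SOAP_TEMPLATE.format(ext=8080, proto="TCP", iport=80, client="203.0.113.5", desc="Skype"),
]
```

In practice the replies come from walking the router’s IGD control URL with increasing NewPortMappingIndex values; any flagged entry is a reason to reboot or factory-reset the device as the article advises.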