  Mass Router hack reveals millions of devices to powerful NSA exploit

More than 45,000 Internet routers have been compromised by a newly discovered campaign designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked onto the Internet at large, researchers said Wednesday.

The new attack exploits routers with vulnerable implementations of Universal Plug and Play to force connected devices to open ports 139 and 445, content delivery network Akamai said in a blog post. As a result, almost 2 million computers, phones, and other network devices connected to the routers are reachable from the Internet on those ports. While Internet scans don't reveal exactly what happens to the connected devices once they are exposed, Akamai said the ports, which are instrumental to the spread of EternalBlue and its Linux cousin EternalRed, give a strong hint of the attackers' intentions.

The attacks are a new instance of a mass exploitation that the same researchers documented in April. They called it UPnProxy because it abuses Universal Plug and Play, often abbreviated UPnP, to turn vulnerable routers into proxies that disguise the origin of spam, DDoSes, and botnets. In Wednesday's blog post, the researchers wrote:

Based on current information and events, Akamai researchers believe that someone is trying to compromise millions of machines living behind vulnerable routers by leveraging the EternalBlue and EternalRed exploits.

Unfortunately, Akamai researchers are unable to see what happens after the injections have occurred; they can see only the injections themselves and not the final payloads that would be directed at the exposed machines. A successful attack could, however, provide a target-rich environment, opening up the chance of such things as ransomware attacks or a sustained foothold in the network.

Currently, 45,113 routers with confirmed injections expose a total of 1.7 million unique machines to attackers. We have reached this conclusion by logging the number of unique IP addresses being exposed per router and then adding them up. It is difficult to tell if these attempts led to a successful exposure, as we do not know if a machine was assigned to the IP at the time of injection. Additionally, there is no way to tell if EternalBlue or EternalRed were used to compromise the exposed machine. But if only a fraction of the potentially vulnerable systems were successfully compromised and fell into the hands of the attackers, the situation would quickly turn from bad to worse.

The new campaign, which Akamai researchers have dubbed EternalSilence, injects commands into vulnerable routers that open ports on connected devices. Legitimate injections often carry a description such as "Skype". EternalSilence injections use the description "Galleta Silenciosa" ("Silent Cookie/Cracker" in Spanish). The injections look like this:

[Image: A sample of EternalSilence injections found on a single router. Credit: Akamai]
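As an added, defender-side example (not code from the Akamai post or this article): a small Python audit that parses the port-mapping entries a UPnP IGD router returns for the WANIPConnection GetGenericPortMappingEntry action and flags any entry that carries the "Galleta Silenciosa" description or forwards Internet traffic to TCP 139/445 on a LAN host. The function names, the SOAP bodies and the addresses are all constructed for the example; a real audit would fetch each entry from the router's control URL instead of building it locally.

```python
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}                           # what EternalBlue/EternalRed need reachable
KNOWN_BAD_DESCRIPTIONS = {"galleta silenciosa"}  # EternalSilence mapping description

def igd_response(ext_port, proto, int_port, client, description):
    # One GetGenericPortMappingEntryResponse shaped like an IGD router's SOAP reply (constructed).
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{description}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse>'
        '</s:Body></s:Envelope>'
    )

# Constructed mapping table: a legitimate Skype entry plus two EternalSilence-style injections.
SAMPLE_RESPONSES = [
    igd_response(3074, "UDP", 3074, "192.168.1.10", "Skype"),
    igd_response(47889, "TCP", 445, "192.168.1.20", "galleta silenciosa"),
    igd_response(47890, "TCP", 139, "192.168.1.21", "galleta silenciosa"),
]

def parse_mapping(xml_text):
    # IGD argument elements are unqualified, so a plain tag search ignores the SOAP prefixes.
    root = ET.fromstring(xml_text)
    text = lambda tag: (root.findtext(f".//{tag}") or "").strip()
    return {
        "external_port": int(text("NewExternalPort")),
        "protocol": text("NewProtocol"),
        "internal_port": int(text("NewInternalPort")),
        "internal_client": text("NewInternalClient"),
        "description": text("NewPortMappingDescription"),
    }

def suspicious_reasons(m):
    # Why a mapping looks like a UPnProxy/EternalSilence injection (empty list if clean).
    reasons = []
    if m["description"].lower() in KNOWN_BAD_DESCRIPTIONS:
        reasons.append("description matches EternalSilence marker")
    if m["protocol"] == "TCP" and m["internal_port"] in SMB_PORTS:
        reasons.append(f"exposes SMB port {m['internal_port']} of a LAN host to the Internet")
    return reasons

def audit_mappings(responses):
    return [(m, suspicious_reasons(m)) for m in map(parse_mapping, responses)]

def exposed_hosts(responses):
    return {m["internal_client"] for m, reasons in audit_mappings(responses) if reasons}
```

The `exposed_hosts` count per router is the same quantity Akamai summed across routers to arrive at its 1.7 million figure; any flagged entry is grounds for the factory reset the article recommends.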

A plague called UPnP

Wednesday's post is just the latest in a string of news involving UPnP, a protocol designed to make it easy for connected devices to interoperate by letting them automatically discover each other and open the ports needed to connect to the wider Internet. Two weeks ago, a separate team of researchers reported that UPnP flaws were being exploited to build a 100,000-router botnet used to send spam and other malicious email. Most if not all of the exploited vulnerabilities have been public knowledge since 2013, when an Internet-wide scan found 81 million IPv4 addresses responding to standard UPnP discovery requests, even though the standard is not supposed to communicate with devices outside a local area network.

EternalBlue is an attack developed and used by the NSA that exploits Server Message Block implementations in Vista and all later versions of Windows. In April 2017, a mysterious group calling itself the Shadow Brokers made the attack code available to the world at large. A month later, EternalBlue was folded into WannaCry, a fast-spreading ransomware worm that crippled hospitals, shipping companies, and train stations around the world. A month after that, the disk wiper NotPetya also used EternalBlue as an engine for extremely rapid self-replication.

While fixes for EternalBlue and EternalRed have been available for more than a year, some organizations have still not installed them. A missing patch does not automatically mean a network is vulnerable: if the ports are sufficiently restricted, the exploits cannot spread. Akamai researchers say the new attacks are most likely an opportunistic attempt to open devices to attacks they would otherwise be resistant to.

"The goal here is not a targeted attack," they wrote. "It's an attempt to leverage tried-and-true off-the-shelf exploits, casting a wide net into a relatively small pond, hoping to create a pool of previously unavailable devices."

To prevent attacks, people should ensure their routers aren't exposed to UPnP attacks, either by buying newer hardware or by making sure older devices are running updated firmware. Once a router has been exploited by UPnProxy, the device should be restarted or, even better, reset to its factory settings to ensure that the injected port forwarding is cleared. People with compromised routers should also thoroughly inspect connected devices to ensure they haven't been infected.
