More than 45,000 Internet routers have been compromised by a recently discovered campaign designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers said Wednesday.
The new attack utilizes routers with vulnerable implementations of Universal Plug and Play to force connected devices to open ports 1
Based on the information currently available, Akamai researchers believe that someone is trying to compromise millions of machines sitting behind vulnerable routers by exploiting the EternalBlue and EternalRed vulnerabilities.
Unfortunately, the Akamai researchers cannot see what happens after the injections have occurred; they see only the injections themselves, not the final payloads aimed at the exposed machines. A successful attack can, however, create a target-rich environment that opens the door to things such as ransomware attacks or a sustained foothold in the network.
Currently, 45,113 routers with confirmed injections expose a total of 1.7 million unique machines to attackers. We reached this conclusion by logging the number of unique IP addresses exposed per router and then adding them up. It is difficult to tell whether these attempts led to a successful exposure, as we do not know whether a machine was assigned to the IP at the time of injection. Additionally, there is no way to tell whether EternalBlue or EternalRed was used to compromise the exposed machine. But if even a fraction of the potentially vulnerable systems were successfully compromised and fell into the hands of the attackers, the situation would quickly turn from bad to worse.
The new campaign, which Akamai researchers have called EternalSilence, injects commands into vulnerable routers that open ports on connected devices. Legitimate injections often carry a description such as "Skype". EternalSilence injections use the description "Galleta Silenciosa" – "Silent Cookie / Cracker" in Spanish. Injections look like this:
A plague called UPnP
Wednesday's post is only the latest in a string of recent news involving UPnP, a protocol designed to make connected devices easy to operate by letting them automatically discover each other and open the ports needed to reach the wider Internet. Two weeks ago, a separate team of researchers reported that UPnP flaws were being exploited to build a 100,000-router botnet used to send spam and other malicious e-mail. Most if not all of the exploited vulnerabilities have been public knowledge since 2013, when an Internet-wide scan found that 81 million IPv4 addresses answered standard UPnP discovery requests, even though the standard is not supposed to communicate with devices outside a local area network.
EternalBlue is an attack developed and used by the NSA that exploits server message block implementations in Vista and all later versions of Windows. In April 2017, a mysterious group calling itself the Shadow Brokers made the attack code available to the world at large. A month later, EternalBlue was folded into WannaCry, a fast-spreading ransomware worm that crippled hospitals, shipping companies and train stations around the world. A month after that, the NotPetya disk wiper also used EternalBlue as an engine for extremely rapid self-replication.
While patches for EternalBlue and EternalRed have been available for more than a year, some organizations have still not installed them. A missing patch does not automatically mean that a network is vulnerable: if the relevant ports are sufficiently restricted, the exploits cannot spread. Akamai researchers say the new attacks are probably an opportunistic attempt to open devices to attacks they would otherwise be resistant to.
"The goal here is not a targeted attack," they wrote. "It's an attempt to exploit tried-and-true off-the-shelf exploits, casting a wide net into a relatively small pond, hoping to create a pool of previously unavailable devices."
To prevent attacks, people should ensure that their routers are not exposed to UPnP attacks, either by purchasing new hardware or by making sure the older device is running updated firmware. Once a router has been exploited by UPnProxy, devices should be restarted or, better still, reset to their factory settings to ensure that the port forwarding is cleared. People with compromised routers should also thoroughly inspect connected devices to ensure they have not been infected.
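The article describes injected port mappings that carry a telltale description ("Galleta Silenciosa") and advises inspecting exploited routers. The following is an added defender-side example, not code from the article or from Akamai: it parses the SOAP responses a UPnP Internet Gateway Device returns for GetGenericPortMappingEntry (the standard WANIPConnection action for enumerating mappings) and flags entries that match the description reported in the article, that forward to SMB ports (139/445, the services EternalBlue and EternalRed target; a well-known fact rather than a value from the page), or that point at an "internal client" outside the router's LAN, which is how a UPnProxy-style forward looks. The three responses, the LAN prefix 192.168.1.0/24 and all addresses and ports in them are constructed sample data.

```python
"""Audit UPnP IGD port-mapping entries for signs of EternalSilence / UPnProxy injection."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Description string the article reports for EternalSilence injections (matched case-insensitively).
ETERNALSILENCE_DESC = "galleta silenciosa"
# SMB ports: EternalBlue (Windows SMB) and EternalRed (Samba) attack these services.
SMB_PORTS = {139, 445}
# Assumed LAN of the router being audited; a legitimate mapping should point into this subnet.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
# Argument elements of a GetGenericPortMappingEntryResponse as defined by WANIPConnection.
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewPortMappingDescription")


@dataclass
class Mapping:
    remote_host: str
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    description: str
    findings: list = field(default_factory=list)


def parse_mapping(soap_xml: str) -> Mapping:
    """Extract one port mapping from a SOAP response, ignoring XML namespaces."""
    root = ET.fromstring(soap_xml)
    values = {}
    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]
        if local_name in FIELDS:
            values[local_name] = (elem.text or "").strip()
    return Mapping(
        remote_host=values.get("NewRemoteHost", ""),
        external_port=int(values["NewExternalPort"]),
        protocol=values.get("NewProtocol", ""),
        internal_port=int(values["NewInternalPort"]),
        internal_client=values.get("NewInternalClient", ""),
        description=values.get("NewPortMappingDescription", ""),
    )


def audit_mapping(m: Mapping) -> Mapping:
    """Attach a finding for each indicator of an injected mapping."""
    if ETERNALSILENCE_DESC in m.description.lower():
        m.findings.append("description matches EternalSilence marker")
    if m.internal_port in SMB_PORTS:
        m.findings.append(f"exposes SMB port {m.internal_port} to the Internet")
    try:
        if ipaddress.ip_address(m.internal_client) not in LAN_NET:
            m.findings.append("internal client is outside the LAN (UPnProxy-style forward)")
    except ValueError:
        m.findings.append("internal client is not a valid IP address")
    return m


def audit_responses(responses):
    """Parse and audit a list of SOAP responses; returns one Mapping per response."""
    return [audit_mapping(parse_mapping(r)) for r in responses]


def _entry(remote, ext_port, proto, int_port, client, desc):
    # Builds a constructed GetGenericPortMappingEntry response in the shape an IGD returns.
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
  s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost>{remote}</NewRemoteHost>
      <NewExternalPort>{ext_port}</NewExternalPort>
      <NewProtocol>{proto}</NewProtocol>
      <NewInternalPort>{int_port}</NewInternalPort>
      <NewInternalClient>{client}</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>{desc}</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:GetGenericPortMappingEntryResponse>
  </s:Body>
</s:Envelope>"""


# Constructed samples: one legitimate mapping, one resembling an EternalSilence
# injection, and one forwarding to a host that is not on the LAN at all.
SAMPLE_RESPONSES = [
    _entry("", 54321, "UDP", 54321, "192.168.1.20", "Skype"),
    _entry("", 47621, "TCP", 445, "192.168.1.30", "galleta silenciosa"),
    _entry("", 47622, "TCP", 8080, "203.0.113.5", ""),
]

if __name__ == "__main__":
    for m in audit_responses(SAMPLE_RESPONSES):
        status = "SUSPICIOUS" if m.findings else "ok"
        print(f"{status:10} {m.protocol} {m.external_port} -> {m.internal_client}:{m.internal_port}"
              f" '{m.description}' {m.findings}")
```

On a real router the same parser would be fed the responses of successive GetGenericPortMappingEntry calls (NewPortMappingIndex 0, 1, 2, ... until the device returns an error), and any flagged entry is a reason to follow the article's advice: reboot or factory-reset the router so the mapping is cleared, update its firmware, and inspect the host the mapping pointed at.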