Hackers find stolen NSA exploit useful again, compromising tens of thousands of routers




Photo: AP

A Microsoft exploit, made public last year after being stolen from the National Security Agency, has been used by hackers to compromise more than 45,000 Internet routers, according to researchers.

Akamai, a cloud service provider and content delivery network, said in a blog post Thursday that tens of thousands of routers had been compromised by attackers targeting vulnerable implementations of UPnP (Universal Plug and Play), a widely used protocol that lets devices discover one another automatically on a local network.

Akamai said that out of a pool of 3.5 million devices, about 8% were using the vulnerable version of UPnP.

"The victims of this attack will be at the mercy of the attackers because they would already have machines segmented on the Internet and would have no idea what was going on," the company said. "In addition, network machines that had low patching priority will become easy choices."

UPnP has a long history of abuse by hackers; it often exposes devices to the Internet that should only be visible locally. Akamai reported this summer that hackers were using UPnP to conceal their traffic as part of an "organized and widespread abuse campaign".

The new attack, which exposes ports 139 and 445, uses EternalBlue, an exploit developed by the NSA that was stolen and made public by the hacking group Shadow Brokers. EternalBlue was later a component of the WannaCry ransomware attack and of the NotPetya wiper attack, which masqueraded as ransomware (fakesomware?) but turned out to have been created simply to destroy shit.

Two weeks ago, Ars Technica, which first reported on Akamai's research, explained how UPnP had been used to build a 100,000-router botnet. That infection was discovered by Netlab 360.

Unfortunately, the researchers were unable to say exactly what was done with these 45,000 infected routers. But a successful attack, the researchers said, "could create a rich and targeted environment, paving the way for ransomware attacks or a persistent presence on the network."

Attackers can be kept out by keeping the router's firmware up to date and disabling UPnP. Akamai also recommends buying a new router after an infection. If that is not in your budget, be aware that simply disabling UPnP on an already infected router may not be enough; perform a factory reset for added security.
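As an added defensive illustration (not code from the article, Akamai or Netlab 360): the check below parses the SOAP responses a UPnP Internet Gateway Device returns to the GetGenericPortMappingEntry action, one port mapping per response, and flags any mapping that forwards traffic to port 139 or 445, the exposure the article describes. The responses, LAN addresses and description strings are constructed sample data; against a real router you would request entries by index from the WANIPConnection service until it reports an out-of-range index.

```python
import xml.etree.ElementTree as ET

# Ports the article says the attack exposes through the router (NetBIOS/SMB).
SUSPECT_PORTS = {139, 445}

def _igd_response(ext_port, proto, int_port, client, desc):
    """Build a constructed GetGenericPortMappingEntry SOAP response (sample data)."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        '<s:Body><u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
    )

# Constructed sample mapping table: one benign game-server mapping and two that
# forward WAN ports to NetBIOS/SMB on a LAN host, the pattern in the article.
SAMPLE_MAPPINGS = [
    _igd_response(25565, "TCP", 25565, "192.168.1.10", "minecraft"),
    _igd_response(47123, "TCP", 445, "192.168.1.20", "mapping-7"),
    _igd_response(47124, "TCP", 139, "192.168.1.20", "mapping-8"),
]

def parse_mapping(soap_xml):
    """Extract the New* argument fields from one IGD port-mapping response."""
    entry = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the namespace on envelope tags
        if tag.startswith("New"):
            entry[tag[3:]] = (el.text or "").strip()
    return entry

def is_suspect(entry):
    """True when the mapping forwards to, or listens on, a NetBIOS/SMB port."""
    return (int(entry["InternalPort"]) in SUSPECT_PORTS
            or int(entry["ExternalPort"]) in SUSPECT_PORTS)

def audit(responses):
    """Return (external_port, internal_client, internal_port) per suspect mapping."""
    flagged = []
    for entry in map(parse_mapping, responses):
        if is_suspect(entry):
            flagged.append((int(entry["ExternalPort"]),
                            entry["InternalClient"], int(entry["InternalPort"])))
    return flagged

if __name__ == "__main__":
    for ext, client, port in audit(SAMPLE_MAPPINGS):
        print(f"suspect mapping: WAN :{ext} -> {client}:{port} (disable UPnP, reset router)")
```

A mapping like this surviving on a router whose owner never opened SMB to the Internet is the kind of finding that justifies the factory reset recommended above.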

[Ars Technica]