More than 45,000 Internet routers have been compromised by a newly discovered campaign, designed to open networks to attacks by EternalBlue, the powerful exploit developed by the National Security Agency, then stolen from the latter, and then filtered out over the Internet, have indicated researchers. Wednesday.
The new attack exploits routers with vulnerable implementations of Universal Plug and Play to force connected devices to open ports 139 and 445, the content delivery network Akamai said in a blog post. Thus, nearly 2 million computers, phones and other network devices connected to routers are accessible over the Internet via these ports. While internet analytics does not reveal exactly what happens when discovering connected devices, Akamai said that the ports, which are essential for the propagation of EternalBlue and its Linux cousin, EternalRed, give a good idea of what is going on. intentions of the attackers.
The attacks are a new example of mass exploitation by the same researchers as those documented in April. They called it UPnProxy because it exploits Universal Plug and Play, often abbreviated as UPnP, to turn vulnerable routers into proxy servers that hide the origins of spam, DDoS, and botnets. In Wednesday's blog, the researchers wrote:
Akamai researchers believe that, given current information and events, someone is attempting to compromise millions of machines installed behind vulnerable routers by exploiting the exploits of EternalBlue and EternalRed.
Unfortunately, Akamai researchers are not able to see what happens after the injections. They can only see the injections themselves and not the final payloads that would be directed to the machines on display. However, a successful attack could generate a target-rich environment, paving the way for attacks such as ransomware attacks or persistent network persistence.
Currently, the 45,113 confirmed injection routers expose a total of 1.7 million unique machines to attackers. We reached this conclusion by recording the number of unique IP addresses exposed per router and then adding them together. It is hard to say whether these attempts led to a successful exposure because we do not know if a machine received this IP address at the time of injection. In addition, there is no way to know if EternalBlue or EternalRed has been used to successfully compromise the exposed machine. However, if only a fraction of the potentially exposed systems were successfully compromised and fell into the hands of the attackers, the situation would worsen rapidly.
The new instance, dubbed EternalSilence by Akamai researchers, injects commands into vulnerable routers that open ports on connected devices. Legitimate injections often include a description such as "Skype". EternalSilence injections use the description "galleta silenciosa" – "silent cookie / biscuit" in Spanish. The injections look like this:
A plague called UPnP
Wednesday's release is just the latest information about UPnP, a protocol designed to make it easier for connected devices to work by using code that allows them to automatically discover themselves and open the ports they need to connect to the device. Internet outside. Two weeks ago, a separate team of researchers reported that UPnP vulnerabilities had been exploited to create a botnet of 100,000 routers used to send spam and other types of malicious email. Most exploited vulnerabilities, if not all, are common knowledge since 2013, the year when a compelling Internet scan revealed that 81 million IPv4 addresses were responding to standard UPnP discovery requests, even though this standard does not exist. is not supposed to communicate with devices located outside of a local area network. .
EternalBlue is an attack developed and used by the NSA that exploited the server's message block implementations in Vista and all later versions of Windows. In April 2017, a mysterious group calling themselves Shadow Brokers put the code of attack at the disposal of the whole world. A month later, EternalBlue was integrated with WannaCry, a rapidly spreading ransomware worm that paralyzed hospitals, transport companies and train stations around the world. A month later, a disk wiper called NotPetya also used EternalBlue as an engine for extremely fast replication.
Although the fixes for EternalBlue and EternalRed have been in place for more than a year, some organizations have not yet installed them. Not applying the fix does not automatically mean that a network is vulnerable. If the ports are small enough, exploits may not be able to propagate. Akamai researchers say the new attacks are probably an opportunistic attempt to open the devices to attacks to which they would otherwise be resistant.
"The goal here is not a targeted attack," they wrote. "It's about taking advantage of proven farms in the market, throwing a large net into a relatively small pond, hoping to bring together a set of previously inaccessible devices."
To prevent attacks, users must ensure that their routers are not vulnerable to UPnP attacks, either by purchasing new hardware or by ensuring that their old device uses updated firmware. Once a router has been operated by UPnProxy, devices must be rebooted or, better yet, reset to their original factory settings to ensure removal of port forwarding injections. People whose routers are compromised should also carefully inspect connected devices to make sure they have not been infected.