Hackers Find Stolen US Government Exploit Useful Again, Compromise Tens of Thousands of Routers

By Dell Cameron

A Microsoft exploit made public last year after being pinched from the US National Security Agency has now been used by hackers to compromise more than 45,000 internet routers, according to researchers.

Cloud service provider and content delivery network Akamai said in a blog post Thursday that the tens of thousands of routers had been compromised by attackers targeting vulnerable implementations of Universal Plug and Play (UPnP), a widely used protocol that enables devices to automatically recognise each other across a local network.

Akamai reported that out of a pool of 3.5 million devices, around 8 per cent carried the vulnerable UPnP version.

“Victims of this attack will be at the mercy of the attackers, because they’ll have machines existing on the internet that were previously segmented, and they’ll have no idea this is happening,” the company said. “Moreover, machines within the network that had a low priority when it came to patches will become easy pickings.”

UPnP has a lengthy track record of being compromised by hackers, often by exposing devices to the internet that should only be visible locally. Akamai reported this summer that UPnP was being used by hackers to conceal traffic in an “organised and widespread abuse campaign.”

The new attack—which exposes ports 139 and 445—makes use of EternalBlue, an exploit developed for the NSA, which was stolen and then released to the public by the hacking group Shadow Brokers. It was later a component of the WannaCry ransomware attack and the NotPetya wiper attack, which masqueraded as ransomware (fakesomware?) but was really just created to destroy shit.

Two weeks ago, Ars Technica, which first reported on Akamai’s research, detailed how UPnP had been used to create a 100,000-router botnet. The mass infection was discovered by Netlab 360.

Unfortunately, the researchers were unable to tell what exactly is happening to those 45,000 infected routers. But a successful attack, researchers said, “could yield a target rich environment, opening up the chance for such things as ransomware attacks, or a persistent foothold on the network.”

Attackers can be warded off by keeping router firmware properly updated and by disabling UPnP. Akamai also recommends buying a new router post-infection. But if you’re cheap, merely disabling UPnP on a router already infected might not do the trick; perform a factory reset just to be safe. [Ars Technica]
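The article says the attack abuses UPnP to expose ports 139 and 445 on machines behind the router, and that the defence is to update firmware, disable UPnP and, if in doubt, factory-reset. As an added example (not code from Akamai, Ars Technica or the article), here is a Python check a defender could run over a router's UPnP port-mapping table: it parses WANIPConnection GetGenericPortMappingEntry responses, which are the real UPnP IGD action and element names, and flags any mapping whose internal port is 139 or 445. The sample responses, addresses and descriptions are constructed so the script runs offline; fetching entries from a live router is left out.

```python
from dataclasses import dataclass
from typing import Dict, List
import xml.etree.ElementTree as ET

# Internal ports the campaign described above exposes: NetBIOS session (139) and SMB (445).
SMB_PORTS = {139, 445}


@dataclass
class PortMapping:
    remote_host: str
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    enabled: bool
    description: str


def parse_port_mapping(soap_xml: str) -> PortMapping:
    """Parse one WANIPConnection GetGenericPortMappingEntry SOAP response.

    The element names (NewExternalPort, NewInternalClient, ...) are those defined
    by the UPnP IGD WANIPConnection service; they are unqualified elements inside
    the SOAP body, so plain tag names are enough to find them.
    """
    root = ET.fromstring(soap_xml)
    fields: Dict[str, str] = {
        el.tag: (el.text or "").strip() for el in root.iter() if el.tag.startswith("New")
    }
    return PortMapping(
        remote_host=fields.get("NewRemoteHost", ""),
        external_port=int(fields["NewExternalPort"]),
        protocol=fields["NewProtocol"].upper(),
        internal_port=int(fields["NewInternalPort"]),
        internal_client=fields["NewInternalClient"],
        enabled=fields.get("NewEnabled", "1") == "1",
        description=fields.get("NewPortMappingDescription", ""),
    )


def exposes_smb(m: PortMapping) -> bool:
    """True if the mapping hands Internet traffic to NetBIOS/SMB on a LAN host."""
    return m.internal_port in SMB_PORTS


def audit_port_mappings(responses: List[str]) -> List[PortMapping]:
    """Parse every response and return only the mappings that expose SMB/NetBIOS."""
    return [m for m in map(parse_port_mapping, responses) if exposes_smb(m)]


def _soap_response(external_port: int, protocol: str, internal_port: int,
                   client: str, description: str) -> str:
    """Build a constructed GetGenericPortMappingEntry response for offline use."""
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>{external_port}</NewExternalPort>
<NewProtocol>{protocol}</NewProtocol>
<NewInternalPort>{internal_port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{description}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse>
</s:Body>
</s:Envelope>"""


# Constructed sample of a router's mapping table: two ordinary entries plus two
# that forward Internet traffic to SMB/NetBIOS on a LAN host (all values made up).
SAMPLE_RESPONSES = [
    _soap_response(3074, "UDP", 3074, "192.168.1.10", "game console"),
    _soap_response(47000, "TCP", 445, "192.168.1.20", "injected"),
    _soap_response(47001, "TCP", 139, "192.168.1.20", "injected"),
    _soap_response(8443, "TCP", 443, "192.168.1.30", "home nas"),
]


if __name__ == "__main__":
    for m in audit_port_mappings(SAMPLE_RESPONSES):
        print(f"{m.protocol} {m.external_port} -> {m.internal_client}:{m.internal_port} ({m.description})")
```

On a real router the responses come from calling GetGenericPortMappingEntry with NewPortMappingIndex 0, 1, 2, ... until the device returns an error; any flagged entry you did not create yourself is a reason to follow the advice above and reset the device rather than just delete the mapping.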
