It’s been over a year since many of NSA’s exploits leaked online and, as a result, hundreds of thousands of computers remain unpatched and vulnerable to date. These exploits were initially used to spread ransomware and cryptocurrency mining attacks, but now it seems hackers are using the leaked tools to build an even larger malicious proxy network, reports TechCrunch.
Akamai, the American content delivery network, did some digging around and found that the previously reported UPnProxy vulnerability, which misuses the common Universal Plug and Play network protocol, is now capable of targeting unpatched computers behind the router’s firewall. “While it is unfortunate to see UPnProxy being actively leveraged to attack systems previously shielded behind the NAT, it was bound to happen eventually,” commented Akamai’s Chad Seaman, the author of the report.
The new injection attacks use two exploits: EternalBlue (for Windows computers) and EternalRed (for Linux machines), which are backdoors created by the NSA to target computers. While the original UPnProxy campaign modified the port mappings on vulnerable routers, the two Eternal exploits target the service ports used by SMB, a common networking protocol found on most computers. Akamai calls the two exploits EternalSilence collectively.
“The goal here isn’t a targeted attack,” added Seaman. “It’s an attempt at leveraging tried and true off the shelf exploits, casting a wide net into a relatively small pond, in the hopes of scooping up a pool of previously inaccessible devices.” The problem is that Eternal-based attacks are hard to detect, so it becomes difficult for administrators to even know if they’ve been attacked. Though fixes for the Eternal-based attacks have been around for over a year, many computers remain unpatched and therefore vulnerable. According to Seaman, flashing an affected network router and immediately disabling UPnProxy could solve the issue, but completely replacing the router is always better.
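Because the injected port mappings are the footprint an administrator can actually look for, the following is an added defender-side example (not code from the article or from Akamai's report): it parses UPnP IGD GetGenericPortMappingEntry responses and flags any mapping that exposes an SMB port (TCP 139/445) or forwards traffic to a host outside the local LAN. The SOAP responses, the LAN range 192.168.1.0/24 and all addresses and descriptions are constructed sample data.

```python
import ipaddress
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}                              # NetBIOS session and SMB over TCP
LAN = ipaddress.ip_network("192.168.1.0/24")        # assumed local network of this router

# Constructed sample: three GetGenericPortMappingEntry responses in the shape a UPnP
# IGD (WANIPConnection) router returns them. Mapping 1 is an ordinary forward, mapping 2
# exposes an internal host's SMB port, mapping 3 forwards to a host outside the LAN.
_TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
    '<NewProtocol>TCP</NewProtocol><NewInternalPort>{int_}</NewInternalPort>'
    '<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
)
SAMPLE_RESPONSES = [
    _TEMPLATE.format(ext=8080, int_=80, client="192.168.1.20", desc="webcam"),
    _TEMPLATE.format(ext=47001, int_=445, client="192.168.1.50", desc="node"),
    _TEMPLATE.format(ext=47002, int_=139, client="203.0.113.5", desc="node"),
]

def parse_mapping(soap_xml):
    """Return the New* fields of one GetGenericPortMappingEntry response as a dict."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.split("}")[-1]                 # drop the XML namespace prefix, if any
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def audit_mapping(m, lan=LAN):
    """Return the reasons one mapping looks like a UPnProxy/EternalSilence injection."""
    reasons = []
    if int(m["InternalPort"]) in SMB_PORTS or int(m["ExternalPort"]) in SMB_PORTS:
        reasons.append("exposes SMB port %s" % m["InternalPort"])
    if ipaddress.ip_address(m["InternalClient"]) not in lan:
        reasons.append("forwards to non-LAN host %s" % m["InternalClient"])
    return reasons

def audit_responses(responses, lan=LAN):
    """Map each mapping's index to its findings; an empty list means it looks benign."""
    return {i: audit_mapping(parse_mapping(r), lan) for i, r in enumerate(responses)}

if __name__ == "__main__":
    for idx, findings in audit_responses(SAMPLE_RESPONSES).items():
        print(idx, "OK" if not findings else "; ".join(findings))
```

On a live router the same responses come from walking NewPortMappingIndex 0, 1, 2, ... against the WANIPConnection control URL until the device returns an error; any finding is a reason to remove the mapping and disable UPnP on the WAN side.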