Earlier this year, researchers from Akamai discovered attackers were abusing Universal Plug and Play (UPnP) vulnerabilities to conceal traffic. As a result, the actors created a malicious proxy system dubbed “UPnProxy.”
UPnProxy is a serious risk because it lets attackers route traffic at will, and it can be used in different types of attacks, such as DDoS, spam, phishing and click fraud.
Akamai security researchers now say that UPnProxy is being used to compromise millions of systems behind vulnerable routers using the EternalBlue and EternalRed exploits.
“There are 277,000 devices, out of a pool of 3.5 million, running vulnerable implementations of UPnP. Of those, Akamai can confirm that more than 45,000 have been compromised in a widely distributed UPnP NAT injection campaign. These injections expose machines living behind the router to the Internet and appear to target the service ports used by SMB,” Akamai noted in a recent research report.
Eternal Silence
Akamai described the new threat as “Eternal Silence”:
“On November 7, while working on a project related to the original UPnProxy discoveries, researchers at Akamai discovered a new family of injections, which they’ve dubbed Eternal Silence. The name EternalSilence comes from port mapping descriptions left by the attackers. In addition, these new attacks are believed to be leveraging the Eternal family of exploits.
“Normally, the NewPortMappingDescription field on the routers would state something like ‘Skype’ for legitimate injections, in UPnProxy campaigns this field is also attacker controlled. The new rulesets discovered by Akamai – affecting over 45,000 routers – all contain ‘galleta silenciosa’ or ‘silent cookie/cracker’ in Spanish. These sets of injections attempt to expose the TCP ports 139 and 445 on devices behind the router.”
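A defender can check a router's own UPnP port-mapping table for the pattern Akamai describes. The following is an added example, not code from Akamai or the original article: it parses responses shaped like UPnP IGD `GetGenericPortMappingEntryResponse` messages and flags entries that carry the "galleta silenciosa" description or forward TCP to ports 139 or 445. The sample responses, addresses and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Indicators from the article: the description string left by the attackers
# and the SMB service ports (TCP 139/445) the injected mappings expose.
MARKER = "galleta silenciosa"
SMB_PORTS = {139, 445}

# Constructed sample data: SOAP bodies shaped like UPnP IGD
# GetGenericPortMappingEntryResponse messages; all values are made up.
TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
SAMPLE_RESPONSES = [
    TEMPLATE.format(ext=50123, proto="UDP", port=50123, client="192.168.1.10", desc="Skype"),
    TEMPLATE.format(ext=47001, proto="TCP", port=445, client="192.168.1.23", desc="galleta silenciosa"),
    TEMPLATE.format(ext=47002, proto="TCP", port=139, client="192.168.1.23", desc="Galleta Silenciosa"),
    TEMPLATE.format(ext=8445, proto="TCP", port=445, client="192.168.1.40", desc="file share"),
]

def parse_mapping(soap_xml):
    """Return the New* arguments of one port-mapping response as a dict."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace, if any
        if name.startswith("New"):
            fields[name] = (el.text or "").strip()
    return fields

def audit_mapping(m):
    """List the reasons a mapping matches the pattern the article describes."""
    reasons = []
    if MARKER in m.get("NewPortMappingDescription", "").lower():
        reasons.append("attacker description")
    port = m.get("NewInternalPort", "")
    if m.get("NewProtocol", "").upper() == "TCP" and port.isdigit() and int(port) in SMB_PORTS:
        reasons.append("forwards to SMB port")
    return reasons

def audit(responses):
    """Return (external port, internal client, reasons) for each flagged mapping."""
    rows = [(m, audit_mapping(m)) for m in map(parse_mapping, responses)]
    return [(m["NewExternalPort"], m["NewInternalClient"], r) for m, r in rows if r]

if __name__ == "__main__":
    print(*audit(SAMPLE_RESPONSES), sep="\n")
```

A mapping flagged only for forwarding to an SMB port may be one an administrator created on purpose; the description match is the indicator specific to this campaign.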
The two vulnerabilities being exploited are EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494).
EternalBlue is the widely known NSA exploit that was leaked by Shadow Brokers and impacts multiple versions of Windows (patched with MS17-010). Cyber criminals used the EternalBlue exploit code to launch cyber attacks including WannaCry and NotPetya.
EternalRed targets Samba on Linux-based systems and has been used in crypto-mining campaigns, such as SambaCry.