Saturday, July 20, 2024
EHA

UPnProxy – A Dubbed NSA Hacking Tool of EternalSilence Vulnerable to Attack 277,000 UPnP Enabled Routers

New research reveals that  Universal Plug and Play (UPnP) implemented 277,000 Connected Devices are vulnerable to malicious proxy system UPnProxy , a dubbed EternalSilence NSA hacking tool arsenal.

UPnP is a feature that allows the devices on your network to discover each other and allow to access certain services. Often, this is used for streaming media between devices on a network.

Currently, a pool of 3.5 million connected devices are using UPnP and among these devices, more than 45,000 have been compromised in a widely distributed UPnP NAT injection campaign.

Attackers abusing the UPnP system and creating a malicious proxy system called UPnProxy that helps attacker s to reroute the original traffic landing into malicious services such as spam, phishing, click fraud, and DDoS.

It mainly affected the home routers that leads to infect with malware, ransomware and others infections.

Malicious UPnProxy initially discovered by researchers at Akamai and they have dubbed Eternal Silence which is derived from port mapping descriptions and the researchers believed that it leveraging the exploits from NSA Eternal family.

According to Akamai, Currently, the 45,113 routers with confirmed injections expose a total of 1.7 million unique machines to the attackers. We’ve reached this conclusion by logging the number of unique IPs exposed per router, and then added them up. It is difficult to tell if these attempts led to a successful exposure as we don’t know if a machine was assigned that IP at the time of the injection.

Attack Process

Attack leveraging NSA’s Eternal family of exploits using this EternalSilence campaign which is confirmed by an observation of millions of successful injections attempting in order to expose the millions of SMB running services.

In this case, 2 powerful NSA exploits, EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) used by attackers and utilize the static ports (TCP/2048) in order to inject SMB port forwards.

Researchers said, “This is only possible because there are millions (3.5 million) of vulnerable routers on the internet, and plenty of them (277,000) are running vulnerable implementations of UPnP that expose themselves and their IGD (Internet Gateway Device) controls on the WAN/Internet side of the router – something we addressed in our previous research.”

A larger sample of EternalSilence injections found on a single router

Also, there will not be any administrative visibility of an injected router since its difficult to detect the malicious NAT injections.

The best way to identify if a device is vulnerable or actively being leveraged for UPnProxying is to scan an end-point and audit it’s NAT table entries, Researchers said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Website

Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles