"EternalSilence": Leaked NSA Tools Being Used By Hackers To Target Networks

It was in 2017 that the National Security Agency's (NSA) hacking tools were leaked online. But the aftermath is far from over.

Even after patches were released to block the NSA exploits, hundreds of thousands of computers were left unpatched and remain vulnerable.

What makes things even worse is that hackers are using the leaked tools to build more advanced and effective attack methods, which could lead to them taking over a targeted system entirely.

A security report titled UPNPROXY: ETERNALSILENCE from Akamai detailed a malware campaign that alters configurations on home and small office routers, which opens connections toward internal networks so hackers can infect previously isolated computer systems.

They achieve this, according to Akamai, through a technique known as UPnProxy, which exploits vulnerabilities in the Universal Plug and Play (UPnP) services running on some routers to alter the device's NAT (Network Address Translation) tables.

NAT tables here are the rules that control how IPs and ports on the router's internal network are mapped onto the outer network - usually the internet.

Read: Akamai's white paper titled "UPnProxy: Blackhat Proxies via NAT Injections" (PDF)

Back in April, hackers were using this technique to turn routers into proxies for ordinary web traffic. That allowed malicious traffic to be obfuscated and routed through the routers, which can then be used to launch distributed denial-of-service (DDoS) attacks or to spread malware or spam.

But that has changed: a tweaked variation of UPnProxy now leverages UPnP services to insert special rules into routers' NAT tables.

The rules still work as proxy redirections, but instead of only relaying web traffic, they also allow hackers to connect to the SMB ports (139, 445) of devices and computers inside the router's network.

According to Akamai, 277,000 routers with vulnerable UPnP services are online, and 45,113 have already been attacked by this campaign. Akamai also said that it detected "millions of successful injections" during which the hackers connected themselves through these ports to devices beyond the routers.

"While it is unfortunate to see UPnProxy being actively leveraged to attack systems previously shielded behind the NAT, it was bound to happen eventually," said Akamai’s Chad Seaman, who wrote the report.

[Figure: A larger sample of EternalSilence injections found on a single router]

While Akamai can't say exactly how the hackers achieve this, the company is fairly sure that the "injections" are linked to EternalBlue, one of the exploit tools originally developed by the NSA, which was also behind the WannaCry and NotPetya ransomware outbreaks.

They are also linked to its sibling exploit, EternalRed, which was used to backdoor Linux devices and was found independently by Samba.

Akamai refers to this particular router hacking campaign as "EternalSilence", a name derived from the use of the EternalBlue exploits and Silent Cookie, the name of the malicious NAT table entries.

“The goal here isn’t a targeted attack,” said Seaman. “It’s an attempt at leveraging tried and true off the shelf exploits, casting a wide net into a relatively small pond, in the hopes of scooping up a pool of previously inaccessible devices.”

Those who don't want to experience these kinds of attacks are advised to disable the UPnP service on their routers.

But this is not a complete fix, as Seaman explained: it's "the equivalent of plugging the hole in the boat, but it does nothing to address the water that has made it into your sinking ship."

Flashing an affected router and disabling UPnP may remediate the issue, but it's wiser to have that router "completely replaced" with a newer, more modern one that doesn't use a vulnerable UPnP implementation.
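A defender-side check for the two behaviours described above (injected NAT entries that expose SMB ports 139/445 of LAN hosts, and proxy redirections pointing at outside hosts), plus the cleanup step the mitigation paragraphs imply: the injected entries have to be enumerated and removed, not just UPnP switched off. This is an added Python example, not Akamai's or the article's code. It assumes the router exposes the standard UPnP IGD WANIPConnection:1 service (GetGenericPortMappingEntry / DeletePortMapping), a home LAN of 192.168.1.0/24, and three constructed sample responses; matching the mapping description on the phrase "Silent Cookie" is an assumption about how the entry name appears.

```python
"""Audit UPnP IGD port mappings for UPnProxy / EternalSilence-style injections.
Added example, not Akamai's tooling.  Parses GetGenericPortMappingEntry SOAP
responses (how clients enumerate a router's mappings), flags entries that expose
SMB on LAN hosts or redirect to hosts outside the LAN, and builds the
DeletePortMapping requests needed to remove them.  All sample data is constructed."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

SMB_PORTS = {139, 445}
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home LAN range

@dataclass
class PortMapping:
    remote_host: str
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    description: str

def parse_mapping_response(xml_text: str) -> PortMapping:
    """Extract the New* fields of one GetGenericPortMappingEntryResponse."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]      # drop any namespace prefix
        if name.startswith("New"):
            fields[name] = (el.text or "").strip()
    return PortMapping(
        remote_host=fields.get("NewRemoteHost", ""),
        external_port=int(fields["NewExternalPort"]),
        protocol=fields.get("NewProtocol", "TCP"),
        internal_port=int(fields["NewInternalPort"]),
        internal_client=fields["NewInternalClient"],
        description=fields.get("NewPortMappingDescription", ""),
    )

def classify_mapping(m: PortMapping, lan=LAN) -> List[str]:
    """Return the indicators that make a mapping suspicious (empty if none)."""
    try:
        client = ipaddress.ip_address(m.internal_client)
    except ValueError:
        return ["unparseable_internal_client"]
    findings = []
    if client not in lan:      # router turned into a proxy for outside hosts
        findings.append("proxy_redirect_outside_lan")
    if client in lan and m.internal_port in SMB_PORTS:   # internet -> LAN SMB
        findings.append("smb_exposed_to_internet")
    if "silent cookie" in m.description.lower():         # assumed entry name
        findings.append("silent_cookie_description")
    return findings

def audit(responses: List[str], lan=LAN) -> Dict[int, List[str]]:
    """Map external port -> indicators for every suspicious mapping."""
    result = {}
    for xml_text in responses:
        m = parse_mapping_response(xml_text)
        findings = classify_mapping(m, lan)
        if findings:
            result[m.external_port] = findings
    return result

def build_delete_request(m: PortMapping) -> str:
    """SOAP body for WANIPConnection:1 DeletePortMapping removing this entry.
    POSTing it to the router's control URL is left to the caller."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        '<u:DeletePortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost>{m.remote_host}</NewRemoteHost>"
        f"<NewExternalPort>{m.external_port}</NewExternalPort>"
        f"<NewProtocol>{m.protocol}</NewProtocol>"
        "</u:DeletePortMapping></s:Body></s:Envelope>"
    )

def _response(ext, proto, iport, client, desc):
    """Constructed GetGenericPortMappingEntry response (sample data only)."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )

SAMPLE_RESPONSES = [
    _response(5000, "TCP", 5000, "192.168.1.20", "NAS web UI"),     # legitimate
    _response(47000, "TCP", 445, "192.168.1.15", "Silent Cookie"),  # SMB injection
    _response(8080, "TCP", 80, "203.0.113.10", ""),                 # proxy injection
]

if __name__ == "__main__":
    for ext, why in audit(SAMPLE_RESPONSES).items():
        print(f"external port {ext}: {', '.join(why)}")
```

Against the sample data the audit flags external port 47000 (SMB of a LAN host exposed, with the assumed entry name) and 8080 (redirect to an outside host), and leaves the NAS mapping alone; on a real device the same audit would be run over every index returned by GetGenericPortMappingEntry, and the flagged entries deleted before UPnP is disabled, since disabling UPnP alone leaves existing NAT entries in place.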

Published: 29/11/2018