277,000 routers are vulnerable to Eternal Silence attack

Written by Emma Davis

Researchers talk about the Eternal Silence malware attack that uses Universal Plug and Play (UPnP) to turn routers into a proxy server used to launch various attacks and hide the location of intruders.

Akamai explains that UPnP is another technology that offers convenience at the expense of security, especially if the UPnP implementation is potentially vulnerable to attacks in which hackers can add UPnP port forwarding entries over an open WAN connection.

Analysts found attackers using this weakness to create proxy servers and named the attack UPnProxy.

Out of 3,500,000 UPnP routers found by experts on the network, 277,000 were vulnerable to UPnProxy, and 45,113 of them were already infected, Akamai experts said.

According to the report, attackers are trying to exploit the EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) issues on unprotected Windows and Linux systems. Exploiting these bugs can lead to a range of problems, including infection with mining malware, devastating worm attacks that quickly spread across entire networks, or hackers gaining access to corporate networks.

The new rules being created by the hackers contain the phrase “galleta silenciosa”, which means “silent cookies” in Spanish. Such injections try to expose TCP ports 139 and 445 on devices connected to the router (approximately 1,700,000 machines running SMB).

{"NewProtocol": "TCP", "NewInternalPort": "445", "NewInternalClient": "192.168.10.212", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "47669"}

The researchers note that it is too early to judge the success of this campaign, but hackers are clearly demonstrating a systematic approach to scanning and are looking for devices that use static ports and paths for their UPnP daemons.

According to experts, Eternal Silence is a very insidious attack: it makes network segmentation ineffective and gives the victim no indication of what is happening.

Essentially, the best way to determine if devices have been compromised is to scan all endpoints and check entries in the NAT table. Akamai has published a special bash script for this purpose.
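The NAT-table check described above, as an added example that is not Akamai's script or code from the original article. It assumes the router's UPnP port mappings have already been exported as one JSON object per line, using the field names of the rule quoted earlier; the function names, reason labels and the second and third sample entries are made up for illustration.

```python
import ipaddress
import json

# Indicators from the article: the injected description and the SMB ports
# the campaign tries to expose on hosts behind the router.
MARKER_DESCRIPTIONS = {"galleta silenciosa"}
SMB_PORTS = {139, 445}
# Assumption: the LAN uses RFC 1918 addressing, so a legitimate forward
# targets one of these ranges.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_mapping(entry):
    """Return the reasons a UPnP port mapping looks suspicious (empty if none)."""
    reasons = []
    desc = str(entry.get("NewPortMappingDescription", "")).strip().lower()
    if desc in MARKER_DESCRIPTIONS:
        reasons.append("known-description")
    try:
        if int(entry.get("NewInternalPort", "")) in SMB_PORTS:
            reasons.append("smb-exposed")
    except (TypeError, ValueError):
        reasons.append("malformed-port")
    try:
        client = ipaddress.ip_address(str(entry.get("NewInternalClient", "")))
        # A target outside the LAN means the router relays traffic onward,
        # which is the proxy behaviour the article calls UPnProxy.
        if not any(client in net for net in LAN_NETS):
            reasons.append("non-lan-target")
    except ValueError:
        reasons.append("malformed-client")
    return reasons

def audit_dump(text):
    """Audit a dump holding one JSON mapping per line; return flagged entries."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            entry = json.loads(line)
            reasons = audit_mapping(entry)
            if reasons:
                findings.append((entry, reasons))
    return findings

# Constructed sample: line 1 is the rule quoted in the article, lines 2-3 are made up.
SAMPLE_DUMP = """\
{"NewProtocol": "TCP", "NewInternalPort": "445", "NewInternalClient": "192.168.10.212", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "47669"}
{"NewProtocol": "UDP", "NewInternalPort": "51413", "NewInternalClient": "192.168.10.20", "NewPortMappingDescription": "constructed benign entry", "NewExternalPort": "51413"}
{"NewProtocol": "TCP", "NewInternalPort": "80", "NewInternalClient": "203.0.113.7", "NewPortMappingDescription": "constructed proxy entry", "NewExternalPort": "40001"}
"""

if __name__ == "__main__":
    for entry, reasons in audit_dump(SAMPLE_DUMP):
        print(entry["NewExternalPort"], entry["NewInternalClient"], ",".join(reasons))
```

Any flagged mapping that no device on the LAN requested should be deleted from the router, and the host it points to checked for exposure of SMB.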

Let me remind you that we also reported that KCodes NetUSB problem threatens many home routers, and also that Researchers found 226 vulnerabilities in popular router models.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing from Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
