
EternalSilence – New Variant Of UPnProxy Exploit Discovered Affecting 45,000 Routers

by Abeerah Hashim

Earlier this year, Akamai researchers discovered a UPnProxy attack targeting thousands of routers. Now, several months later, they have found a new variant of the UPnProxy vulnerability, named EternalSilence. The researchers confirm that the new attack campaign has already compromised at least 45,000 routers in the wild. What’s different here is that the new attack method can also compromise the systems behind the targeted routers.

EternalSilence – A UPnProxy Attack Variant

Researchers at Akamai have discovered a new UPnProxy vulnerability that poses a security threat to thousands of routers and the systems behind them. The same researchers previously discovered the UPnProxy vulnerability that allowed attackers to perform malicious NAT injections. Their recent discovery differs, however, in that it also allows attacks on systems behind the affected routers.

The researchers found this attack method while working on the original UPnProxy exploit. They eventually discovered a new sort of injection that had already compromised 45,113 routers. They have termed it “EternalSilence” after the attackers’ port mapping descriptions and its supposed link with the Eternal exploit family.

Explaining the exploit, the researchers state,

“The new rulesets discovered by Akamai – affecting over 45,000 routers – all contain ‘galleta silenciosa’ or ‘silent cookie/cracker’ in Spanish. These sets of injections attempt to expose the TCP ports 139 and 445 on devices behind the router.”

According to the researchers, they could not identify the results or final payloads of these injections. Nonetheless, by logging the exposed IPs per compromised router, they confirm that at least 1.7 million machines are already exposed to the attackers. They remain unsure whether the attackers have actually compromised the exposed machines, but they fear that such an event would only worsen the situation.

Waging An Attack

Allegedly, to wage an attack, the attackers use two previously established exploits from the Eternal family: EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494, also known as SambaCry). This means that devices vulnerable to these two exploits are even more prone to EternalSilence.

For now, Akamai could not firmly conclude what the attackers intend. Yet, they have stated one possibility.

“Recent scans suggest that these attackers are being opportunistic. One possibility is that they’re scanning the entire internet for SSDP and pivoting to the TCP UPnP daemons. Alternatively, based on scan results and banner grabs, they’re targeting a set of devices which utilize static ports (TCP/2048) and paths (/etc/linuxigd/gatedesc.xml) for their UPnP daemons. They’re doing this in order to blindly inject SMB port forwards.”

Supposedly, the attackers intend to identify the “previously inaccessible devices” by exploiting a combination of already established Eternal exploits.

What’s more problematic here is that detecting the presence of malicious NAT injections on affected routers is extremely difficult.

Possible Mitigations

According to the researchers,

“Victims of this attack will be at the mercy of the attackers, because they’ll have machines existing on the internet that were previously segmented, and they’ll have no idea this is happening. Moreover, machines within the network that had a low priority when it came to patches will become easy pickings.”

As possible mitigations, the researchers recommend buying routers with no UPnP vulnerabilities. Alternatively, users may consider disabling UPnP on vulnerable devices. Moreover, to clear any existing malicious NAT injections, rebooting the router, or restoring factory settings and then reconfiguring it with UPnP disabled, may also help.

Additionally, for machines already compromised by these attacks, users should keep an eye out for any “odd traffic on the LAN side”.
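One concrete way to look for the injected SMB forwards described above is to audit the router's own UPnP port-mapping table. The following is an added example, not code from the article or from Akamai: it parses the SOAP responses that a UPnP WANIPConnection:1 service returns for the standard GetGenericPortMappingEntry action and flags any mapping that forwards to TCP 139 or 445 on a LAN host, or whose description carries the ‘galleta silenciosa’ marker the article quotes. The sample responses, ports and LAN addresses below are constructed for the demonstration.

```python
"""Audit a UPnP IGD port-mapping table for EternalSilence-style SMB forwards.

Added example, not code from the article or from Akamai. Parses SOAP
GetGenericPortMappingEntryResponse envelopes (WANIPConnection:1) and flags
forwards to TCP 139/445 or descriptions containing 'galleta silenciosa'.
The sample responses are constructed, not captured data.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Internal ports the article says the injections expose (NetBIOS session, SMB).
SMB_PORTS = {139, 445}
# Marker string Akamai observed in the injected rulesets (quoted in the article).
SUSPICIOUS_DESC = "galleta silenciosa"


@dataclass
class PortMapping:
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    description: str
    enabled: bool


def parse_port_mapping(soap_xml: str) -> PortMapping:
    """Parse one GetGenericPortMappingEntryResponse SOAP envelope."""
    root = ET.fromstring(soap_xml)
    fields = {}
    for elem in root.iter():
        # Match on the local name so the parser works whatever namespace
        # prefix (or none) the router's SOAP stack puts on the New* elements.
        local = elem.tag.rsplit("}", 1)[-1]
        if local.startswith("New"):
            fields[local] = (elem.text or "").strip()
    return PortMapping(
        external_port=int(fields["NewExternalPort"]),
        protocol=fields["NewProtocol"].upper(),
        internal_port=int(fields["NewInternalPort"]),
        internal_client=fields["NewInternalClient"],
        description=fields.get("NewPortMappingDescription", ""),
        enabled=fields.get("NewEnabled", "1") == "1",
    )


def classify(mapping: PortMapping) -> list[str]:
    """Return the reasons a mapping looks like an injected SMB forward (empty if clean)."""
    reasons = []
    if mapping.protocol == "TCP" and mapping.internal_port in SMB_PORTS:
        reasons.append(
            f"forwards external {mapping.external_port}/TCP to SMB/NetBIOS port "
            f"{mapping.internal_port} on {mapping.internal_client}"
        )
    if SUSPICIOUS_DESC in mapping.description.lower():
        reasons.append("description matches the 'galleta silenciosa' ruleset marker")
    return reasons


def audit(responses: list[str]) -> list[tuple[PortMapping, list[str]]]:
    """Parse every captured response and keep only the suspicious mappings."""
    findings = []
    for soap_xml in responses:
        mapping = parse_port_mapping(soap_xml)
        reasons = classify(mapping)
        if reasons:
            findings.append((mapping, reasons))
    return findings


def make_response(ext_port, proto, int_port, client, desc):
    """Build a constructed GetGenericPortMappingEntryResponse envelope for testing."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        "<NewRemoteHost></NewRemoteHost>"
        f"<NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


# Constructed sample table: one legitimate game-server forward, one injection
# matching both indicators, one bare NetBIOS forward with no description.
SAMPLE_RESPONSES = [
    make_response(25565, "TCP", 25565, "192.168.1.20", "Minecraft server"),
    make_response(47879, "TCP", 445, "192.168.1.15", "galleta silenciosa"),
    make_response(51139, "TCP", 139, "192.168.1.22", ""),
]

if __name__ == "__main__":
    for mapping, reasons in audit(SAMPLE_RESPONSES):
        print(f"SUSPICIOUS {mapping.external_port}/{mapping.protocol} -> "
              f"{mapping.internal_client}:{mapping.internal_port}")
        for reason in reasons:
            print(f"    - {reason}")
```

Against a real router, the same response documents are obtained by invoking GetGenericPortMappingEntry on the WANIPConnection control URL (found in the device description) with increasing NewPortMappingIndex values until the service returns the SpecifiedArrayIndexInvalid fault; the block above only parses responses that have already been captured, so it runs offline. A mapping that forwards to 139 or 445 should be treated as suspicious even when its description is empty or innocuous, since the marker string is the attackers' choice and can change; the port-based check is the more durable indicator.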
