Hackers Find Stolen NSA Exploits Useful Once Again, Compromising Tens of Thousands of Routers – Gizmodo

Photo: AP

A Microsoft exploit released last year after being stolen from the National Security Agency has now been used by hackers to compromise more than 45,000 Internet routers, according to researchers.

Akamai said in a blog post that tens of thousands of routers have been compromised by hackers targeting vulnerable implementations of Universal Plug and Play (UPnP), a widely used protocol that lets devices automatically discover each other on a local network.

Akamai reported that, of a pool of 3.5 million devices, about 8% had vulnerable UPnP implementations.

"The victims of this attack will be at the mercy of the attackers, because they will have previously segmented machines on the Internet and will have no idea of what is happening," the company said. "In addition, machines within the network that had a low priority when it came to patches became easy choices."

UPnP has a long history of being abused, often exposing devices to the Internet that should only be visible locally. Akamai reported this summer that UPnP was being used by hackers to hide traffic in an "organized and widespread abuse campaign."

The new attack, which exposes ports 139 and 445, makes use of EternalBlue, an exploit developed for the NSA that was stolen and then released to the public by the hacker group Shadow Brokers. It was later a component of the WannaCry ransomware attack and of the NotPetya wiper attack, which masqueraded as ransomware but was really built just to destroy things.

Two weeks ago, Ars Technica, which was first to report on Akamai's research, described in detail how UPnP was used to build a 100,000-router botnet. That mass infection was discovered by Netlab 360.

Unfortunately, the researchers were not able to say exactly what is happening on those 45,000 infected routers. But a successful attack, according to the researchers, "could produce a target-rich environment, opening up the possibility of things like ransomware attacks or a persistent foothold on the network."

Attacks can be avoided by keeping the router's firmware up to date and turning UPnP off. Akamai also recommends buying a new router after an infection. But if you're cheap, be aware that simply disabling UPnP on an already infected router may not work; perform a factory reset just to be safe.
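One concrete way a defender can check whether a router has been turned against the network in the way described above is to walk the UPnP Internet Gateway Device's port-mapping table and flag any entry that forwards Internet traffic to the NetBIOS/SMB ports 139 and 445. The script below is an added example written for this page; it is not Akamai's or Gizmodo's code. It parses SOAP responses to the real IGD action `GetGenericPortMappingEntry` (service `WANIPConnection:1`, element names such as `NewInternalPort` and `NewInternalClient` are from the UPnP IGD spec), but the responses themselves are constructed inline with a hypothetical `build_response()` helper so the example runs offline; `parse_mapping()`, `audit_mappings()` and all addresses and ports are likewise constructed for illustration.

```python
"""Audit UPnP IGD port mappings for entries that expose SMB/NetBIOS to the Internet.

Added example (not from the original article). The SOAP responses are
constructed here to mimic what a WANIPConnection:1 device returns for
GetGenericPortMappingEntry; nothing is fetched from a real router.
"""
import xml.etree.ElementTree as ET

# Internal ports the article says the attack exposes: NetBIOS session (139) and SMB (445).
SMB_PORTS = {139, 445}

# Template mirroring the shape of a real GetGenericPortMappingEntry response.
RESPONSE_TEMPLATE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>{external_port}</NewExternalPort>
      <NewProtocol>{protocol}</NewProtocol>
      <NewInternalPort>{internal_port}</NewInternalPort>
      <NewInternalClient>{internal_client}</NewInternalClient>
      <NewEnabled>{enabled}</NewEnabled>
      <NewPortMappingDescription>{description}</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:GetGenericPortMappingEntryResponse>
  </s:Body>
</s:Envelope>"""


def build_response(external_port, protocol, internal_port, internal_client,
                   enabled="1", description=""):
    """Constructed helper (hypothetical): render one fake SOAP response."""
    return RESPONSE_TEMPLATE.format(external_port=external_port, protocol=protocol,
                                    internal_port=internal_port,
                                    internal_client=internal_client,
                                    enabled=enabled, description=description)


# Constructed sample table: one benign mapping, two that forward to SMB ports,
# and one SMB forward that is present but disabled.
SAMPLE_RESPONSES = [
    build_response(8080, "TCP", 8080, "192.168.1.20", description="media server"),
    build_response(47910, "TCP", 445, "192.168.1.10"),
    build_response(47911, "TCP", 139, "192.168.1.10"),
    build_response(47912, "TCP", 445, "192.168.1.11", enabled="0"),
]


def parse_mapping(xml_text):
    """Extract the New* fields of a GetGenericPortMappingEntry response."""
    root = ET.fromstring(xml_text)
    fields = {}
    for elem in root.iter():
        tag = elem.tag.split("}", 1)[-1]  # strip any XML namespace prefix
        if tag.startswith("New"):
            fields[tag[3:]] = (elem.text or "").strip()
    return {
        "remote_host": fields.get("RemoteHost", ""),
        "external_port": int(fields["ExternalPort"]),
        "protocol": fields["Protocol"].upper(),
        "internal_port": int(fields["InternalPort"]),
        "internal_client": fields["InternalClient"],
        "enabled": fields.get("Enabled", "1") == "1",
        "description": fields.get("PortMappingDescription", ""),
    }


def audit_mappings(responses):
    """Return the active mappings that forward Internet traffic to an SMB/NetBIOS port."""
    findings = []
    for raw in responses:
        mapping = parse_mapping(raw)
        if mapping["enabled"] and mapping["internal_port"] in SMB_PORTS:
            findings.append(mapping)
    return findings


if __name__ == "__main__":
    for hit in audit_mappings(SAMPLE_RESPONSES):
        print("SMB exposed: external %s/%d -> %s:%d (%r)" % (
            hit["protocol"], hit["external_port"], hit["internal_client"],
            hit["internal_port"], hit["description"]))
```

Against a real router you would obtain the responses by sending `GetGenericPortMappingEntry` requests with an increasing `NewPortMappingIndex` until the device answers with a `SpecifiedArrayIndexInvalid` error, then feed the collected XML to `audit_mappings()`. Any hit is a reason to follow the article's advice: disable UPnP, factory-reset the router, and update its firmware, since a mapping you did not create is a sign the device is already being used as a relay.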

[Ars Technica]
