Hackers who obtained NSA tools continue to affect computers


A little over a year after patches were released to thwart the powerful NSA exploits that leaked online, hundreds of thousands of computers remain unpatched and vulnerable.

First, they were used to spread ransomware, then came cryptocurrency mining attacks.

Now researchers say that hackers (or crackers) are using the leaked tools to build an even larger malicious proxy network. In other words, hackers are using NSA tools to hijack computers.

Recent discoveries

New findings from the security firm Akamai say that the UPnProxy vulnerability abuses the common Universal Plug and Play (UPnP) network protocol, and that it can now be used to target unpatched computers behind the router's firewall.

Attackers have traditionally used UPnProxy to rewrite the port-forwarding settings of an affected router, which lets them obfuscate and route malicious traffic through it. This can be used to launch denial-of-service attacks or to spread malware or spam.

In most cases, the computers on the internal network were not affected, because they were protected by the router's network address translation (NAT) rules.

But now, Akamai says that attackers are using more powerful exploits to get through the router and infect individual computers on the network.

This gives the attackers a much larger number of reachable devices, and it makes the malicious network much stronger.

"While it is unfortunate to see attackers making use of UPnProxy and actively taking advantage of it to attack systems that were previously protected behind NAT, it will eventually happen," said Chad Seaman of Akamai, who wrote the report.

Attackers make use of two types of injection exploits:

The first is EternalBlue, a back door developed by the National Security Agency to attack computers running Windows.

For Linux users there is an exploit called EternalRed, through which the attackers gain access via the Samba protocol.

About EternalRed

It is important to know that Samba version 3.5.0 was vulnerable to this remote code execution flaw, which allows a malicious client to upload a shared library to a writable share and then have the server load and run it.

An attacker can access a Linux machine, elevate privileges using a local vulnerability to gain root access, and install a possible future ransomware, in effect a replica of WannaCry for Linux.

RedBluePill

Whereas UPnProxy modifies the port mappings on a vulnerable router, the Eternal family targets the service ports used by SMB, a common network protocol used by most computers.

Combined, they form what Akamai calls the new attack "EternalSilence", which dramatically expands the reach of the proxy network to many more vulnerable devices.
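The combination described above, a UPnP port mapping rewritten on the router so that an internet-facing port reaches SMB on a LAN host, leaves a trace in the router's own mapping table. The following is an added example, not code from the article or from Akamai: it parses GetGenericPortMappingEntry responses from the router's WANIPConnection:1 service (the sample responses here are constructed) and flags mappings that forward to SMB ports on a LAN host or that relay to a host outside the LAN.

```python
import ipaddress
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}   # TCP ports of the SMB service the Eternal exploits reach

def parse_port_mapping(soap_xml):
    """Pull the New* fields out of one GetGenericPortMappingEntry SOAP response."""
    fields = {}
    for elem in ET.fromstring(soap_xml).iter():
        tag = elem.tag.rsplit("}", 1)[-1]        # strip any XML namespace prefix
        if tag.startswith("New"):
            fields[tag[3:]] = (elem.text or "").strip()
    return fields

def classify_mapping(mapping, lan_network):
    """Verdict for one parsed mapping: 'external-proxy', 'smb-exposed' or 'ok'."""
    client = ipaddress.ip_address(mapping["InternalClient"])
    if client not in ipaddress.ip_network(lan_network):
        return "external-proxy"   # router relays to an outside host: classic UPnProxy
    if mapping["Protocol"].upper() == "TCP" and int(mapping["InternalPort"]) in SMB_PORTS:
        return "smb-exposed"      # internet-reachable SMB on a LAN host: the EternalSilence pattern
    return "ok"

def audit(responses, lan_network):
    """Return (external_port, internal_client, internal_port, verdict) for every mapping."""
    rows = []
    for m in map(parse_port_mapping, responses):
        rows.append((int(m["ExternalPort"]), m["InternalClient"],
                     int(m["InternalPort"]), classify_mapping(m, lan_network)))
    return rows

def _response(ext, proto, iport, client, desc):
    """Constructed sample of a WANIPConnection:1 GetGenericPortMappingEntry response."""
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>'
            f'</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

# Constructed mapping table: one legitimate entry, one SMB exposure, one outside relay.
SAMPLE_RESPONSES = [
    _response(8080, "TCP", 8080, "192.168.1.10", "media server"),
    _response(65535, "TCP", 445, "192.168.1.23", "silent"),
    _response(40000, "TCP", 80, "203.0.113.7", "relay"),
]

REPORT = audit(SAMPLE_RESPONSES, "192.168.1.0/24")
```

On a real router the responses come from walking NewPortMappingIndex 0, 1, 2, ... against the WANIPConnection control URL until the device returns an error; any 'smb-exposed' or 'external-proxy' row is a mapping the administrator did not create and should delete.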

Thousands of infected computers

Akamai says more than 45,000 devices are already under the control of this huge network. Potentially, that number could reach more than a million computers.

The goal here is not a targeted attack, "but" an attempt to take advantage of proven exploits, casting a wide net in a relatively small space, in the hope of picking up several previously inaccessible devices.

Unfortunately, the Eternal injections are difficult to detect, which makes it hard for administrators to know whether they are infected.

That being said, the fixes for EternalRed and EternalBlue were released just over a year ago, but millions of devices remain unpatched and vulnerable.

The number of vulnerable devices is decreasing. However, Seaman said that the new UPnProxy features "may be a last-ditch effort to use known exploits against a set of possibly uncorrected and previously inaccessible machines."
