Mass Router Hack Exposes Millions of Devices To Potent NSA Exploit (arstechnica.com)
More than 45,000 Internet routers have been compromised by a newly discovered campaign that's designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers say. From a report:
The new attack exploits routers with vulnerable implementations of Universal Plug and Play to force connected devices to open ports 139 and 445, content delivery network Akamai said in a blog post. As a result, almost 2 million computers, phones, and other network devices connected to the routers are reachable to the Internet on those ports. While Internet scans don't reveal precisely what happens to the connected devices once they're exposed, Akamai said the ports -- which are instrumental for the spread of EternalBlue and its Linux cousin EternalRed -- provide a strong hint of the attackers' intentions.
The attacks are a new instance of a mass exploit the same researchers documented in April. They called it UPnProxy because it exploits Universal Plug and Play -- often abbreviated as UPnP -- to turn vulnerable routers into proxies that disguise the origins of spam, DDoSes, and botnets.
Who has power (Score:1)
I'm not an American but I thought in a democracy everyone can vote to just abolish the NSA, for example. With how shitty the NSA has been the last two decades, what's the deal on that?
Re: (Score:1)
Re: (Score:3, Interesting)
Re: (Score:3)
Re: Who has power (Score:1)
And yet all our neighbors have routers that are now NSA infected...
I can put 2 and 2 together, if you can't that's your problem.
Re: Who has power (Score:3)
Except that they have never successfully prevented any attacks. A congressional enquiry got the NSA to admit a 100% failure rate.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
As others have pointed out, it's a representative democracy. When the USA was started, neither the telegraph nor the railroad had been invented yet. Counties would elect representatives to go off to State Capitals, and States would elect representatives to go off to Washington, D.C. because that was the only practical way to get things done. We still have that system which was put in place with the adoption of our Constitution.
However, the real problem is with human nature itself. You've probably heard
More Backdoors, more backdoors...!! (Score:3)
We need the government to request and be granted access to Back Doors !!!! Because we know that they will keep it secret and none of us will ever be affected by rogue hackers figuring them out. Better yet - the No Such Agency can be in charge of keeping the secrets.
Government secrets !! yay team !
Re: More Backdoors, more backdoors...!! (Score:2)
I agree here. I would like to abolish UPnP entirely and ban it.
In addition to that also kick the inventor in the nuts.
Re: (Score:2)
That would be https://en.wikipedia.org/wiki/... [wikipedia.org]
He was the person who designed the Atari home computer SIO bus. For many peripherals, the device driver was actually contained within the device itself. Upon connection by the interface cable, the device driver would be uploaded. When the interface cable was removed, the device driver was removed.
UPnP (Score:5, Insightful)
The first five or six waves of horrendous uPnP vulnerabilities weren't enough to convince people that uPnP on your router is a bad idea?
Re: (Score:3)
Of course they fucking talked about them, each time. If you had UPnP running after 2002 YOU ARE A MORON.
They talked about them on tech sites and blogs. Not in places where mom, dad, or grandpa & grandma would notice. The most they would have seen is some newsreader mentioning something about NSA leaks and exploits by "hackers" in a fact- and detail-free one or two line blurb/filler in between the local news and the weather forecast.
The vast majority of non-tech-savvy "normies" have still never heard of any of it. The MSM doesn't try to inform anyone because such tech-heavy articles with enough info to be
Re: (Score:2)
No excuse for your illiteracy.
LOL! Found the NPC!
I build my own shit, including the computer and an old PC that serves as a router with NETBSD and PF.
Strat
(signed just because it annoys NPCs like yourself)
Re: (Score:2)
Do you support your grandparent's network hardware with that mouth?
Re: (Score:2)
It certainly stops everything inside your network from opening ports at will through the UPnP protocol. It's the first thing I disable on any router I control. If I open ports, it's because I want to do so, not because my TV or fridge decided it was a nice day to open up the gates.
Re: (Score:1)
... So obviously turning UPnP off makes it so that UPnP cannot be exploited.
Just like disabling WiFi on an iPhone. Oh wait...
Thanks (Score:2)
Thanks, NSA
Is there a list? (Score:5, Insightful)
I don't care about badly written vague explanations of how the exploit works. Is there a list of routers affected so I can search for mine?
Re: (Score:3, Informative)
Re:Is there a list? (Score:5, Informative)
Re: (Score:2)
The examples at the end of Akamai's (rather old) document use curl, and require a URL to the uPnP server.
I have loaded the upnpc binary on my copy of Raspbian, and it will probe the local network for the server. I think this is how you can obtain the URL:
# upnpc -l | awk '$1=="desc:"'
desc: h ttp://192.168.0.1:5000/rootDesc.xml
Note that I added the space above in the URL to prevent slashdot from mangling it.
I am running an Arris modem with 2013 firmware, but there is nothing from my manufacturer on Akama
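A follow-on check for your own router, as an added example that is not part of the comment above or of Akamai's script: it reads the port-mapping table that `upnpc -l` prints and flags forwards to ports 139 and 445, the exposure the article describes, plus forwards whose target is not a private LAN address. The function names and the sample listing are constructed for illustration, and the row layout is assumed to be the one miniupnpc's `upnpc` prints.

```shell
#!/bin/sh
# Added example: audit a router's UPnP mapping table for forwards that
# expose SMB/NetBIOS (139, 445) or point outside the LAN.

# flag_mappings: reads `upnpc -l` output on stdin and prints one line per
# suspicious mapping: "<reason> <proto> <extPort> <inAddr> <inPort>".
flag_mappings() {
    awk '
    # Mapping rows (assumed layout): " 1 TCP   445->192.168.0.23:445 ..."
    $1 ~ /^[0-9]+$/ && ($2 == "TCP" || $2 == "UDP") && $3 ~ /->/ {
        split($3, m, "->")        # m[1] = external port, m[2] = addr:port
        n = split(m[2], t, ":")   # t[1] = internal addr, t[n] = internal port
        addr = t[1]; port = t[n]; reason = ""
        if (port == 139 || port == 445)
            reason = "SMB"        # ports named in the article
        else if (addr !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
            reason = "NONLOCAL"   # forward leaves the private address space
        if (reason != "") print reason, $2, m[1], addr, port
    }'
}

# sample_listing: constructed listing (not captured from a real device).
sample_listing() {
    cat <<'EOF'
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 51413->192.168.0.10:51413 'constructed: torrent client' '' 0
 1 TCP   445->192.168.0.23:445   'constructed: smb forward' '' 0
 2 TCP   139->192.168.0.23:139   'constructed: netbios forward' '' 0
 3 UDP  5353->203.0.113.7:53    'constructed: off-LAN target' '' 0
EOF
}

# Stand-alone run on the constructed sample; on a real LAN use:
#   upnpc -l | flag_mappings
sample_listing | flag_mappings
```

Any flagged row you did not create yourself is a reason to delete the mapping, disable UPnP on the router and check for a firmware update.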
Re: (Score:2)
I redid the test script Akamai wrote so it executes without error under macOS: http://rkdn.app/upnp.sh
Combined that with the home brew build of upnpc and rooted out one ASUS Wifi router at work that needed a firmware update.
It would be interesting to see what others are finding on their own LANs.
Those of us who can manage our own tech are a rounding error compared to the number of vulnerable devices out there,
but at least we can protect ourselves from this mess.
Universal Plug and Play was the penultimate ex
Re: Is there a list? (Score:2)
Re: (Score:2)
Forward the ports to 0.0.0.0 and you don't have to worry about someone allocating that internal IP for a future project years from now.
Re: (Score:2)
Yes, Akamai published the list of manufacturers and models in their whitepaper: https://www.akamai.com/us/en/m... [akamai.com]
Another reason to bemoan the discontinuance of Apple Routers: They are NOT on that list!!!
Re: (Score:1)
Probably every single router with UPnP enabled. That's the whole point of UPnP, to allow applications a universal way to request an open port forward from the router. There is absolutely no way to authenticate that the application that requested the port to be opened is the application that is actually listening to that port on the client device, and likely there is no way to even authenticate that the device that requested the open port is even the device that the port forward is pointing to, seeing as it
Re: (Score:2)
This is why I long ago started referring to UPnP as Universal Penetrate and Pwn. UPnP support is one of the first things I shut off when configuring a new router/firewall.
Re: (Score:2)
Good old "Shields Up" has a UPnP exposure test.
Gibson Research --> https://www.grc.com/x/ne.dll?b... [grc.com]
But you said crossing the streams was bad... (Score:2)
Is this no longer the case?
Re: But you said crossing the streams was bad... (Score:1)
What you say is true, although there are other ways a router can be signalled to open ports.
However, if you know what your devices inside of your network are doing you can just only manually forward specific IPs and ports. It really depends how much you have going on in your network.
Re: (Score:2)
you can manually do that for known port ranges like Xbox or most things
If you only have one on your network.
Read the ULA (Score:2)
isnt eternal blue g8zw4r3? (Score:1)
It would not be hard (Score:2)
To make a router that couldn't suffer such security failings. There would be a few disadvantages - first, it would be bulkier, second it would be more complex to administer, thirdly you'd face massive opposition because nobody really wants security. If they did, such devices would be the norm.
Re: (Score:3)
Like pfSense?
https://www.pfsense.org/ [pfsense.org]
I wouldn't say it's "bulkier"... you can run it on pretty tiny hardware, like I do (mine is a tiny Jetway box, smaller than most peoples' routers, chassis is metal and functions as the heatsink). Definitely "more complex to administer" but it's right up my alley.
Re: (Score:2)
I doubt it would be the norm.
It's still cheaper to ignore security, and in the end money wins.