It’s been over a year since patches for the vulnerabilities targeted by the leaked NSA exploits were released, yet Akamai has published research showing that the Eternal family of exploits is still in use, with evidence of a new UPnProxy campaign reaching unpatched computers behind the router’s firewall.
In a new and widely distributed campaign, a family of injections dubbed EternalSilence is paving the way for the Eternal family of exploits. According to the research, the injections abuse the router’s UPnP service to add port-forwarding (NAT) rules, exposing machines on the internal network directly to the internet and letting attackers burrow through the router to infect individual computers. UPnProxy thus gives attackers both a view of the devices they can target and a larger pool of machines to add to their malicious network.
Researchers found more than 45,000 routers carrying the injections, behind which an estimated million-plus computers are exposed, but they have not been able to see what happens after the injection. “They can only see the injections themselves and not the final payloads that would be directed at the machines exposed. However, a successful attack could yield a target rich environment, opening up the chance for such things as ransomware attacks, or a persistent foothold on the network,” Akamai’s Chad Seaman wrote.
Victims may well not know that they have been targeted, the research said, particularly where their internet-facing machines have already been segmented and hosts behind the router were assumed to be out of reach. Once the injection is in place, any unpatched machine on the internal network becomes an easy target.
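Because the injections live in the router’s NAT table rather than on the victim hosts, the practical check is to enumerate the router’s UPnP port mappings and look for rules that forward to SMB/NetBIOS on an internal host (the ports the Eternal-family SMB exploits target) or to a host outside the LAN (the router being used as a proxy). The script below is an added example and is not code from Akamai or from this article; it assumes the router exposes the standard WANIPConnection service and answers GetGenericPortMappingEntry over SOAP, and the sample replies and the LAN range 192.168.1.0/24 are constructed for illustration.

```python
"""Audit a router's UPnP IGD port mappings for UPnProxy-style injections.

Added example, not Akamai's or the article's code. Assumes the router speaks
the standard WANIPConnection service (GetGenericPortMappingEntry over SOAP);
sample replies below are constructed, not captured from a real device.
"""
import ipaddress
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"

# Ports the Eternal family of SMB exploits reaches over; a mapping that
# forwards an external port to one of these on a LAN host is the
# EternalSilence pattern.
SMB_PORTS = {139, 445}


def build_request(index):
    """SOAP body for GetGenericPortMappingEntry; the index walks the NAT table."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{ACTION} xmlns:u="{SVC_NS}">'
        f'<NewPortMappingIndex>{int(index)}</NewPortMappingIndex>'
        f'</u:{ACTION}></s:Body></s:Envelope>'
    )


def parse_mapping(xml_text):
    """Extract one NAT rule from a GetGenericPortMappingEntryResponse."""
    root = ET.fromstring(xml_text)
    resp = root.find(f".//{{{SVC_NS}}}{ACTION}Response")
    if resp is None:
        raise ValueError("no GetGenericPortMappingEntryResponse in reply")
    # Argument elements inside the response are unqualified per the UPnP spec.
    fields = {child.tag: (child.text or "").strip() for child in resp}
    return {
        "external_port": int(fields["NewExternalPort"]),
        "protocol": fields["NewProtocol"],
        "internal_client": fields["NewInternalClient"],
        "internal_port": int(fields["NewInternalPort"]),
        "description": fields.get("NewPortMappingDescription", ""),
    }


def suspicious_reasons(mapping, lan_net):
    """Return why a mapping looks like UPnProxy abuse (empty list = benign)."""
    try:
        client = ipaddress.ip_address(mapping["internal_client"])
    except ValueError:
        return [f"internal client {mapping['internal_client']!r} is not an IP"]
    reasons = []
    if client not in lan_net:
        # Router turned into a proxy: traffic forwarded to a host off the LAN.
        reasons.append(f"forwards to {client}, outside the LAN {lan_net}")
    if mapping["internal_port"] in SMB_PORTS:
        # EternalSilence-style: SMB/NetBIOS on an internal host exposed.
        reasons.append(f"exposes SMB/NetBIOS port {mapping['internal_port']} on {client}")
    return reasons


def audit(responses, lan_cidr):
    """Parse each SOAP reply; return (mapping, reasons) for suspicious rules."""
    lan_net = ipaddress.ip_network(lan_cidr)
    findings = []
    for xml_text in responses:
        mapping = parse_mapping(xml_text)
        reasons = suspicious_reasons(mapping, lan_net)
        if reasons:
            findings.append((mapping, reasons))
    return findings


def fetch_responses(control_url, max_entries=1000):
    """Walk a live router's table; stop when it rejects the index (error 713)."""
    out = []
    for i in range(max_entries):
        req = urllib.request.Request(
            control_url, data=build_request(i).encode(),
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{SVC_NS}#{ACTION}"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                out.append(r.read().decode())
        except urllib.error.HTTPError:
            break
    return out


def _soap_reply(ext_port, proto, client, int_port, desc):
    """Constructed GetGenericPortMappingEntryResponse for offline testing."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<u:{ACTION}Response xmlns:u="{SVC_NS}">'
        '<NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{ext_port}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol>'
        f'<NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        f'</u:{ACTION}Response></s:Body></s:Envelope>'
    )


# Constructed sample table: one legitimate rule, one EternalSilence-style
# rule exposing SMB on a LAN host, one proxy rule pointing off the LAN.
SAMPLE_RESPONSES = [
    _soap_reply(51413, "TCP", "192.168.1.20", 51413, "BitTorrent"),
    _soap_reply(47450, "TCP", "192.168.1.35", 445, "mapping"),
    _soap_reply(8080, "TCP", "203.0.113.9", 80, ""),
]

if __name__ == "__main__":
    for m, why in audit(SAMPLE_RESPONSES, "192.168.1.0/24"):
        print(f"{m['protocol']} {m['external_port']} -> "
              f"{m['internal_client']}:{m['internal_port']}: {'; '.join(why)}")
```

To run against a real router, pass the WANIPConnection control URL from its device description (the `controlURL` in the SSDP-advertised XML) to `fetch_responses` and feed the result to `audit` with your own LAN range; the same checks apply unchanged. A clean table should return no findings, and a mapping that exposes 139 or 445 on an internal host is worth treating as an incident rather than a misconfiguration.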
“It was only a matter of time before the leaked NSA exploits would be used yet again for malicious purposes. It’s been over a year since these hacking tools first came on the scene, and even despite the number of successful attack methods that have since ensued, many organizations are still vulnerable to these exploits,” said Tyler Moffitt, senior threat research analyst, Webroot. “Unless properly patched, cyber-criminals are only going to continue using them in attacks for profit.
“There will always be zero-day vulnerabilities, but it’s worth noting that the vast majority of exploit attacks seen in the wild involve cyber-criminals targeting known vulnerabilities. These vulnerabilities have already been fixed by the vendor, but the fix has not been deployed and installed by the end user. There is without doubt a window of opportunity for cyber-criminals to take advantage.”