Hackers are opening SMB ports on routers so they can infect PCs with NSA malware

Akamai says that over 45,000 routers have been compromised already.
Written by Catalin Cimpanu, Contributor

Akamai has detected an ingenious malware campaign that alters configurations on home and small office routers to open connections toward internal networks so crooks can infect previously isolated computers.

The way hackers achieve this, Akamai said, is via a technique known as UPnProxy, which the company first detailed in April this year.

The technique relies on exploiting vulnerabilities in the UPnP services installed on some routers to alter the device's NAT (Network Address Translation) tables.

NAT tables are a set of rules that control how IPs and ports from the router's internal network are mapped onto an upstream network segment, usually the Internet.

In April, hackers were using this technique to turn routers into proxies for regular web traffic, but in a report published today, Akamai says it has seen a new variation of UPnProxy in which some clever hackers are leveraging UPnP services to insert special rules into routers' NAT tables.

These rules still work as proxy redirections, but instead of relaying web traffic at the hacker's behest, they allow an external attacker to connect to the SMB ports (139, 445) of devices and computers located behind the router, on the internal network.

Over 45,000 routers already infected

Akamai experts say that of the 277,000 routers with vulnerable UPnP services exposed online, 45,113 have already been modified in this recent campaign.

Researchers say that one particular hacker, or hacker group, has spent weeks creating a custom NAT entry named 'galleta silenciosa' ('silent cookie/cracker' in Spanish) on these 45,000 routers.
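The injected entries described above are ordinary UPnP IGD port mappings, so a router owner can enumerate them with the standard GetGenericPortMappingEntry action and look for the traits Akamai describes: an internal port of 139 or 445, an internal client that is not a LAN address (the original UPnProxy pattern), or the 'galleta silenciosa' description. The following audit script is an added example, not Akamai's code; the control URL is an assumption you take from your own router's UPnP device description, and the SMB/LAN heuristics are this example's own.

```python
import ipaddress
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"  # standard IGD service name
SMB_PORTS = {139, 445}  # the ports EternalSilence exposes behind the router

def build_request(index):
    """SOAP body and headers for GetGenericPortMappingEntry, the IGD table-walk action."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"'
            ' s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}"><NewPortMappingIndex>{index}'
            '</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'}
    return body.encode(), headers

def parse_mapping(soap_xml):
    """Collect the New* fields (NewInternalClient, NewInternalPort, ...) from one response."""
    root = ET.fromstring(soap_xml)
    return {el.tag: (el.text or "").strip() for el in root.iter() if el.tag.startswith("New")}

def suspicious(m):
    """Reasons an entry looks injected (UPnProxy / EternalSilence); empty list if benign."""
    reasons, port, client = [], m.get("NewInternalPort", ""), m.get("NewInternalClient", "")
    if port.isdigit() and int(port) in SMB_PORTS:
        reasons.append(f"forwards to SMB port {port}")
    try:  # classic UPnProxy aims the mapping at an outside host rather than a LAN client
        if not ipaddress.ip_address(client).is_private:
            reasons.append(f"internal client {client} is not a LAN address")
    except ValueError:
        reasons.append(f"internal client {client!r} is not a valid IP address")
    if "galleta silenciosa" in m.get("NewPortMappingDescription", "").lower():
        reasons.append("description carries the 'galleta silenciosa' marker")  # per Akamai
    return reasons

def audit(control_url, max_entries=2000):  # control_url: assumed, from your router's device XML
    findings = []
    for i in range(max_entries):
        req = urllib.request.Request(control_url, *build_request(i))
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                entry = parse_mapping(resp.read())
        except urllib.error.HTTPError:  # SpecifiedArrayIndexInvalid (HTTP 500) ends the table
            break
        if suspicious(entry):
            findings.append((i, entry, suspicious(entry)))
    return findings
```

Run `audit()` against the control URL of the WANIPConnection service on your own router; each finding lists the table index, the raw mapping and the reasons it was flagged, which is what you need to remove the entry through the router's own interface.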

Akamai says it detected "millions of successful injections" during which crooks connected through these ports to devices beyond the routers. Akamai puts the number of such devices at around 1.7 million.

Akamai can't tell what the hackers did, as it doesn't have visibility inside those networks. But the company is quite certain these "injections" have something to do with EternalBlue, one of the exploits developed by the US National Security Agency that leaked online last year, and the one at the heart of the WannaCry and NotPetya ransomware outbreaks.

Furthermore, Akamai also believes hackers deployed EternalRed, a variant of EternalBlue that can infect Linux systems via Samba, the SMB protocol implementation for Linux.

Attacks are opportunistic, but dangerous

But there is good news: this doesn't appear to be a nation-state hacking operation with a bigger end goal in mind.

"Recent scans suggest that these attackers are being opportunistic," Akamai said. "The goal here isn't a targeted attack. It's an attempt at leveraging tried and true off the shelf exploits, casting a wide net into a relatively small pond, in the hopes of scooping up a pool of previously inaccessible devices."

In the past year, EternalBlue has become the favorite tool of hacker groups involved in cryptocurrency mining, and that might be the case here as well.

Nonetheless, companies that don't want these attacks to turn into something much worse are advised either to disable the UPnP service on their routers or to replace them with newer routers that don't use a vulnerable UPnP implementation.

Akamai refers to this particular router hacking campaign as EternalSilence, a name derived from the use of the EternalBlue exploits and Silent Cookie, the name of the malicious NAT table entries. The company has also published instructions at the bottom of its report on how to remove the malicious NAT table entries from affected routers.
