Hackers opening SMB ports on routers to infect PCs with NSA malware

Brink

Administrator
Staff member
Local time
7:26 PM
Messages
74,945
Location
Oklahoma
Akamai has detected an ingenious malware campaign that alters configurations on home and small office routers to open connections toward internal networks so crooks can infect previously isolated computers.

The way hackers achieve this, Akamai said, is via a technique known as UPnProxy, which the company first detailed in April this year.

The technique relies on exploiting vulnerabilities in the UPnP services installed on some routers to alter the device's NAT (Network Address Translation) tables.

NAT tables are a set of rules that control how IPs and ports from the router's internal network are mapped onto a superior network segment --usually the Internet.

In April, hackers were using this technique to convert routers into proxies for regular web traffic, but in a report published today, Akamai says it's seen a new variation of UPnProxy where some clever hackers are leveraging UPnP services to insert special rules into routers NAT tables.

These rules still work as a (proxy) redirections, but instead of relaying web traffic at the hacker's behest, they allow an external hacker to connect to the SMB ports (139, 445) of devices and computers located behind the router, on the internal network.

OVER 45,000 ROUTERS ALREADY INFECTED

Akamai experts say that from the 277,000 routers with vulnerable UPnP services exposed online, 45,113 have already been modified in this recent campaign.

Researchers say that one particular hacker, or hacker group, has spent weeks creating a custom NAT entry named 'galleta silenciosa' ('silent cookie/cracker' in Spanish) on these 45,000 routers.


Read more: Hackers are opening SMB ports on routers so they can infect PCs with NSA malware | ZDNet

See also: UPnProxy: EternalSilence - Akamai Security Intelligence and Threat Research Blog
 

My Computer My Computer

At a glance

64-bit Windows 11 Pro for WorkstationsIntel i7-8700K OC'd to 5 GHz64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600...ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self built custom
OS
64-bit Windows 11 Pro for Workstations
CPU
Intel i7-8700K OC'd to 5 GHz
Motherboard
ASUS ROG Maximus XI Formula Z390
Memory
64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
Graphics Card(s)
ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Sound Card
Integrated
Monitor(s) Displays
2 x Samsung Odyssey G7 27"
Screen Resolution
2560x1440
Hard Drives
1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
PSU
Seasonic Prime Titanium 850W
Case
Thermaltake Core P3
Cooling
Corsair Hydro H115i
Keyboard
Logitech wireless K800
Mouse
Logitech MX Master 4
Internet Speed
2 Gb/s Download and 100 Mb/s Upload
Antivirus
Malwarebyte Anti-Malware Premium
Browser
Google Chrome
Other Info
Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
I have seen my fair share of hacked residential routers try to access my site trying to do nefarious activities myself. And I bet a lot of these people wonder why their bandwidth and Internet speed isn't up to par and blame the ISP. Perhaps the ISP themselves should step it up a notch and make sure people's connections aren't hacked using some form of cloud analysis or something. I use Amazon AWS and use GuardDuty which could be similar to what an ISP could use.

People need to learn to secure their routers. Never use the default username and password, turn off UPnP and don't use port forwarding unless you absolutely need to. Then people need to stay abreast of any router firmware updates.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64
Computer type
PC/Desktop
OS
Windows 7 Ultimate x64
Why are they calling this NSA malware? Because it spys on people? Thankfully UPnP is turned off by default on my modem and I never had a reason to turn it on.
 

My Computers My Computers

  • At a glance

    Windows 7 pro/Windows 10 ProIntel i7 860 Quad core 2.8 ghz8 gbATI Radeon HD 5770 1 gb ram
    Computer type
    PC/Desktop
    Computer Manufacturer/Model Number
    HP Pavillion Elite HPE-250f
    OS
    Windows 7 pro/Windows 10 Pro
    CPU
    Intel i7 860 Quad core 2.8 ghz
    Memory
    8 gb
    Graphics Card(s)
    ATI Radeon HD 5770 1 gb ram
    Monitor(s) Displays
    Alienware 25 AW2521HF & Viewsonic
    Screen Resolution
    1920 x1080 & 1680x1050
    Hard Drives
    WD blue 1 tb & 500 gb.
    Browser
    FF of course.
    Other Info
    https://www.bestbuy.com/site/hp-pavilion-elite-desktop-intel-core-i7-processor-8gb-memory-1tb-hard-drive/9921493.p?skuId=9921493
  • At a glance

    Windows 2012 R2 Data center/Linux Minti3 9100 3.6GHz, 8M cache, 4C/4T8GB 2666MT/s DDR4 ECC UDIMM
    Computer type
    PC/Desktop
    System Manufacturer/Model Number
    Dell Poweredge T140
    OS
    Windows 2012 R2 Data center/Linux Mint
    CPU
    i3 9100 3.6GHz, 8M cache, 4C/4T
    Memory
    8GB 2666MT/s DDR4 ECC UDIMM
    Monitor(s) Displays
    Viewsonic
    Screen Resolution
    1680x1050
    Hard Drives
    1 TB & 750 GB
    Other Info
    https://www.dell.com/en-us/work/shop/productdetailstxn/poweredge-t140?~ck=bt
Why are they calling this NSA malware? Because it spys on people? Thankfully UPnP is turned off by default on my modem and I never had a reason to turn it on.

Indeed, as it is in mine.

UPnP is well known for it's vulnerabilities.
 

My Computer My Computer

At a glance

Windows 7 Professional x64Intel i7-4810MQ vPro
Computer type
Laptop
Computer Manufacturer/Model Number
Toshiba Tecra W50-A
OS
Windows 7 Professional x64
CPU
Intel i7-4810MQ vPro
Universal Plug & Prey. I read that many years ago circa '08 at GRC's website.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64
Computer type
PC/Desktop
OS
Windows 7 Ultimate x64
Back
Top