Akamai has discovered a remarkable new malware campaign. The attackers behind it change the configuration of home and office routers, which lets them reach the internal networks behind those routers and infect devices that were previously unreachable from the Internet.
According to Akamai, 277,000 routers expose these vulnerable UPnP services, and 45,113 of them have been injected by this new campaign. The researchers believe that a single attacker or group is behind it and that their work has been very effective: millions of successful injections are said to have taken place already.
Abusing NAT tables
According to Akamai, the attackers achieve this with a technique known as UPnProxy. The technique, which Akamai first described in April of this year, takes advantage of flawed UPnP implementations on a range of routers that accept port-mapping requests from the Internet side. Specifically, the attackers rewrite the router's Network Address Translation (NAT) table.
A NAT table is essentially a set of rules describing how IP addresses and ports on the router's internal network map to the network outside it (usually the Internet). In April, the attackers used the technique to insert mappings that turned routers into proxies for ordinary web traffic. The new variant instead inserts rules that forward an external port to the SMB ports (139 and 445) of computers and other devices on the internal network, so that an attacker on the Internet can connect straight to them.
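As an added illustration (this is not Akamai's tooling and no code appears in the original article), the following Python script shows what an injected NAT table looks like when it is read back through the same UPnP interface the attackers abuse. The WANIPConnection service returns one mapping per GetGenericPortMappingEntry call; the script parses such responses and flags the two kinds of mapping described above: entries whose internal client is not a LAN address at all (the April proxy variant) and entries that forward an external port to SMB on a LAN host (the new variant). The SOAP responses, addresses, ports and descriptions are constructed for the example, not captured from a real router.

```python
"""Audit UPnP IGD port mappings for UPnProxy-style NAT table injections.

Added example, not Akamai's code. The SOAP responses below are constructed;
the envelope layout follows the UPnP IGD WANIPConnection:1 service.
"""
import ipaddress
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
# A home/office LAN lives in RFC 1918 space; anything else as InternalClient
# means the router is forwarding traffic back out to the Internet (a proxy).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SOAP_RESPONSE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{ext}</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>{iport}</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""

# Constructed sample table: one legitimate game-server mapping, one April-style
# proxy mapping (internal client is a public address), two EternalBlue-enabling
# mappings that expose a LAN host's SMB ports to the Internet.
SAMPLE_RESPONSES = [
    SOAP_RESPONSE.format(ext=25565, iport=25565, client="192.168.1.20", desc="minecraft"),
    SOAP_RESPONSE.format(ext=8080, iport=80, client="203.0.113.7", desc="x"),
    SOAP_RESPONSE.format(ext=47113, iport=445, client="192.168.1.45", desc="x"),
    SOAP_RESPONSE.format(ext=47139, iport=139, client="192.168.1.45", desc="x"),
]


def build_request(index: int) -> tuple:
    """SOAP body and headers that fetch mapping number `index`; POST them to the
    router's WANIPConnection control URL (read the path from the device XML)."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP_SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    )
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP_SERVICE}#GetGenericPortMappingEntry"',
    }
    return body, headers


def parse_mapping(soap_xml: str) -> dict:
    """Flatten a GetGenericPortMappingEntry response into {field: value},
    dropping the 'New' prefix and ignoring XML namespaces."""
    fields = {}
    for elem in ET.fromstring(soap_xml).iter():
        local = elem.tag.rsplit("}", 1)[-1]
        if local.startswith("New"):
            fields[local[3:]] = (elem.text or "").strip()
    return fields


def is_lan_address(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in RFC1918)


def classify(mapping: dict) -> list:
    """Return human-readable findings for one mapping; empty list means it looks benign."""
    findings = []
    client = mapping["InternalClient"]
    internal_port = int(mapping["InternalPort"])
    external_port = int(mapping["ExternalPort"])
    if not is_lan_address(client):
        findings.append(f"internal client {client} is not on the LAN: "
                        f"router relays port {external_port} to the Internet (UPnProxy)")
    if internal_port in SMB_PORTS:
        findings.append(f"external port {external_port} is forwarded to SMB port "
                        f"{internal_port} on {client}: LAN host exposed to SMB exploits")
    return findings


def audit(responses) -> list:
    """Return (mapping, findings) for every mapping that looks injected."""
    suspicious = []
    for xml_text in responses:
        mapping = parse_mapping(xml_text)
        findings = classify(mapping)
        if findings:
            suspicious.append((mapping, findings))
    return suspicious


if __name__ == "__main__":
    for mapping, findings in audit(SAMPLE_RESPONSES):
        print(f"{mapping['Protocol']}/{mapping['ExternalPort']} -> "
              f"{mapping['InternalClient']}:{mapping['InternalPort']}")
        for finding in findings:
            print("   !", finding)
```

Against a real router the same check is made from the LAN side: POST the output of build_request(i) to the control URL for increasing i until the device answers with UPnP error 713 (SpecifiedArrayIndexInvalid), which marks the end of the table; the upnpc tool from miniupnpc (upnpc -l) dumps the same list. A healthy table should contain only mappings you recognise, all pointing at RFC 1918 hosts, and none of them at ports 139 or 445.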
But why?
Akamai does not know what the attackers did on those networks afterwards, because the company has no access to the networks themselves. It is, however, almost certain that the injections are related to EternalBlue, the SMB exploit developed by the U.S. National Security Agency. EternalBlue was leaked onto the internet last year and was the basis of WannaCry and NotPetya.
All in all, this does not look like a state-sponsored attack. Akamai also thinks it is not a targeted one: the attackers appear to be trying to infect as many devices as possible, particularly ones that were previously unreachable. Presumably, though this is speculation, they then use those devices to mine cryptocurrency.
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.