Slashdot Mirror


Mass Router Hack Exposes Millions of Devices To Potent NSA Exploit (arstechnica.com)

More than 45,000 Internet routers have been compromised by a newly discovered campaign that's designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers say. From a report: The new attack exploits routers with vulnerable implementations of Universal Plug and Play to force connected devices to open ports 139 and 445, content delivery network Akamai said in a blog post. As a result, almost 2 million computers, phones, and other network devices connected to the routers are reachable to the Internet on those ports. While Internet scans don't reveal precisely what happens to the connected devices once they're exposed, Akamai said the ports -- which are instrumental for the spread of EternalBlue and its Linux cousin EternalRed -- provide a strong hint of the attackers' intentions.

The attacks are a new instance of a mass exploit the same researchers documented in April. They called it UPnProxy because it exploits Universal Plug and Play -- often abbreviated as UPnP -- to turn vulnerable routers into proxies that disguise the origins of spam, DDoSes, and botnets.

73 comments

  1. Who has power by Anonymous Coward · · Score: 1

    I'm not an American but I thought in a democracy everyone can vote to just abolish the NSA, for example. With how shitty the NSA has been the last two decades, what's the deal on that?

    1. Re:Who has power by Anonymous Coward · · Score: 1

      It's supposed to be a representative democracy. We elect the people (congress) that have the power to abolish the NSA. Once they get elected, they no longer have the desire to abolish the NSA... hmmm...

    2. Re:Who has power by Anonymous Coward · · Score: 0

      They answered a call from https://tech.slashdot.org/stor...

    3. Re:Who has power by pgmrdlm · · Score: 3, Interesting

      Why would I want to abolish an agency that is part of my national defense. And able to intercept attacks before they happen by monitoring communications? Look at any war that has occurred. Interception of communications has always been a national defense strategy by all nations?

      --
      Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
    4. Re:Who has power by jpaine619 · · Score: 1

      The US is a Democratic Republic, sometimes referred to as a Representative Republic. Citizens vote for those who govern them, but not on laws.

      Pure democracy doesn't work out too well. Mob rule isn't a great way to do things.

    5. Re:Who has power by jpaine619 · · Score: 2

      Why would you want to keep an agency around that doesn't just spy on our enemies, but also spies on us?

    6. Re:Who has power by shoor · · Score: 2

      As others have pointed out, it's a representative democracy. When the USA was started, neither the telegraph nor the railroad had been invented yet. Counties would elect representatives to go off to State Capitals, and States would elect representatives to go off to Washington, D.C. because that was the only practical way to get things done. We still have that system which was put in place with the adoption of our Constitution.

      However, the real problem is with human nature itself. You've probably heard expressions like "Power corrupts, and absolute power corrupts absolutely", or "Who watches the watchers." We have several TLA (Three Letter Acronym) Agencies that we have to deal with; the FBI, the CIA, and the NSA are the biggest and best known, and each has plenty of scandals in its history. To some extent they watch each other, or maybe it's mostly the FBI watching the CIA. Check out Aldrich Ames for example https://en.wikipedia.org/wiki/Aldrich_Ames

      Governments feel like they need these agencies, and maybe they do, but even if they start out with nothing but highly competent honorable people, they are bound to gradually go from being what historian Carroll Quigley called 'instruments' into what he called 'Institutions':

      transformation of social arrangements functioning to meet real social needs into social institutions serving their own purposes regardless of real social needs

      (Quote is from the Wikipedia entry on Quigley.)

      There's no easy simple solution to the problem because the problem is in human nature. The first amphibian that evolved to walk on dry land probably couldn't walk very well. The first bird that evolved flight probably couldn't fly very well. We're the first species to come up with this thing we call 'civilization'. How good do you think we are at it?

      --
      In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
    7. Re:Who has power by Anonymous Coward · · Score: 0

      You don't have to be American to know this simple truth:, in general, Negroes don't make very good mathematicians. If I had to choose between hiring a Negro mathematician and an Ashkenazi Jew mathematician, I would hire the Jew, hands down. No contest really.

    8. Re: Who has power by jd · · Score: 2

      Except that they have never successfully prevented any attacks. A congressional enquiry got the NSA to admit a 100% failure rate.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    9. Re: Who has power by Anonymous Coward · · Score: 1

      And yet all our neighbors have routers that are now NSA infected...
      I can put 2 and 2 together, if you can't that's your problem.

    10. Re:Who has power by Anonymous Coward · · Score: 0

      You don't have to be American to know this simple truth:, in general, Negroes don't make very good mathematicians. If I had to choose between hiring a Negro mathematician and an Ashkenazi Jew mathematician, I would hire the Jew, hands down. No contest really.

      Yes but the problem would be complicated because so very few "Jews" are acutally Semitic. Hell, the average Palestinian is much more Semitic than the average self-identified Jew. And the Palestinians were a creation of the Roman Empire (the word itself is a bastardization of "Philistine").

    11. Re:Who has power by AHuxley · · Score: 1

      The US had its Army and Navy do that to a great standard before the NSA.

      --
      Domestic spying is now "Benign Information Gathering"
    12. Re:Who has power by Anonymous Coward · · Score: 0

      You don't have to be American to know this simple truth:, in general, Negroes don't make very good mathematicians. If I had to choose between hiring a Negro mathematician and an Ashkenazi Jew mathematician, I would hire the Jew, hands down. No contest really.

      If you're hiring mathematicians based on a random selection between two races, then your algorithm is good.

    13. Re: Who has power by Anonymous Coward · · Score: 0

      They're not "NSA infected." They were compromised by people who used an NSA-developed exploit which was leaked into the wild.

    14. Re: Who has power by Anonymous Coward · · Score: 0

      Excellent post.

    15. Re:Who has power by Anonymous Coward · · Score: 0

      It's a representative Democracy, and most people don't want to cripple our own intelligence agencies, and start relying on Fox instead, like old-man Trump does. We're not all morons. You've mistaken some fringe extremists for the general population.

    16. Re:Who has power by Anonymous Coward · · Score: 0

      Were you not around for the Snowden leaks, or do you simply not understand the meaning of the word "all"?
      https://www.theguardian.com/commentisfree/2013/jul/15/crux-nsa-collect-it-all

  2. More Backdoors, more backdoors...!! by ripvlan · · Score: 2

    We need the government to request and be granted access to Back Doors !!!! Because we know that they will keep it secret and none of us will ever be affected by rogue hackers figuring them out. Better yet - the No Such Agency can be in charge of keeping the secrets.

    Government secrets !! yay team !

    1. Re: More Backdoors, more backdoors...!! by Anonymous Coward · · Score: 0

      This hack represents an attack on the population.
      But it seems kind of pointless to force open SMB ports when we already got the EternalBlue patch years ago...
      There is more to this. This infection of the router is probably much more dangerous than EternalBlue.

    2. Re: More Backdoors, more backdoors...!! by Anonymous Coward · · Score: 0

      If you had UPnP running on your router in 2018, you deserved to be fucking hacked. FTFY.

    3. Re: More Backdoors, more backdoors...!! by Z00L00K · · Score: 1

      I agree here. I would like to abolish UPnP entirely and ban it.

      In addition to that also kick the inventor in the nuts.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    4. Re: More Backdoors, more backdoors...!! by Anonymous Coward · · Score: 0

      I agree here. I would like to abolish UPnP entirely and ban it.

      In addition to that also kick the inventor in the nuts.

      Because you can know with great certainty that it was not a woman who would have the technical wherewithal to invent such a thing. Oh they're plenty capable, they just don't care to get into such things. But we need mroe girls in tech! Girls can do stuff too!

      Sheppard of heretical.com talked about the reason why most all technology is invented by men and it is not because of an intelligence gap between the sexes per se. It's because men can redirect their sexual energy into other pursuits and use it to fuel those things. This is because men fundamentally view reality in terms of a collection of "things". Women fundamentally view reality in terms of a collection of "relationships" (explaining why they manipulate them with a certain ruthlessness, for it is all they have) which is why they cannot channel their base sexual instincts into other pursuits.

      Of course in an era where a professor of Harvard University like Lawrence Summers can catch hell for daring to suggest (with overwhelming evidence) that there are biological differences in cognition between males and females, such talk is forbidden. Mod accordingly, like a good sheep.

    5. Re: More Backdoors, more backdoors...!! by mikael · · Score: 1

      That would be https://en.wikipedia.org/wiki/...

      He was the person who designed the Atari home computer SIO bus. For many peripherals, the device driver was actually contained within the device itself. Upon connection by the interface cable, the device driver would be uploaded. When the interface cable was removed, the device driver was removed.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  3. UPnP by JBMcB · · Score: 4, Insightful

    The first five or six waves of horrendous uPnP vulnerabilities weren't enough to convince people that uPnP on your router is a bad idea?

    --
    My Other Computer Is A Data General Nova III.
    1. Re: UPnP by Anonymous Coward · · Score: 0

      Maybe if they were ever talked about. But they aren't so nobody has ever heard of them.

    2. Re: UPnP by Anonymous Coward · · Score: 0

      Are you high or just illiterate and unable to google? Of course they fucking talked about them, each time. If you had UPnP running after 2002 YOU ARE A MORON.

    3. Re:UPnP by Anonymous Coward · · Score: 0

      I have read that on some devices it is not possible to disable UPNP either.

    4. Re: UPnP by BlueStrat · · Score: 2

      Of course they fucking talked about them, each time. If you had UPnP running after 2002 YOU ARE A MORON.

      They talked about them on tech sites and blogs. Not in places where mom, dad, or grandpa & grandma would notice. The most they would have seen is some newsreader mentioning something about NSA leaks and exploits by "hackers" in a fact- and detail-free one or two line blurb/filler in between the local news and the weather forecast.

      The vast majority of non-tech-savvy "normies" have still never heard of any of it. The MSM doesn't try to inform anyone because such tech-heavy articles with enough info to be useful don't drive many advertising views or clicks on articles.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    5. Re: UPnP by Anonymous Coward · · Score: 0

      No excuse for your illiteracy. UPnP has been unsafe since 2001. You're a moron who whines about government and touts free market bullshit, but you have no personal responsibility and you want to be protected from harm?

      Fuck off. Oh yeah, and you don't need to sign your posts when you've already logged in you pedantic old Magoo.

    6. Re: UPnP by BlueStrat · · Score: 1

      No excuse for your illiteracy.

      LOL! Found the NPC!

      I build my own shit, including the computer and an old PC that serves as a router with NETBSD and PF.

      Strat
      (signed just because it annoys NPCs like yourself)

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    7. Re: UPnP by Anonymous Coward · · Score: 0

      No excuse for your illiteracy. UPnP has been unsafe since 2001. You're a moron who whines about government and touts free market bullshit, but you have no personal responsibility and you want to be protected from harm?

      Fuck off. Oh yeah, and you don't need to sign your posts when you've already logged in you pedantic old Magoo.

    8. Re:UPnP by Anonymous Coward · · Score: 0

      I have read that on some devices it is not possible to disable UPNP either.

      does disabling upnp protect us from this?

    9. Re:UPnP by St.Creed · · Score: 1

      It certainly stops everything inside your network from opening ports at will through the UPnP protocol. It's the first thing I disable on any router I control. If I open ports, it's because I want to do so, not because my TV or fridge decided it was a nice day to open up the gates.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    10. Re:UPnP by Anonymous Coward · · Score: 0

      Duh!

      If the exploit is for "A" and you shut off or destroy thing "A", then there is nothing for the exploit to exploit. So obviously turning UPnP off makes it so that UPnP cannot be exploited.

      Jeez ...

    11. Re:UPnP by Anonymous Coward · · Score: 1

      ... So obviously turning UPnP off makes it so that UPnP cannot be exploited.

      Just like disabling WiFi on an iPhone. Oh wait...

    12. Re:UPnP by Anonymous Coward · · Score: 0

      There are far too many games (PC & console) which don't use dedicated ports for multiplayer, or even allow the user to specify a port, but actually require that they be able to open whatever random port they decide to use (and it is random) via UPnP, otherwise multiplayer play is impossible.

    13. Re: UPnP by Anonymous Coward · · Score: 0

      I build my own shit, including the computer and an old PC that serves as a router with NETBSD and PF.

      No. You do this because it's all you've got and all you will ever have. It's a shitty lifestyle, almost certainly co-morbid with untreated depression and substance abuse, and you deserve to experience every single second of it.

      Also, it's NetBSD you fucking amateur.

    14. Re: UPnP by Trogre · · Score: 1

      Do you support your grandparent's network hardware with that mouth?

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  4. Thanks by phalse+phace · · Score: 1

    Thanks, NSA

  5. Is there a list? by Anonymous Coward · · Score: 5, Insightful

    I don't care about badly written vague explanations of how the exploit works. Is there a list of routers affected so I can search for mine?

    1. Re:Is there a list? by msmash · · Score: 2, Informative

      There isn't one. Here's what Akamai advises: "The best way to identify if a device is vulnerable or actively being leveraged for UPnProxying is to scan an end-point and audit its NAT table entries. There are a handful of frameworks and libraries available in multiple languages to aid in this process. Below is a simple bash script used during this research. It is capable of testing a suspected vulnerable endpoint by attempting to dump the first 10,000 UPnP NAT entries from the device's exposed TCP daemon."
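
The NAT-table audit Akamai describes above, as an added Python example (it is not Akamai's bash script and not code from this thread): it parses UPnP IGD `GetGenericPortMappingEntry` replies saved from your own router and flags mappings that reach ports 139/445 or forward to an address outside the LAN. The reply layout follows the standard WANIPConnection service; the LAN range 192.168.0.0/24 and every sample reply are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}  # the ports named in the story summary
REQUIRED = {"NewExternalPort", "NewProtocol", "NewInternalPort", "NewInternalClient"}
OPTIONAL = {"NewEnabled", "NewPortMappingDescription", "NewLeaseDuration"}


def parse_entry(soap_xml):
    """Extract the mapping fields from one GetGenericPortMappingEntry reply."""
    # The reply comes from a possibly compromised device: refuse DTDs and
    # entity declarations instead of handing them to the XML parser.
    if "<!DOCTYPE" in soap_xml or "<!ENTITY" in soap_xml:
        raise ValueError("DTD or entity declaration in SOAP reply")
    entry = {}
    for elem in ET.fromstring(soap_xml).iter():
        name = elem.tag.rsplit("}", 1)[-1]  # strip any XML namespace
        if name in REQUIRED or name in OPTIONAL:
            entry[name] = (elem.text or "").strip()
    missing = REQUIRED - entry.keys()
    if missing:
        raise ValueError("not a port-mapping reply, missing: %s" % sorted(missing))
    return entry


def assess(entry, lan_cidr):
    """Return the reasons (possibly none) why a mapping needs a closer look."""
    try:
        client = ipaddress.ip_address(entry["NewInternalClient"])
        int_port = int(entry["NewInternalPort"])
    except ValueError:
        return ["malformed internal client or port"]
    reasons = []
    if client not in ipaddress.ip_network(lan_cidr):
        reasons.append("forwards to %s, which is outside the LAN" % client)
    if int_port in SMB_PORTS:
        reasons.append("exposes SMB/NetBIOS port %d on %s" % (int_port, client))
    return reasons


def audit(replies, lan_cidr):
    """Parse every reply and return [(entry, reasons)] for flagged mappings."""
    flagged = []
    for xml_text in replies:
        entry = parse_entry(xml_text)
        reasons = assess(entry, lan_cidr)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def _reply(ext_port, int_port, client, desc):
    """Build a constructed SOAP reply for the demo; not captured traffic."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        "<u:GetGenericPortMappingEntryResponse "
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        "<NewRemoteHost></NewRemoteHost>"
        f"<NewExternalPort>{ext_port}</NewExternalPort>"
        "<NewProtocol>TCP</NewProtocol>"
        f"<NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


# Constructed sample table: one ordinary mapping and three suspicious ones.
SAMPLE_REPLIES = [
    _reply(51413, 51413, "192.168.0.23", "torrent client"),
    _reply(47001, 445, "192.168.0.23", "constructed"),
    _reply(47002, 139, "192.168.0.40", "constructed"),
    _reply(8080, 80, "203.0.113.10", "constructed"),
]

if __name__ == "__main__":
    for entry, reasons in audit(SAMPLE_REPLIES, "192.168.0.0/24"):
        print(entry["NewProtocol"], entry["NewExternalPort"], "->",
              entry["NewInternalClient"] + ":" + entry["NewInternalPort"],
              "|", "; ".join(reasons))
```

Any flagged mapping that no device on the LAN legitimately asked for is a reason to delete the entry, disable UPnP and update the router firmware.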

    2. Re:Is there a list? by SEMLogistics · · Score: 5, Informative

      Yes, Akamai published the list of manufacturers and models in their whitepaper: https://www.akamai.com/us/en/m...

    3. Re:Is there a list? by Anonymous Coward · · Score: 1

      Probably every single router with UPnP enabled. That's the whole point of UPnP, to allow applications a universal way to request an open port forward from the router. There is absolutely no way to authenticate that the application that requested the port to be opened is the application that is actually listening to that port on the client device, and likely there is no way to even authenticate that the device that requested the open port is even the device that the port forward is pointing to, seeing as it is quite trivial to spoof packets within a typical home network.

      Basically UPnP should be removed from every single router firmware ASAP, it was a security nightmare from the get go.

    4. Re:Is there a list? by Cowardly+Lurker · · Score: 1

      Good old "Shields Up" has a UPnP exposure test.

      Gibson Research --> https://www.grc.com/x/ne.dll?b...

    5. Re:Is there a list? by emil · · Score: 1

      The examples at the end of Akamai's (rather old) document use curl, and require a URL to the uPnP server.

      I have loaded the upnpc binary on my copy of Raspbian, and it will probe the local network for the server. I think this is how you can obtain the URL:

      # upnpc -l | awk '$1=="desc:"'
      desc: h ttp://192.168.0.1:5000/rootDesc.xml

      Note that I added the space above in the URL to prevent slashdot from mangling it.

      I am running an Arris modem with 2013 firmware, but there is nothing from my manufacturer on Akamai's list.

    6. Re:Is there a list? by ewhac · · Score: 1

      Basically UPnP should be removed from every single router firmware ASAP, it was a security nightmare from the get go.

      This is why I long ago started referring to UPnP as Universal Penetrate and Pwn. UPnP support is one of the first things I shut off when configuring a new router/firewall.

    7. Re:Is there a list? by pope1 · · Score: 1

      I redid the test script Akamai wrote so it executes without error under macOS: http://rkdn.app/upnp.sh

      Combined that with the home brew build of upnpc and rooted out one ASUS Wifi router at work that needed a firmware update.

      It would be interesting to see what others are finding on their own LANs.

      Those of us who can manage our own tech are a rounding error compared to the number of vulnerable devices out there,
      but at least we can protect ourselves from this mess.

      Universal Plug and Play was the penultimate example of trading security for compatibility,
      and it should have died a long time ago.

      --
      /* * pope1 */
    8. Re:Is there a list? by TheFakeTimCook · · Score: 1

      Yes, Akamai published the list of manufacturers and models in their whitepaper: https://www.akamai.com/us/en/m...

      Another reason to bemoan the discontinuance of Apple Routers: They are NOT on that list!!!

    9. Re: Is there a list? by emil · · Score: 1

      I like upnpc, as it is an easy way to get the router's external IP address without going outside my internal network. I wonder if registering the two exploit ports to a nonexistent internal IP would prevent any firmware flaws from being exploited. It might actually be useful to register them all with a nightly cron job.

    10. Re:Is there a list? by Anonymous Coward · · Score: 0

      why waste that effort. just turn the feature off on your router and be done.

      while you're in there, might as well make sure remote admin is disabled on wifi and wan ports, change and strengthen your passwords, disable wps, and any other shit that doesn't need to be on.

    11. Re:Is there a list? by Anonymous Coward · · Score: 0

      You are running an Arris modem? Or your ISP is running an Arris modem?

      My ISP is also running an Arris Modem however the demarcation point is MY router which I exclusively control. I don't give a shit about the Arris Modem. The owner of the modem (the ISP) and the entity responsible for configuration (the ISP) and updates and firmware (the ISP) is responsible for that device and any problems that it might have. Got nothing to do with me, and I don't give a shit. I know how to sue if the ISP's equipment has a problem and I get "bothered" by it.

    12. Re: Is there a list? by pope1 · · Score: 1

      Forward the ports to 0.0.0.0 and you don't have to worry about someone allocating that internal IP for a future project years from now.

      --
      /* * pope1 */
  6. But you said crossing the streams was bad... by the_skywise · · Score: 1

    My understanding is that uPnP is necessary to open up dynamic ports to the outside world from other devices on the network like Xbox or for chat programs, running bittorrent, etc., which is the only reason I've left it on on my router.
    Is this no longer the case?

    1. Re: But you said crossing the streams was bad... by Anonymous Coward · · Score: 1

      What you say is true, although there are other ways a router can be signalled to open ports.

      However, if you know what your devices inside of your network are doing you can just only manually forward specific ips and ports. It really depends how much you have going on in your network.

    2. Re:But you said crossing the streams was bad... by Anonymous Coward · · Score: 0

      UPnP automagically opens ports, you can manually do that for known port ranges like Xbox or most things. Some shitty web service hw doesn't document which ports they use and they make that difficult. Most do.

      So there's no good reason to continue using UPnP unless you want to get hacked, and it's been that way for well over a decade.

      Anyone with one of the shitty routers that have always-on UPnP need to break down and invest in not getting hacked. Idiots like Bluestrat who say none of this was easily accessible information are just illiterates.

      We can't make you safe if you don't even care to read about this. No one can.

    3. Re:But you said crossing the streams was bad... by jeff4747 · · Score: 1

      you can manually do that for known port ranges like Xbox or most things

      If you only have one on your network.

    4. Re:But you said crossing the streams was bad... by Anonymous Coward · · Score: 0

      If you're running multiple dumb-routing boxes like Xbox on your network using UPnP, you deserve to be hacked. Zero sympathy. There is a way to do it. M$ could make it easier for you, but they don't. Too bad.

    5. Re:But you said crossing the streams was bad... by Anonymous Coward · · Score: 0

      This is only necessary for defective software. It is better to shut off UPnP and stop using defective and badly designed software.

  7. why by Anonymous Coward · · Score: 0

    why is upnp still around, is it because of the gayming fags?

  8. Read the ULA by AndyKron · · Score: 1

    Will the NSA be paying for this? Thought not.

  9. Windows Junk by Anonymous Coward · · Score: 0

    139 and 445 are Samba/CIFS ports, typically. Nothing to be alarmed about here as we all know Windows has perfect security (as Microsoft has continuously claimed in the war with Linux)...

    Fake News.

  10. isnt eternal blue g8zw4r3? by yfeefy · · Score: 1

    Why would anyone be running billy bathgates on a ROUTER?? article seems to make no sense

  11. And that's why I run a firewall behind my router by Anonymous Coward · · Score: 0

    Well, that and it's in place for WiFi networks too. I'm sure all /. people block these protocols as part of a belt and suspenders approach to security.

    Maybe ISPs should scan for vulnerable customers and offer to provide advice to those who need it.

  12. It would not be hard by jd · · Score: 1

    To make a router that couldn't suffer such security failings. There would be a few disadvantages - first, it would be bulkier, second it would be more complex to administer, thirdly you'd face massive opposition because nobody really wants security. If they did, such devices would be the norm.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:It would not be hard by sremick · · Score: 2

      Like pfSense?

      https://www.pfsense.org/

      I wouldn't say it's "bulkier"... you can run it on pretty tiny hardware, like I do (mine is a tiny Jetway box, smaller than most peoples' routers, chassis is metal and functions as the heatsink). Definitely "more complex to administer" but it's right up my alley.

    2. Re:It would not be hard by sad_ · · Score: 1

      i doubt it would be the norm.
      it's still cheaper to ignore security, and in the end money wins.

      --
      On a long enough timeline, the survival rate for everyone drops to zero.
  13. Block exploits, not movies by Anonymous Coward · · Score: 0

    Why are internet providers blocking movies and TV shows, when they aren't required to block exploits?

  14. msmash has the power by Anonymous Coward · · Score: 0

    to shout "hacks! hacked! hackers!" and little else.

    "Making sense" is nowhere in the vicinity.

  15. "reachable to the internet" by Anonymous Coward · · Score: 0

    WTF does that mean? Has that phrase ever been used in the English language before? No. Who is writing these summaries? A computer?
    "reachable to the internet".

    "Sorry Chad, it's just not reachable to the internet at the moment."

    NOBODY talks like this. Except stupid Americans...