EternalSilence UPnP Router Exploit

EternalSilence is a newly observed attack methodology that targets routers with vulnerable implementations of Universal Plug and Play (UPnP). At the time of publication, the objective of the attack is believed to be to open networks to further exploitation by EternalBlue and EternalRed, a variant of EternalBlue that targets Linux machines.

On November 7th 2018 while working on a project related to the original UPnProxy discoveries, researchers at Akamai discovered a new family of injections, which they’ve dubbed Eternal Silence. The name EternalSilence comes from port mapping descriptions left by the attackers. In addition, these new attacks are believed to be leveraging the Eternal family of exploits.

The threat actors operating the EternalSilence campaign are scanning the internet for vulnerable routers to attack. Once identified, they inject commands that force the routers to open SMB ports 139 and 445 on connected devices, leaving them exposed to the EternalBlue and EternalRed exploits.

Out of a potential victim pool of 3.5 million vulnerable devices, 277,000 of them are vulnerable to UPnProxy.

EternalBlue (CVE-2017-0144): The widely-known exploit stolen from the NSA and released by Shadow Brokers, impacts every version of Windows, and even after widespread patching took place (MS17-010), criminals still managed to leverage the exploit code to launch devastating attacks, such as WannaCry and NotPetya.

EternalRed (CVE-2017-7494): Sometimes known as the sibling to EternalBlue; targets Samba and opens the Eternal family up to Linux-based systems. It’s been used in a number of crypto-mining campaigns and became widely-known as SambaCry.

To prevent an attack, users and administrators should ensure that:

• Routers are kept up-to-date.
• UPnP is disabled if it is not used.
• Regular vulnerability scans are performed.
• SMB v1 is disabled across the network.