Hackers are using leaked NSA hacking tools to covertly hijack thousands of computers

More than a year after patches were released to thwart powerful NSA exploits that leaked online, hundreds of thousands of computers are unpatched and vulnerable.

First they were used to spread ransomware. Then it was cryptocurrency mining attacks. Now, researchers say that hackers are using the leaked tools to create an even bigger malicious proxy network.

New findings from security giant Akamai say that the previously reported UPnProxy vulnerability, which abuses the common Universal Plug and Play network protocol, can now target unpatched computers behind the router’s firewall.

Attackers traditionally used UPnProxy to remap the port forwarding settings on an affected router, allowing the obfuscation and routing of malicious traffic — which can be used to launch distributed denial-of-service attacks or spread malware or spam. In most cases, computers on the network were unaffected because they were shielded by the router’s network address translation (NAT) rules.

But now, Akamai says that attackers are using more powerful exploits to burrow through the router and infect individual computers on the network. That gives the attackers a far greater scope of devices it can target, and makes the malicious network far stronger.

“While it is unfortunate to see UPnProxy being actively leveraged to attack systems previously shielded behind the NAT, it was bound to happen eventually,” said Akamai’s Chad Seaman, who wrote the report.

The injections use two exploits — EternalBlue, a backdoor developed by the National Security Agency to target Windows computers; and its “sibling” exploit EternalRed, used to backdoor Linux devices, found independently by Samba. Where UPnProxy modified the port mapping on a vulnerable router, the Eternal family of exploits target the service ports used by SMB, a common networking protocol used on most computers.

Together, Akamai calls the new attack “EternalSilence,” drastically expanding the spread of the proxy network to many more vulnerable devices.

Akamai says more than 45,000 devices are already under the thumb of the massive network — potentially amounting to more than a million computers waiting for commands.

“The goal here isn’t a targeted attack,” said Seaman. “It’s an attempt at leveraging tried and true off the shelf exploits, casting a wide net into a relatively small pond, in the hopes of scooping up a pool of previously inaccessible devices.”

But Eternal-based intrusions are difficult to detect, making it difficult for administrators to know if they’re infected. That said, fixes for both EternalBlue and EternalRed have been available for more than a year — yet millions of devices remain unpatched and vulnerable.

The number of vulnerable devices is going down, but Seaman said that UPnProxy’s new capabilities “may be a last ditch effort to utilize the known exploits against a set of possibly unpatched and previously inaccessible machines.”

Patching against the Eternal exploits is better late than never, but it’s not a silver bullet to fixing the problem. Even disabling UPnP isn’t a one-stop solution. Seaman said it’s “the equivalent of plugging the hole in the boat, but it does nothing to address the water that has made it into your sinking ship.”

Flashing an affected router and disabling UPnP may remediate the issue, but Seaman said in his opinion that the router should probably be “completely replaced.”