December 7, 2018 by Tal Widerman
The firewalls of routers we work behind and consider secure may not really be so. The makers of network hardware are moving too slow to catch up with new hacking exploits, and so the markets are still selling routers that haven’t been upgraded. The situation presents great dangers to users, and this has been confirmed by research findings from the security giant, Akamai.
What are the risks?
It’s hard to believe that global vendors of network hardware are putting customers at security risks without their knowledge. The end users of course can’t be blamed if they aren’t aware of the loopholes that exist in their networking devices, and the full responsibility lies upon vendors.
Many vendors have indeed moved forward and upgraded their network file sharing and streaming protocol (SMB) to the latest, encrypted and secured SMBv3 dialect. A large number of them however haven’t, and this is the reason why a large number of routers, switches and access points available from stores are running on the unsafe SMBv1 protocol.
The safety risks can be understood from the recent Wannacry and NotPetya attacks that took place a year and a half ago. The cyberattacks surfaced in May 2017, and the initial infection occurred via a Word file, which, once opened, deployed the malware.
More such threats are being hatched, as reported by researchers from Akamai’s security team. Hackers this time are using the leaked networking tools to create an even bigger, malicious proxy network.
New findings from the security giant Akamai reveal that the UPnProxy vulnerability, which abuses the common Universal Plug and Play network protocol, can now target unpatched computers behind the router’s firewall.
Akamai researchers say they "believe that someone is attempting to compromise millions of machines living behind the vulnerable routers by leveraging the EternalBlue and EternalRed (Samba cry) exploits."
The EternalBlue exploit was discovered by the National Security Agency on Windows computers. EternalRed is a backdoor on Linux devices found by Samba. The exploits form part of the ‘Eternal’ family of malware, which targets service ports used by SMB with port mapping modified by the UPnProxy on vulnerable routers.
The exploits are thus becoming stronger, able to find a way through unsecured routers. This happens on routers that do not support the latest SMBv3 protocol. An attacker can use port forwarding feature of the router, exposing the LAN to outside internet. From this route, hackers can reach individual computers and devices inside the firewall.
There are still millions of devices today that run the unsafe SMBv1 protocol, leaving themselves vulnerable to more such malicious security risks.
The Akamai report suggests that there are 3.5 millions of vulnerable routers on the internet, and plenty of them (277,000) are running vulnerable implementations of UPnP that expose themselves and their IGD (Internet Gateway Device) controls on the WAN/Internet side of the router.
Akamai’s scanning showed at least 45,000 actively networked injected machines. These numbers are subject to grow as the hackers continue to scan the network for new machines they can reach.
On the brighter side, the number of vulnerable devices is going down with many responsible vendors going for the needed updates with the latest SMB version. However, Akamai has drawn attention to how clever criminals can take any advantage they would like to get for exploiting systems and services. The company points to how UPnP Proxy has been used to attack systems that were until now shielded behind the NAT.
Often some systems are overlooked by organizations as they appear to be ‘good enough’. Policies on asset management are also not proactive when it comes to assets with low rotation rates. It may even happen that some risks are considered ‘acceptable’. Hackers such as those behind EternalSilence look out for such critical systems.
In the case of UPnP, one may think of flashing the vulnerable routers, or disabling UPnP. A sounder approach is to simply replace the router with one that uses the secure and encrypted SMBv3 protocol.
Visuality Systems Ltd has partnered with a number of router and switch manufacturers in the industry since the Wannacry erupted. The aim is to upgrade all of their offerings to support the encrypted SMBv3 protocol. All Visuality products support the latest SMBv3 dialect and ensure security through end-to-end encryption capabilities.
Visuality is looking forward to partner with all network hardware vendors who haven’t yet taken action and wants to ensure that the networking market becomes completely SMBv1 free.