EternalSilence: Why your router may be at risk from this NSA tool

Today’s article is courtesy of John Mason, co-founder of and writer at TripwireStaySafeOnline, DigitalGuardian y Educause. You can find him on twitter as @JohnCyberMason.

Do you trust your router to keep you safe from hackers and spies? You may want to take another look just to make sure.

Akamai recently discovered a malware campaign that has already compromised over 45,113 home and office routers. This was done using a tool based on the United States of America’s NSA hacking tools which were leaked online in 2017. To explain how hackers use this tool to turn your router into a proxy server, we first have to understand how UPnP works.

UPnP is a protocol that eases device and service discovery as well as the configuration of consumer devices and networks. Its primary purpose was to allow devices on a LAN to automatically expose services and functionality other devices on the local network.

One important role it serves is to automatically negotiate and configure port opening/forwarding within a NATed networking environment which allows network devices to open up ports and expedite routing of network traffic. This feature is often implemented by default on home routers to improve performance and user experience when playing on gaming systems.

The problem with UPnP is that some of its implementations didn’t handle network segmentation across the WAN and LAN network interfaces properly. At DEFCON 19, a toolset was presented which allowed remote users to inject NAT rules into a remote device over the WAN interface.

In 2013, Rapid 7 discovered 80 million vulnerable devices. They used information leaked by devices to identify vendors, models, and the overall threat landscape. This led them to identify thousands of models from over 1,500 vendors.

So, how does NAT injection work?

Normally, privileged services are meant to only be used by trusted devices on a LAN. However, vulnerable devices expose these privileged services on their WAN interface. An attacker can then use these exposed services:

  • To inject NAT entries into the remote device
  • To expose machines behind the router
  • To inject Internet-routable hosts into the NAT table (which causes the router to act as a proxy server)

Back in April of this year, Akamai actually released a white paper detailing the process of how hackers use UPnP to turn routers into proxy servers. But, they recently discovered that hackers have a new method for installing special rules into NAT tables, which decide how traffic is sorted from your router to the devices on the network. These hackers add an entry to the NAT table called “Galleta Silenciosa” (Silent cookie/cracker).

The rules still work as proxy redirections but instead of simply relaying web traffic, they now also allow hackers to connect to the SMB ports (139, 445) of devices and computers inside the router’s network.

Akamai couldn’t identify exactly how hackers achieve this but they do firmly believe that the “injections” are linked to EternalBlue, a hacking tool (malware) developed by the NSA, which was also used for the WannaCry and NotPetya ransomware outbreaks.

This is what led Akamai to dub this hacking campaign “EternalSilence” after EternalBlue and Silent Cookie — the malicious NAT table entries.

The thing is, identifying whether or not you’re affected is no easy feat. There are some steps you could take if you believe your router is vulnerable to NAT infection.

If you regularly connect to public Wi-Fi, make sure you use a VPN service to minimize risk because that public network may be using a vulnerable router.

According to the Akamai report, there is a way to scan the endpoint and audit your NAT table entries but this involves advanced technical know-how.

You could flash your router and disable UPnP but Akamai says that this will only serve to remediate the issue. The best solution they suggest is to simply replace your vulnerable router if you find its brand on the list provided in the report.

See also in: