{"id":20540,"date":"2018-11-30T01:58:36","date_gmt":"2018-11-30T01:58:36","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/here-are-another-45000-reasons-to-patch-windows-systems-against-old-nsa-exploits\/"},"modified":"2018-11-30T01:58:36","modified_gmt":"2018-11-30T01:58:36","slug":"here-are-another-45000-reasons-to-patch-windows-systems-against-old-nsa-exploits","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/here-are-another-45000-reasons-to-patch-windows-systems-against-old-nsa-exploits\/","title":{"rendered":"Here are another 45,000 reasons to patch Windows systems against old NSA exploits"},"content":{"rendered":"
<\/div>\n

Earlier this year, Akamai warned that vulnerabilities in Universal Plug’N’Play (UPnP) had been exploited by scumbags to hijack 65,000 home routers. In follow-up research released this week, it revealed little has changed.<\/p>\n

Having revisited its April probing<\/a>, the web cache biz has come to the conclusion that the security nightmare it dubbed \u201cUPnProxy\u201d is still \u201calive and well.\u201d<\/p>\n

The only way to truly secure a router from UPnProxy attacks is to reflash the hardware, clearing any attacker-injected configuration and installing patched firmware, where available. Oh, and turn UPnP off, which has been standard advice for a decade<\/a>.<\/p>\n

The problem is basically this: it’s possible to send carefully crafted HTTP requests to public-facing UPnP services running on various routers to access their internal networks, or relay traffic through the gateways to other machines on the internet. With access to a home LAN, it’s possible to attack and infect connected PCs and gizmos. These UPnP vulns, described here<\/a> [PDF], have not been comprehensively patched.<\/p>\n

Scanning the internet once again, Akamai found that out of a pool of 3.5 million potentially vulnerable routers, 277,000 were still open to UPnProxy, and 45,000 have been hijacked. The latest twist is that whoever commandeered these gateways has tried to port forward Windows file sharing aka SMB services from the internal PCs to the outside world so they can be exploited and remote-controlled by the leaked Eternal family<\/a> of NSA cyber-weapons.<\/p>\n

Patches are available<\/a> for Windows to thwart attacks by EternalBlue et al: your ‘doze machines should not fall for these SMB-based infections if you’ve been keeping up to date, though your router may been snared if you haven’t disabled UPnP or patched it.<\/p>\n

Details<\/span><\/h3>\n

Akamai’s security team explained in this blog post<\/a> that a sign of infection is the appearance of \u201ctelltale routes\u201d in the gateways’ port mappings. The essay also outlined how the hackers hijacked some 45,000 routers:<\/p>\n