The latest router malware stolen from the NSA

How hackers use routers to access your devices

On Thursday, Akamai, a US-based content delivery network and cloud service provider, reported that hackers are exploiting the Universal Plug and Play (UPnP) protocol to access devices hiding behind routers. UPnP is used to automatically recognize devices connected on a local network to improve gaming and media streaming. However, UPnP also hides vulnerabilities previously explored by cybercriminals.

Back in April, Akamai released a white paper explaining how hackers use UPnP to turn routers into personal proxy servers. However, now hackers have found a new way to install rules in Network Address Translation (NAT) tables, which decide how traffic is sorted from your router to the devices connected to it. They add an entry to the NAT table that they call 'galleta silenciosa’ ('silent cookie/cracker' in Spanish).

The silent cookie opens ports which give hackers access to devices that would normally be hidden by your NAT and wouldn’t be visible to other devices on the internet. Once hackers have access to your devices, they are free to install any malware they wish.

Akamai’s researchers confirmed that EternalSilence – which is what they’re calling this attack – has potentially affected 1.7 million devices. It uses a similar technique to EternalBlue (and its Linux sister – EternalRed), an NSA creation used in the massive global WannaCry and NotPetya ransomware attacks.

Check the white paper released by Akamai to make sure that your router isn’t on the list of susceptible devices. Over 50 brands, including major players like ASUS, Logitech, and Netgear, could be susceptible to this attack. If you are worried that your router has been compromised or you are using an infected device, follow these steps and protect yourself from cybercriminals.

What to do if your router is vulnerable to NAT infection

1. If your router is on the list, it’s best to replace it with a less vulnerable one. If you cannot do so, restore its factory settings, make sure that it’s running the most up-to-date firmware, and turn off the UPnP feature. (Turning UPnP off might have an impact on your local network and might also disrupt gaming and media streaming.)
2. If you suspect that your router might be used as a proxy server but you haven’t received any malicious software or ransomware just yet, back up your data, restore your devices to factory settings, and change your router. Alternatively, you could manually remove the NAT injections if you know how to do so, but if you continue using UPnP and your router is susceptible to such attacks, there’s no guarantee that your devices won’t be infected again.
3. If your devices have been infected and the above options don’t work, you could deploy a firewall to block all incoming traffic to UDP port 1900. However, this is a relatively advanced fix and it would still allow hackers to use your device as a proxy server, so we do not recommend this.
4. You cannot control what hardware and firmware are used in your office or your local cafe, so your devices might be connected to vulnerable routers and be placed at risk of being infected with malicious software. Use NordVPN to hide your IP address and be invisible to those connected to the same network.

Want to read more like this?

Get the latest news and tips from NordVPN

Subscribe

Subscribe

You've successfully subscribed to our newsletter!

Email is invalid

Subscribe

We won't spam and you will always be able to unsubscribe

With our 30-day money-back guarantee, you can try NordVPN to see how it protects your devices from all sorts of online threats!