EternalSuffering: NSA Exploits Still Being Successfully Used To Hijack Computers More Than A Year After Patching

from the can't-stop-won't-stop dept

Everything old and awful is new again. And still awful. Zack Whittaker reports for TechCrunch that the NSA's purloined kit of computer nasties is still causing problems more than a year after security patches were issued by affected vendors.

[A]kamai says that attackers are using more powerful exploits to burrow through the router and infect individual computers on the network. That gives the attackers a far greater scope of devices it can target, and makes the malicious network far stronger. “While it is unfortunate to see UPnProxy being actively leveraged to attack systems previously shielded behind the NAT, it was bound to happen eventually,” said Akamai’s Chad Seaman, who wrote the report.

There are more technical details in Akamai's report, which notes the deployment of EternalRed and EternalBlue, which target Linux and Windows machines respectively. It appears to be a massive crime of opportunity, with attackers possibly scanning the entire internet for vulnerable ports/paths and injecting code to gain control of computers and devices. The "shotgun approach" isn't efficient but it is getting the job done. Akamai refers to this new packaging of NSA exploits as EternalSilence, after the phrase "galleta silenciosa" ("silent cookie/cracker") found in the injected rulesets.

The damage caused by this latest wave of repurposed surveillance code could still be rather severe, even with several rounds of patches immunizing a large number of devices against this attack.

Currently, the 45,113 routers with confirmed injections expose a total of 1.7 million unique machines to the attackers. We've reached this conclusion by logging the number of unique IPs exposed per router, and then added them up. It is difficult to tell if these attempts led to a successful exposure as we don't know if a machine was assigned that IP at the time of the injection. Additionally, there is no way to tell if EternalBlue or EternalRed was used to successfully compromise the exposed machine. However, if only a fraction of the potentially exposed systems were successfully compromised and fell into the hands of the attackers, the situation would quickly turn from bad to worse.
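An added example, not taken from Akamai's report or from the article: a defender-side audit that flags router port-mapping entries carrying the "galleta silenciosa" marker or forwarding to SMB ports, then counts unique exposed IPs per router and sums them, as the quoted method describes. The SMB port numbers (139 and 445) are an assumption not stated in the article, the field names follow the UPnP IGD port-mapping response, and every router name and entry is constructed sample data.

```python
# Added example: audit UPnP NAT port-mapping tables for injected rules.
# Router names, addresses and entries are constructed sample data.
MARKER = "galleta silenciosa"  # phrase the article says appears in injected rulesets
SMB_PORTS = {139, 445}         # assumption: SMB/Samba ports; not named in the article


def rule(ext, client, port, desc, proto="TCP"):
    """Build one entry using UPnP IGD port-mapping field names."""
    return {"NewExternalPort": ext, "NewProtocol": proto,
            "NewInternalClient": client, "NewInternalPort": port,
            "NewPortMappingDescription": desc}


SAMPLE_TABLES = {  # constructed
    "router-a": [rule(28777, "192.168.1.10", 445, "galleta silenciosa"),
                 rule(28778, "192.168.1.10", 139, "galleta silenciosa"),
                 rule(28779, "192.168.1.11", "445", "Galleta Silenciosa"),
                 rule(8080, "192.168.1.20", 8080, "game console")],
    "router-b": [rule(30001, "192.168.1.10", 445, "galleta silenciosa"),
                 rule(30002, "192.168.1.12", 445, "")],  # no marker, still SMB
    "router-c": [rule(51413, "192.168.0.5", 51413, "torrent", proto="UDP")],
}


def reasons_for(entry):
    """Return why an entry looks injected; an empty list means it looks benign."""
    reasons = []
    if MARKER in str(entry.get("NewPortMappingDescription", "")).lower():
        reasons.append("marker")
    try:
        port = int(entry.get("NewInternalPort", 0))  # SOAP values arrive as strings
    except (TypeError, ValueError):
        port = 0
    if str(entry.get("NewProtocol", "")).upper() == "TCP" and port in SMB_PORTS:
        reasons.append("smb-forward")
    return reasons


def audit(tables):
    """Map each affected router to its flagged rule count and exposed internal IPs."""
    report = {}
    for router, entries in tables.items():
        flagged = [e for e in entries if reasons_for(e)]
        if flagged:
            report[router] = {"rules": len(flagged),
                              "exposed": {e["NewInternalClient"] for e in flagged}}
    return report


def total_exposed(report):
    """Sum unique exposed IPs per router; private addresses repeat across routers."""
    return sum(len(r["exposed"]) for r in report.values())
```

As in the quoted passage, a flagged rule shows only that an address was exposed, not that a machine held that address or was compromised.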

More of the same, then. Perhaps not at the scale seen in the past, but more attacks using the NSA's hoarded exploits. Hoarding exploits is a pretty solid plan, so long as they don't fall into the hands of… well, anyone else really. Failing to plan for this inevitability is just one of the many problems with the NSA's half-assed participation in the Vulnerability Equities Process.

Since the tools began taking their toll on the world's computer systems last year, there's been no sign the NSA is reconsidering its stance on hunting and hoarding exploits. The intelligence gains are potentially too large to be sacrificed for the security of millions of non-target computer users. It may claim these tools are essential to national security, but for which nation? The exploits wreaked havoc all over the world, but it would appear the stash of exploits primarily benefited one nation before they were inadvertently dumped into the public domain. Do the net gains in national security outweigh the losses sustained worldwide? I'd like to see the NSA run the numbers on that.
