Around 45,000 routers were compromised using a UPnP NAT injection attack which targets SMB services according to an Akamai SITR report.
The attackers use a malicious proxy system dubbed UPnProxy which previously was employed by bad actors at the beginning of 2018 to route traffic in spam, click fraud, DDoS, or phishing campaigns.
On November 7, Akamai's researchers discovered that the UPnProxy vulnerability which affects around 277,000 devices out of a total of 3.5 million potential victims was already used to compromise roughly 45,000 routers in an extensive campaign.
However, this time, Akamai's research found that the threat group behind the UPnProxy campaign is using a previously theoretical attack which would allow attackers to exploit computers behind compromised Internet routers.
The new type of attacks utilizes a family of injections named EternalSilence which expose the 139 and 445 TCP ports to the Internet on router-shielded devices and are believed to employ NSA leaked Eternal exploits to compromise their targets.
As discovered by Akamai, the threat group which employs EternalSilence is trying to infiltrate millions of machines users believe are protected by routers that were already compromised by leveraging the EternalBlue and EternalRed SMB and Samba exploits.
The EternalSilence vulnerability exposes previously protected devices to SMB service attacks
"Currently, the 45,113 routers with confirmed injections expose a total of 1.7 million unique machines to the attackers," said Akamai in their analysis. "We've reached this conclusion by logging the number of unique IPs exposed per router, and then added them up."
The EternalBlue exploit has been successfully used by countless malware campaigns to compromise Windows computers and launch WannaCry, Petya, and NotPetya attacks on other machines.
Moreover, the EternalRed exploit is used by adversaries to attack Linux machines running vulnerable Samba installations, subsequently infecting them with crypto-mining malware.
Akamai concluded that "The goal here isn't a targeted attack. It's an attempt at leveraging tried and true off the shelf exploits, casting a wide net into a relatively small pond, in the hopes of scooping up a pool of previously inaccessible devices."
Furthermore, because hackers can now target machines vulnerable to EternalBlue and EternalRed attacks which were previously protected by routers, an entirely new batch of simple to compromise devices are exposed to these two NSA exploits.