
The latest router malware stolen from the NSA

Dec 03, 2018 · 3 min read


A new malware campaign has just been discovered that has already infected more than 45,000 home and small office routers, putting them at hackers’ mercy. The cybercriminals are using malware based on tools stolen from the NSA.

How hackers use routers to access your devices

On Thursday, Akamai, a US-based content delivery network and cloud service provider, reported that hackers are exploiting the Universal Plug and Play (UPnP) protocol to access devices hidden behind routers. UPnP automatically recognizes devices connected to a local network, which improves gaming and media streaming. However, UPnP also has vulnerabilities that cybercriminals have exploited before.

Back in April, Akamai released a white paper explaining how hackers use UPnP to turn routers into personal proxy servers. Now, however, hackers have found a new way to install rules in Network Address Translation (NAT) tables, which decide how traffic is sorted from your router to the devices connected to it. They add an entry to the NAT table that they call 'galleta silenciosa' ('silent cookie/cracker' in Spanish).

The silent cookie opens ports which give hackers access to devices that would normally be hidden by your NAT and wouldn’t be visible to other devices on the internet. Once hackers have access to your devices, they are free to install any malware they wish.

Akamai’s researchers confirmed that EternalSilence – which is what they’re calling this attack – has potentially affected 1.7 million devices. It uses a similar technique to EternalBlue (and its Linux sister – EternalRed), an NSA creation used in the massive global WannaCry and NotPetya ransomware attacks.

Check the white paper released by Akamai to make sure that your router isn’t on the list of susceptible devices. Over 50 brands, including major players like ASUS, Logitech, and Netgear, could be susceptible to this attack. If you are worried that your router has been compromised or you are using an infected device, follow these steps and protect yourself from cybercriminals.

What to do if your router is vulnerable to NAT infection

  1. If your router is on the list, it’s best to replace it with a less vulnerable one. If you cannot do so, restore its factory settings, make sure that it’s running the most up-to-date firmware, and turn off the UPnP feature. (Turning UPnP off might have an impact on your local network and might also disrupt gaming and media streaming.)
  2. If you suspect that your router might be used as a proxy server but you haven’t received any malicious software or ransomware just yet, back up your data, restore your devices to factory settings, and change your router. Alternatively, you could manually remove the NAT injections if you know how to do so, but if you continue using UPnP and your router is susceptible to such attacks, there’s no guarantee that your devices won’t be infected again.
  3. If your devices have been infected and the above options don’t work, you could deploy a firewall to block all incoming traffic to UDP port 1900. However, this is a relatively advanced fix and it would still allow hackers to use your device as a proxy server, so we do not recommend this.
  4. You cannot control what hardware and firmware are used in your office or your local cafe, so your devices might be connected to vulnerable routers and be placed at risk of being infected with malicious software. Use NordVPN to hide your IP address and be invisible to those connected to the same network.
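The manual check mentioned in step 2, as an added example (not code from this blog or from Akamai): it parses UPnP IGD GetGenericPortMappingEntry responses and flags NAT entries whose description is 'galleta silenciosa' or that are missing from a list of mappings you expect. The SOAP bodies, addresses, ports and the EXPECTED list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MARKER = "galleta silenciosa"  # NAT entry description named in the article
# Assumption: mappings the owner knowingly created (client, internal port, protocol).
EXPECTED = {("192.168.1.20", 3074, "UDP")}

TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetGenericPortMappingEntryResponse
 xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

# Constructed sample responses, not captured from a real router.
SAMPLES = [
    TEMPLATE.format(ext=3074, proto="UDP", port=3074, client="192.168.1.20", desc="Game console"),
    TEMPLATE.format(ext=47123, proto="TCP", port=8443, client="192.168.1.35", desc="Galleta  Silenciosa"),
    TEMPLATE.format(ext=8080, proto="TCP", port=80, client="192.168.1.50", desc=""),
]

def parse_mapping(xml_text):
    """Return the New* fields of one port-mapping response as a dict."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the namespace, if any
        if tag.startswith("New"):
            fields[tag] = (el.text or "").strip()
    return fields

def audit(responses, expected=EXPECTED):
    """Return (external port, mapping key, reason) for every suspicious entry."""
    findings = []
    for xml_text in responses:
        m = parse_mapping(xml_text)
        # Normalise case and whitespace before comparing with the marker.
        desc = " ".join(m.get("NewPortMappingDescription", "").lower().split())
        key = (m.get("NewInternalClient"), int(m.get("NewInternalPort") or 0),
               m.get("NewProtocol", "").upper())
        if MARKER in desc:
            findings.append((m.get("NewExternalPort"), key, "marker description"))
        elif key not in expected:
            findings.append((m.get("NewExternalPort"), key, "not in expected list"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

Router output is untrusted input, so when parsing live responses rather than these samples, a hardened parser such as defusedxml is the safer choice.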

Try NordVPN free to see how it protects your devices from all sorts of online threats!


Emily Green

Emily Green is a content writer who loves to investigate the latest Internet privacy and security news. She thrives on looking for solutions to problems and sharing her knowledge with NordVPN readers and customers.

