Skip to main content

EternalSilence UPnP Exploit

EternalSilence is a newly observed attack methodology that targets routers with vulnerable implementations of Universal Plug and Play (UPnP), specifically those that expose their Internet Gateway Device (IGD) controls to the Internet.

Threat ID:
CC-2830
Category:
Threat Severity:
Medium
Threat Vector:
Published:
6 December 2018 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

EternalSilence is a newly observed attack methodology that targets routers with vulnerable implementations of Universal Plug and Play (UPnP), specifically those that expose their Internet Gateway Device (IGD) controls to the Internet.

Threat details

At the time of publication, the objective of the attack is believed to be to open networks to further exploitation by EternalBlue and EternalRed, a variant of EternalBlue that targets Linux devices. At the time of publication, approximately 8% of all publicly-reachable UPnP configurations are considered to be vulnerable

The threat actors operating the EternalSilence campaign are scanning the internet for vulnerable routers to attack. Once identified, they inject commands that force the routers to open Server Message Block (SMB) ports 139 and 445 on connected devices, leaving them exposed to the EternalBlue and EternalRed exploits.

Remediation

To prevent an attack, users and administrators should ensure that:

  • Routers are kept up-to-date.
  • SMB is kept up-to-date or disabled if not used.
  • UPnP is disabled if not used.
  • Regular vulnerability scans are performed.

Remediation steps

Type Step

To prevent an attack, users and administrators should ensure that:

  • Routers are kept up-to-date.
  • SMB is kept up-to-date or disabled if not used.
  • UPnP is disabled if not used.
  • Regular vulnerability scans are performed.

Last edited: 17 February 2020 12:58 pm