Researchers from Akamai have spotted a malicious campaign, tracked as ‘Eternal Silence,’ that is abusing Universal Plug and Play (UPnP) to turn routers into a proxy server used to carry out a broad range of malicious activities anonymously.
Universal Plug and Play (UPnP) is a set of networking protocols that allows networked devices to seamlessly discover each other’s presence on the network and establish functional network services.
In April 2018, Akamai reported that threat actors had compromised 65,000 home routers by exploiting vulnerabilities in Universal Plug’N’Play (UPnP); the experts tracked the botnet as UPnProxy. In December 2018, the company published an update to its initial analysis that revealed a disconcerting scenario: UPnProxy was still up and running.
The UPnP communication protocol is widely adopted even though it is known to be vulnerable. In early 2013, researchers at Rapid7 published a whitepaper entitled “Security Flaws in Universal Plug and Play” that evaluated the global exposure of UPnP-enabled network devices.
The report highlighted that over 23 million IPs running the Portable UPnP SDK were vulnerable to remote code execution through a single UDP packet, and that over 6,900 product versions from over 1,500 vendors were vulnerable because they exposed the UPnP SOAP service to the internet.
By abusing the protocol, attackers can control traffic into and out of a network: UPnP allows the automated negotiation and configuration of port opening/forwarding within a NATed networking environment. The botnet uncovered by Akamai was composed of vulnerable devices carrying malicious NAT injections that turn the routers into proxies; for this reason, the experts called the injected devices UPnProxy.
Experts recommend that users install router updates and patched firmware to mitigate the threat. According to Akamai, many UPnP vulnerabilities are still unpatched: out of a pool of 3.5 million potentially vulnerable routers, the experts found that 277,000 were still open to UPnProxy and 45,000 had been compromised.
Recently, Akamai experts discovered a new family of injections, which they dubbed Eternal Silence. The name EternalSilence comes from the port-mapping descriptions left by the attackers.
The experts believe that threat actors behind the campaign leveraged EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) exploits on unpatched Windows and Linux systems, respectively.
The researchers discovered new rulesets, affecting over 45,000 routers, all containing the description ‘galleta silenciosa’ (‘silent cookie/cracker’ in Spanish). These injections were used to expose TCP ports 139 and 445 on devices behind the router, as in the following entry:
{"NewProtocol": "TCP", "NewInternalPort": "445", "NewInternalClient": "192.168.10.212",
"NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "47669"}
“Currently, the 45,113 routers with confirmed injections expose a total of 1.7 million unique machines to the attackers. We’ve reached this conclusion by logging the number of unique IPs exposed per router, and then adding them up. It is difficult to tell if these attempts led to a successful exposure as we don’t know if a machine was assigned that IP at the time of the injection.” reads the analysis published by Akamai. “Additionally, there is no way to tell if EternalBlue or EternalRed was used to successfully compromise the exposed machine. However, if only a fraction of the potentially exposed systems were successfully compromised and fell into the hands of the attackers, the situation would quickly turn from bad to worse.”
The attackers could exploit the above vulnerabilities to carry out crypto-mining campaigns, ransomware attacks, or worm-like attacks that rapidly spread to entire corporate networks.
“This shotgun approach may be working too, because there is a decent possibility that machines unaffected by the first round of EternalBlue and EternalRed attacks (that may have remained unpatched) were safe only because they weren’t exposed directly to the internet. They were in a relatively safe harbor living behind the NAT.” continues Akamai. “The EternalSilence attacks remove this implied protection granted by the NAT from the equation entirely, possibly exposing a whole new set of victims to the same old exploits.”
Experts pointed out that it is quite difficult to detect ‘Eternal Silence’ attacks.
It is not easy for administrators to detect malicious NAT injections, because they have little visibility into the rules present on an injected router. The UPnP protocol itself is designed to let machines automatically request NAT/port-forwarding capabilities from the Internet Gateway Device (IGD) operated by the router. The researchers note that carefully inspecting these rules requires UPnP tool sets, device scanning, and manual rule inspection to achieve some level of detection.
Akamai released a bash script that administrators can use to dump UPnP NAT entries.
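As an added illustration (not Akamai’s script and not code from the original article), the following Python parses the per-entry SOAP responses an IGD returns for the WANIPConnection GetGenericPortMappingEntry action and flags entries matching the indicators described above. The SOAP responses are constructed samples; the check for an internal client outside the LAN is an assumed generalization from the UPnProxy proxy pattern, not something this article’s ruleset states.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Entry fields the IGD returns from WANIPConnection GetGenericPortMappingEntry (as in the rule above).
FIELDS = ("NewProtocol", "NewExternalPort", "NewInternalPort",
          "NewInternalClient", "NewPortMappingDescription")
# Indicators from the article: the attackers' description string and the SMB/NetBIOS ports exposed.
INJECTION_MARKER = "galleta silenciosa"
SMB_PORTS = {139, 445}

def soap_response(**fields):
    """Build a constructed GetGenericPortMappingEntryResponse (sample data, not a real capture)."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            + body + "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")

# Constructed samples: a rule shaped like the injection quoted above, and a benign console mapping.
SAMPLE_RESPONSES = [
    soap_response(NewProtocol="TCP", NewExternalPort=47669, NewInternalPort=445,
                  NewInternalClient="192.168.10.212", NewPortMappingDescription=INJECTION_MARKER),
    soap_response(NewProtocol="UDP", NewExternalPort=3074, NewInternalPort=3074,
                  NewInternalClient="192.168.10.50", NewPortMappingDescription="game console"),
]

def parse_port_mapping(soap_xml):
    """Extract one mapping as a dict; the field elements are unqualified, so search by local name."""
    root = ET.fromstring(soap_xml)
    return {f: ((el.text or "") if (el := root.find(f".//{f}")) is not None else "") for f in FIELDS}

def classify_mapping(m):
    """Return the reasons a mapping looks like an Eternal Silence / UPnProxy NAT injection."""
    reasons = []
    if m["NewPortMappingDescription"].strip().lower() == INJECTION_MARKER:
        reasons.append("description is the Eternal Silence marker")
    if m["NewProtocol"].upper() == "TCP" and int(m["NewInternalPort"]) in SMB_PORTS:
        reasons.append(f"exposes SMB/NetBIOS port {m['NewInternalPort']} to the internet")
    # Assumption (general UPnProxy pattern, not part of the article's ruleset): an internal client
    # outside the LAN means the router is relaying traffic to another host, i.e. acting as a proxy.
    if not ipaddress.ip_address(m["NewInternalClient"]).is_private:
        reasons.append("internal client is not a private LAN address (proxy-style mapping)")
    return reasons

def audit(responses):
    """Map 'PROTO/external_port' -> reasons for every mapping that looks injected."""
    findings = {}
    for m in map(parse_port_mapping, responses):
        if reasons := classify_mapping(m):
            findings[f"{m['NewProtocol']}/{m['NewExternalPort']}"] = reasons
    return findings
```

On a real router the responses would be gathered by calling GetGenericPortMappingEntry with increasing NewPortMappingIndex values until the device returns a fault, then passed to audit().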
Owners of devices compromised by Eternal Silence need to reset or re-flash the device; the experts explained that disabling UPnP might not clear existing NAT injections.