
Hundreds of thousands of routers exposed to Eternal Silence campaign via UPnP

A hacking campaign, tracked as Eternal Silence, is abusing UPnP to compromise routers and use them to carry out malicious activities.

Researchers from Akamai have spotted a malicious campaign, tracked as ‘Eternal Silence,’ that is abusing Universal Plug and Play (UPnP) to turn routers into a proxy server used to carry out a broad range of malicious activities anonymously.

Universal Plug and Play (UPnP) is a set of networking protocols that allows networked devices to seamlessly discover each other’s presence on the network and establish functional network services.

In April 2018, Akamai reported that threat actors had compromised 65,000 home routers by exploiting vulnerabilities in Universal Plug and Play (UPnP); the experts tracked the botnet as UPnProxy. In December 2018, the company provided an update to its initial analysis revealing a disconcerting scenario: UPnProxy was still up and running.

The UPnP communication protocol is widely adopted even though it is known to be vulnerable. In early 2013, researchers at Rapid7 published a whitepaper entitled “Security Flaws in Universal Plug and Play” that evaluated the global exposure of UPnP-enabled network devices.

The report highlighted that over 23 million IPs running the Portable UPnP SDK were vulnerable to remote code execution through a single UDP packet, and that over 6,900 product versions from over 1,500 vendors were vulnerable because their UPnP SOAP service was exposed to the internet.

By abusing the protocol, attackers can control the traffic in and out of a network: UPnP allows the automated negotiation and configuration of port opening/forwarding within a NATed networking environment. The botnet uncovered by Akamai was composed of vulnerable devices carrying malicious NAT injections that turn the routers into proxies; for this reason, the experts called the injected devices UPnProxy.

Experts recommend that users install router updates and patched firmware to mitigate the threat. According to Akamai, many UPnP vulnerabilities are still unpatched: out of a pool of 3.5 million potentially vulnerable routers, the experts found that 277,000 were still open to UPnProxy and 45,000 had been compromised.

Recently, Akamai experts discovered a new family of injections, which they have dubbed Eternal Silence. The name EternalSilence comes from the port mapping descriptions left by the attackers.

The experts believe that threat actors behind the campaign leveraged EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) exploits on unpatched Windows and Linux systems, respectively.

The researchers discovered new rulesets, affecting over 45,000 routers, all carrying the description ‘galleta silenciosa’ (Spanish for ‘silent cookie/cracker’). These injections were used to expose TCP ports 139 and 445 on devices behind the router.

{"NewProtocol": "TCP", "NewInternalPort": "445", "NewInternalClient": "192.168.10.212", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "47669"}

“Currently, the 45,113 routers with confirmed injections expose a total of 1.7 million unique machines to the attackers. We’ve reached this conclusion by logging the number of unique IPs exposed per router, and then added them up. It is difficult to tell if these attempts led to a successful exposure as we don’t know if a machine was assigned that IP at the time of the injection.” reads the analysis published by Akamai. “Additionally, there is no way to tell if EternalBlue or EternalRed was used to successfully compromise the exposed machine. However, if only a fraction of the potentially exposed systems were successfully compromised and fell into the hands of the attackers, the situation would quickly turn from bad to worse.”

The attackers could exploit the above vulnerabilities to carry out crypto-mining campaigns, ransomware attacks, or worm-like attacks that rapidly spread to entire corporate networks.

“This shotgun approach may be working too, because there is a decent possibility that machines unaffected by the first round of EternalBlue and EternalRed attacks (that may have remained unpatched) were safe only because they weren’t exposed directly to the internet. They were in a relatively safe harbor living behind the NAT.” continues Akamai. “The EternalSilence attacks remove this implied protection granted by the NAT from the equation entirely, possibly exposing a whole new set of victims to the same old exploits.”

Experts pointed out that it is quite difficult to detect ‘Eternal Silence’ attacks.

It is not easy for administrators to detect malicious NAT injections, because they have little visibility into the injected rules on the router. The UPnP protocol itself is designed to let machines automatically request NAT/port forwarding from the Internet Gateway Device (IGD) operated by the router. The researchers note that carefully inspecting these rules requires UPnP tool sets, device scanning, and manual rule inspection to achieve some level of detection.

Akamai released a bash script that administrators can use to dump UPnP NAT entries.
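Akamai's script is not reproduced on this page. As an added example (not Akamai's code), the following Python walks a router's WANIPConnection port-mapping table with GetGenericPortMappingEntry and flags entries showing the traits described above: the ‘galleta silenciosa’ description, TCP 139/445 forwarded inward, or an internal client that is not a LAN address. It assumes the IGD control URL is already known (from SSDP discovery and the device description XML); the embedded SOAP response is constructed from the mapping quoted in the article.

```python
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort", "NewInternalClient", "NewPortMappingDescription")

def soap_request(index):  # SOAP body of GetGenericPortMappingEntry for slot `index` of the IGD mapping table
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetGenericPortMappingEntry '
            f'xmlns:u="{WANIP}"><NewPortMappingIndex>{index}</NewPortMappingIndex></u:GetGenericPortMappingEntry>'
            f'</s:Body></s:Envelope>').encode()

def parse_entry(xml_bytes):  # fields of a GetGenericPortMappingEntry response, namespace prefixes stripped
    return {e.tag.rsplit("}", 1)[-1]: (e.text or "").strip()
            for e in ET.fromstring(xml_bytes).iter() if e.tag.rsplit("}", 1)[-1] in FIELDS}

def suspicious_reasons(entry):
    # Traits of a UPnProxy / EternalSilence injection; an empty list means nothing was flagged
    reasons = []
    if "galleta silenciosa" in entry.get("NewPortMappingDescription", "").lower():
        reasons.append("EternalSilence description")
    if entry.get("NewProtocol") == "TCP" and entry.get("NewInternalPort") in ("139", "445"):
        reasons.append("SMB/NetBIOS port forwarded from the internet")
    try:
        if not ipaddress.ip_address(entry.get("NewInternalClient", "")).is_private:
            reasons.append("internal client is not a LAN address (proxy-style injection)")
    except ValueError:
        reasons.append("unparseable internal client")
    return reasons

def dump_mappings(control_url, limit=500):
    # Walk the table from index 0; the IGD answers HTTP 500 (SpecifiedArrayIndexInvalid) once the index runs past the end
    headers = {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'}
    entries = []
    for i in range(limit):
        req = urllib.request.Request(control_url, data=soap_request(i), headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                entries.append(parse_entry(resp.read()))
        except OSError:  # HTTPError past the last entry, or the device is unreachable
            break
    return entries

# Constructed response carrying the injection quoted in the article (not captured from a real device)
SAMPLE = (b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
          b'<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
          b'<NewExternalPort>47669</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>445</NewInternalPort>'
          b'<NewInternalClient>192.168.10.212</NewInternalClient><NewPortMappingDescription>galleta silenciosa'
          b'</NewPortMappingDescription></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
```

Run `for e in dump_mappings(control_url): print(e, suspicious_reasons(e))` against the router's control URL; any non-empty reason list is a mapping to review by hand, and a confirmed injection means the device should be reset or re-flashed rather than merely edited.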

Owners of devices compromised with Eternal Silence need to reset or flash the device; the experts explained that disabling UPnP might not clear existing NAT injections.


Pierluigi Paganini

(SecurityAffairs – hacking, Eternal Silence)
