UPnP is a feature that allows the devices on your network to discover each other and allow to access certain services. Often, this is used for streaming media between devices on a network.
Currently, a pool of 3.5 million connected devices are using UPnP and among these devices, more than 45,000 have been compromised in a widely distributed UPnP NAT injection campaign.
Attackers abusing the UPnP system and creating a malicious proxy system called UPnProxy that helps attacker s to reroute the original traffic landing into malicious services such as spam, phishing, click fraud, and DDoS.
It mainly affected the home routers that leads to infect with malware, ransomware and others infections.
Malicious UPnProxy initially discovered by researchers at Akamai and they have dubbed Eternal Silence which is derived from port mapping descriptions and the researchers believed that it leveraging the exploits from NSA Eternal family.
According to Akamai, Currently, the 45,113 routers with confirmed injections expose a total of 1.7 million unique machines to the attackers. We’ve reached this conclusion by logging the number of unique IPs exposed per router, and then added them up. It is difficult to tell if these attempts led to a successful exposure as we don’t know if a machine was assigned that IP at the time of the injection.
Attack leveraging NSA’s Eternal family of exploits using this EternalSilence campaign which is confirmed by an observation of millions of successful injections attempting in order to expose the millions of SMB running services.
In this case, 2 powerful NSA exploits, EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) used by attackers and utilize the static ports (TCP/2048) in order to inject SMB port forwards.
Researchers said, “This is only possible because there are millions (3.5 million) of vulnerable routers on the internet, and plenty of them (277,000) are running vulnerable implementations of UPnP that expose themselves and their IGD (Internet Gateway Device) controls on the WAN/Internet side of the router – something we addressed in our previous research.”
Also, there will not be any administrative visibility of an injected router since its difficult to detect the malicious NAT injections.
The best way to identify if a device is vulnerable or actively being leveraged for UPnProxying is to scan an end-point and audit it’s NAT table entries, Researchers said.