Alarming Eternal Silence UPnP Exploit Exposes 1.7 Million Devices To Wi-Fi Zombie Attacks
Back in 2018, a team of security researchers from Akamai released a white paper detailing a malicious proxy system they dubbed UPnProxy that is now being leveraged in a new attack. The malicious proxy system draws its name from Universal Plug and Play (UPnP), which is a set of networking protocols that enables devices on a network to more easily connect with one another and establish functional network services by automatically creating port forwarding rules on a router.
While the intended functionality of UPnP may be convenient, security suffers as a result. UPnP has left routers and millions of connected devices open to various vulnerabilities over the years since its release.
Many UPnP-enabled devices expose services on their wide area network (WAN) interface, leaving them vulnerable to remote network address translation (NAT) injection. According to the Akamai researchers, attackers have taken advantage of this vulnerability to inject internet-routable hosts into the NAT tables of at least 45,000 of the 277,000 routers vulnerable to this form of attack.
While the intended functionality of UPnP may be convenient, security suffers as a result. UPnP has left routers and millions of connected devices open to various vulnerabilities over the years since its release.
Many UPnP-enabled devices expose services on their wide area network (WAN) interface, leaving them vulnerable to remote network address translation (NAT) injection. According to the Akamai researchers, attackers have taken advantage of this vulnerability to inject internet-routable hosts into the NAT tables of at least 45,000 of the 277,000 routers vulnerable to this form of attack.
These attacks turn the routers into functional proxies, which have been chained together into two distinct networks, as can be seen in the network map above. The researchers postulated that these malicious proxy networks have been used to conceal spamming, phishing, click and credit card fraud, DDoS attacks, botnets, and malware distribution.
However, the researchers recently discovered and revealed a new way in which attackers are leveraging UPnProxy. They found a new family of injections that attempt to expose the TCP ports 139 and 445 on devices behind the compromised routers, giving attackers network access to the connected devices. The attackers seem to be making use of this network access by attempting to compromise the connected devices by way of the EternalBlue and EternalRed exploits.
EternalBlue impacts Windows devices and has been used to launch devastating attacks, such as WannaCry and NotPetya, even after patches were released. EternalRed, on the other hand, targets Linux-based devices by way of Samba and has been used in a number of attacks, garnering the name SambaCry. While there are patches for both of these exploits, some devices still remain vulnerable, and the researchers have discovered a total of 1.7 million devices connected to compromised routers.
The researchers have named this new family of malicious injections Eternal Silence, drawing on the use of the Eternal family of exploits and the words “galleta silenciosa,” meaning “silent cookie” in Spanish, contained in the new rulesets.
The research team’s original white paper contains a list of almost 400 vulnerable router models, with ASUS and ipTIME having the largest number. Those looking to check their routers for the presence of UPnProxy and EternalSilence can find a bash script used for auditing router NAT table entries, as well as additional information, on Akamai’s blog post.
However, the researchers recently discovered and revealed a new way in which attackers are leveraging UPnProxy. They found a new family of injections that attempt to expose the TCP ports 139 and 445 on devices behind the compromised routers, giving attackers network access to the connected devices. The attackers seem to be making use of this network access by attempting to compromise the connected devices by way of the EternalBlue and EternalRed exploits.
EternalBlue impacts Windows devices and has been used to launch devastating attacks, such as WannaCry and NotPetya, even after patches were released. EternalRed, on the other hand, targets Linux-based devices by way of Samba and has been used in a number of attacks, garnering the name SambaCry. While there are patches for both of these exploits, some devices still remain vulnerable, and the researchers have discovered a total of 1.7 million devices connected to compromised routers.
The researchers have named this new family of malicious injections Eternal Silence, drawing on the use of the Eternal family of exploits and the words “galleta silenciosa,” meaning “silent cookie” in Spanish, contained in the new rulesets.
The research team’s original white paper contains a list of almost 400 vulnerable router models, with ASUS and ipTIME having the largest number. Those looking to check their routers for the presence of UPnProxy and EternalSilence can find a bash script used for auditing router NAT table entries, as well as additional information, on Akamai’s blog post.
