Hackers Using NSA Hacking Tools to Build Botnet

A Quarter Million Devices Vulnerable to UPnProxy Botnet

More than 270,000 Internet-connected devices run vulnerable implementations of UPnP and are susceptible to becoming part of a multi-purpose botnet, Akamai says. 


Dubbed UPnProxy, the botnet was first detailed in April this year, when it had infected around 65,000 devices. At the moment, there are more than 45,000 devices confirmed to have been compromised in the widely distributed UPnP NAT injection campaign.

The UPnP protocol was designed to let devices on a LAN discover and configure one another, but vulnerable implementations have been known for more than a decade. Such implementations expose privileged services, which are meant to be reachable only by trusted devices on the local area network (LAN), to the Internet-facing side of the router.

According to Akamai, there are 3.5 million potentially vulnerable devices around the world, with 277,000 of them vulnerable to UPnProxy. The botnet has infected at least 45,000 devices so far, but the attackers continue to scan for more machines to compromise. Akamai’s security researchers also say a new campaign of injections has been recently discovered. 

Previously, the security researchers pointed out that attackers could leverage UPnProxy to exploit systems behind the compromised routers, and it appears that this is already happening. 

“For home users, these attacks can lead to a number of complications, such as degraded service, malware infections, ransomware, and fraud. But for business users, these recent developments could mean systems that were never supposed to exist on the internet in the first place, could now be living there unknowingly, greatly increasing their chances of being compromised,” Akamai notes.


The security researchers also explain that the services exposed in this campaign, SMB on TCP ports 139 and 445, have a history of exploitation in campaigns targeting both Windows and Linux platforms.

The campaign, which Akamai refers to as EternalSilence, is apparently looking to compromise “millions of machines living behind the vulnerable routers by leveraging the EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) exploits.” 

The new family of injections was discovered on November 7, but the researchers say they couldn’t see the final payloads, so they cannot say what happens after a machine is successfully compromised. Possible attack scenarios, however, include ransomware, backdoors, and other types of malware. 

After logging the unique internal IPs exposed per device, the researchers determined that the 45,113 routers confirmed to contain the injections expose a total of 1.7 million unique machines to the attackers.

“Additionally, there is no way to tell if EternalBlue or EternalRed was used to successfully compromise the exposed machine. However, if only a fraction of the potentially exposed systems were successfully compromised and fell into the hands of the attackers, the situation would quickly turn from bad to worse,” Akamai points out. 

The attacks, the researchers say, appear to be opportunistic. The actor is likely either scanning the entire Internet for SSDP and pivoting to the TCP UPnP daemons, or targeting a set of devices that use a static port (TCP/2048) and path (/etc/linuxigd/gatedesc.xml) for their UPnP daemons.

This shotgun approach of blindly injecting SMB port forwards may well be working: many machines escaped the first rounds of EternalBlue and EternalRed attacks only because they were not directly exposed to the Internet but hidden behind NAT. The EternalSilence injections remove that NAT protection and expose those machines to the old exploits.
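The two paragraphs above describe the mechanics: discover the gateway's UPnP daemon (over SSDP, or directly via the static TCP/2048 and /etc/linuxigd/gatedesc.xml), then read or write the NAT table through its SOAP interface. The following audit script is an added example for this article, not Akamai's tooling, and is the check a defender would run against their own gateway's WAN address. It assumes the gateway implements UPnP IGD 1.0 (the WANIPConnection:1 service) over plain HTTP SOAP, and the SSDP reply, SOAP replies, control path and mapping descriptions embedded in it are constructed samples, not captured traffic. It walks the port-mapping table with GetGenericPortMappingEntry until the gateway faults, flags any enabled TCP forward whose internal side is 139 or 445 (the EternalSilence pattern), and separately flags forwards whose "internal client" is not an RFC1918 address (the relay pattern of the original UPnProxy report).

```python
"""UPnP IGD NAT-table audit: an added example for this article, not Akamai's tooling.
Assumed (not from the article): the gateway speaks UPnP IGD 1.0 SOAP (WANIPConnection:1)
over HTTP; every SSDP/SOAP reply embedded below is a constructed sample, not captured data."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import namedtuple
from typing import Optional

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SMB_PORTS = {139, 445}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Mapping = namedtuple("Mapping", "ext_port proto int_host int_port description enabled")

def parse_ssdp_location(reply: str) -> Optional[str]:
    """LOCATION header of an SSDP M-SEARCH reply: the device-description URL (the article's
    static TCP/2048 + /etc/linuxigd/gatedesc.xml), from which the SOAP control URL is read."""
    for line in reply.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None

def build_get_mapping_request(host: str, control_path: str, index: int) -> bytes:
    """Raw HTTP+SOAP request for the index-th NAT-table entry. Walking index 0, 1, 2, ...
    until the gateway returns a SOAP fault enumerates the whole (possibly injected) table."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}"><NewPortMappingIndex>{index}'
            '</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>').encode()
    head = (f'POST {control_path} HTTP/1.1\r\nHost: {host}\r\nContent-Type: text/xml; charset="utf-8"\r\n'
            f'SOAPAction: "{WANIP}#GetGenericPortMappingEntry"\r\nContent-Length: {len(body)}\r\n\r\n').encode()
    return head + body

def parse_mapping_response(xml_text: str) -> Optional[Mapping]:
    """Parse a GetGenericPortMappingEntryResponse; None for a SOAP fault (end of table)."""
    resp = ET.fromstring(xml_text).find(f".//{{{WANIP}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        return None
    def field(tag: str) -> str:
        el = resp.find(tag)
        return (el.text or "").strip() if el is not None else ""
    return Mapping(int(field("NewExternalPort")), field("NewProtocol").upper(),
                   field("NewInternalClient"), int(field("NewInternalPort")),
                   field("NewPortMappingDescription"), field("NewEnabled") == "1")

def classify(m: Mapping) -> str:
    """'smb-exposure' is the EternalSilence pattern: a LAN host's TCP/139 or /445 reachable from
    the WAN. 'proxy-to-external' is the original UPnProxy pattern: the "internal client" is not
    an RFC1918 address, so the gateway relays traffic on to some other Internet host."""
    if not m.enabled:
        return "disabled"
    try:
        lan = any(ipaddress.ip_address(m.int_host) in n for n in RFC1918)
    except ValueError:
        lan = False
    if not lan:
        return "proxy-to-external"
    return "smb-exposure" if m.proto == "TCP" and m.int_port in SMB_PORTS else "other"

def audit(replies) -> list:
    """Walk SOAP replies in table order, stop at the first fault, return the suspect entries."""
    findings = []
    for xml_text in replies:
        m = parse_mapping_response(xml_text)
        if m is None:
            break
        label = classify(m)
        if label in ("smb-exposure", "proxy-to-external"):
            findings.append((m.ext_port, m.int_host, m.int_port, label))
    return findings

# Constructed samples (not captured traffic); the mapping descriptions are invented.
SAMPLE_SSDP_REPLY = ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                     "LOCATION: http://198.51.100.7:2048/etc/linuxigd/gatedesc.xml\r\n"
                     "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")

def _entry(ext: int, proto: str, host: str, port: int, desc: str) -> str:
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">'
            f'<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
            f'<NewInternalPort>{port}</NewInternalPort><NewInternalClient>{host}</NewInternalClient>'
            f'<NewEnabled>1</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

SAMPLE_SOAP_REPLIES = [
    _entry(32400, "TCP", "192.168.1.20", 32400, "media server"),      # legitimate user mapping
    _entry(47218, "TCP", "192.168.1.37", 445, "constructed-inject"),  # EternalSilence-style
    _entry(47219, "TCP", "192.168.1.37", 139, "constructed-inject"),
    _entry(9001, "TCP", "203.0.113.45", 9001, "constructed-proxy"),   # UPnProxy-style relay
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
    '<faultcode>s:Client</faultcode></s:Fault></s:Body></s:Envelope>',  # end of table
]
```

Against a live gateway, `build_get_mapping_request` would be sent over a TCP socket to the host and control path taken from the device description that `parse_ssdp_location` points at; here `audit(SAMPLE_SOAP_REPLIES)` runs the same logic over the embedded replies and returns the two SMB forwards and the external relay while ignoring the legitimate media-server mapping. A clean gateway should also refuse the request entirely on its WAN interface; a SOAP reply at all from the Internet side is itself a finding.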

Related: Multi-Purpose Proxy Botnet Ensnares 65,000 Routers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
