A Quarter Million Devices Vulnerable to UPnProxy Botnet
More than 270,000 Internet-connected devices run vulnerable implementations of UPnP and are susceptible to becoming part of a multi-purpose botnet, Akamai says.
Dubbed UPnProxy, the botnet was first detailed in April this year, when it had infected around 65,000 devices. At the moment, there are more than 45,000 devices confirmed to have been compromised in the widely distributed UPnP NAT injection campaign.
The UPnP protocol was designed to allow for better communication between devices on a LAN, but has been known to be vulnerable for more than a decade. Vulnerable implementations may expose services that are privileged and meant to only be used by trusted devices on a local arear network (LAN).
According to Akamai, there are 3.5 million potentially vulnerable devices around the world, with 277,000 of them vulnerable to UPnProxy. The botnet has infected at least 45,000 devices so far, but the attackers continue to scan for more machines to compromise. Akamai’s security researchers also say a new campaign of injections has been recently discovered.
Previously, the security researchers pointed out that attackers could leverage UPnProxy to exploit systems behind the compromised routers, and it appears that this is already happening.
“For home users, these attacks can lead to a number of complications, such as degraded service, malware infections, ransomware, and fraud. But for business users, these recent developments could mean systems that were never supposed to exist on the internet in the first place, could now be living there unknowingly, greatly increasing their chances of being compromised,” Akamai notes.
The security researchers also explain that the services being exposed in this campaign have a history of exploitation in campaigns targeting both Windows and Linux platforms: the TCP ports 139 and 445.
The campaign, which Akamai refers to as EternalSilence, is apparently looking to compromise “millions of machines living behind the vulnerable routers by leveraging the EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) exploits.”
The new family of injections was discovered on November 7, but the researchers say they couldn’t see the final payloads, so they cannot say what happens after a machine is successfully compromised. Possible attack scenarios, however, include ransomware, backdoors, and other types of malware.
After logging the unique IPs exposed per device, the researchers determined that the 45,113 routers confirmed to contain the injections expose a total of 1.7 million unique machines to the attackers, the security researchers explain.
“Additionally, there is no way to tell if EternalBlue or EternalRed was used to successfully compromise the exposed machine. However, if only a fraction of the potentially exposed systems were successfully compromised and fell into the hands of the attackers, the situation would quickly turn from bad to worse,” Akamai points out.
The attacks, the researchers say, appear to be opportunistic. The actor is likely scanning the entire Internet for SSDP and pivoting to the TCP UPnP daemons or is targeting a set of devices that use static ports (TCP/2048) and paths (/etc/linuxigd/gatedesc.xml) for their UPnP daemons.
This shotgun approach to blindly inject SMB port forwards might be working, as there might be machines not impacted by the first round of EternalBlue and EternalRed attacks because they were not directly exposed to the Internet, but hidden behind the NAT. The EternalSilence attacks remove the NAT protections and expose the machines to the old exploits.