Here are another 45,000 reasons to patch Windows systems against old NSA exploits

It's 2018 and UPnP is still opening up networks - this time to leaked SMB cyber-weapons


Earlier this year, Akamai warned that vulnerabilities in Universal Plug'N'Play (UPnP) had been exploited by scumbags to hijack 65,000 home routers. In follow-up research released this week, it revealed little has changed.

Having revisited its April probing, the web cache biz has come to the conclusion that the security nightmare it dubbed “UPnProxy” is still “alive and well.”

The only way to truly secure a router from UPnProxy attacks is to reflash the hardware, clearing any attacker-injected configuration and installing patched firmware, where available. Oh, and turn UPnP off, which has been standard advice for a decade.

The problem is basically this: it's possible to send carefully crafted HTTP requests to public-facing UPnP services running on various routers to access their internal networks, or relay traffic through the gateways to other machines on the internet. With access to a home LAN, it's possible to attack and infect connected PCs and gizmos. These UPnP vulns, described here [PDF], have not been comprehensively patched.

Scanning the internet once again, Akamai found that out of a pool of 3.5 million potentially vulnerable routers, 277,000 were still open to UPnProxy, and 45,000 have been hijacked. The latest twist is that whoever commandeered these gateways has tried to port forward Windows file sharing aka SMB services from the internal PCs to the outside world so they can be exploited and remote-controlled by the leaked Eternal family of NSA cyber-weapons.

Patches are available for Windows to thwart attacks by EternalBlue et al: your 'doze machines should not fall for these SMB-based infections if you've been keeping up to date, though your router may have been snared if you haven't disabled UPnP or patched it.


Akamai's security team explained in this blog post that a sign of infection is the appearance of “telltale routes” in the gateways' port mappings. The essay also outlined how the hackers hijacked some 45,000 routers:

  • Network scanning – the attackers either mass-scanned the internet looking for machines presenting the Simple Service Discovery Protocol (SSDP) to the world that would reveal the UPnP service, and/or they targeted devices that use a static port (TCP/2048) and path (/etc/linuxigd/gatedesc.xml) for the UPnP daemons.
  • When a vulnerable device is found, the attackers set up SMB port forwarding from the LAN to the public internet, using the router's built-in configuration web portal, so that the miscreants can reach stuff on the LAN from outside.

Here is one example of the kind of Network Address Translation (NAT) forwarding rule the attackers could inject into a vulnerable router:

{"NewProtocol": "TCP", "NewInternalPort": "445", "NewInternalClient": "", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "47669"}
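As an added, defender-side example that is not from the article or Akamai's post: the Python below parses one UPnP IGD GetGenericPortMappingEntry SOAP response and flags the telltale mappings described above (SMB forwarded to the internet, an internal client outside the LAN, or the description from the quoted rule). The SOAP sample and the 192.168.1.0/24 LAN range are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a UPnP IGD GetGenericPortMappingEntry response (not a real capture):
# it carries the same kind of SMB forwarding rule quoted in the article.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>47669</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>445</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>galleta silenciosa</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

# The rule quoted in the article, as a dict of the same New* fields.
ARTICLE_RULE = {"NewProtocol": "TCP", "NewInternalPort": "445", "NewInternalClient": "",
                "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "47669"}

SMB_PORTS = {139, 445}  # NetBIOS session and direct SMB; neither belongs on the internet

def parse_mapping_entry(soap_xml):
    """Flatten one GetGenericPortMappingEntry response into {"NewExternalPort": "47669", ...}."""
    root = ET.fromstring(soap_xml)
    # Argument elements are unnamespaced, but strip any '{ns}' prefix defensively.
    return {el.tag.split("}")[-1]: (el.text or "").strip()
            for el in root.iter() if el.tag.split("}")[-1].startswith("New")}

def suspicious_reasons(mapping, lan="192.168.1.0/24"):
    """Return why a port mapping looks like UPnProxy abuse; empty list means nothing flagged.
    `lan` is the gateway's internal subnet (assumed here; pass the real one)."""
    reasons = []
    try:
        port = int(mapping.get("NewInternalPort", ""))
    except ValueError:
        port = None
    if port in SMB_PORTS:
        reasons.append("forwards SMB (internal port %d) to the public internet" % port)
    client = mapping.get("NewInternalClient", "")
    if client:  # an empty client (as in the quoted rule) gives us nothing to range-check
        try:
            if ipaddress.ip_address(client) not in ipaddress.ip_network(lan):
                reasons.append("targets %s outside the LAN: a UPnProxy relay hop" % client)
        except ValueError:
            reasons.append("internal client %r is not an IP address" % client)
    if mapping.get("NewPortMappingDescription") == "galleta silenciosa":
        reasons.append("description matches the injected rule quoted in Akamai's example")
    return reasons

if __name__ == "__main__":
    for rule in (parse_mapping_entry(SAMPLE_RESPONSE), ARTICLE_RULE):
        print(rule.get("NewExternalPort"), "->", rule.get("NewInternalClient"), suspicious_reasons(rule))
```

On a real gateway the same parser would be fed the responses of successive GetGenericPortMappingEntry calls (index 0, 1, 2, ... until the service returns an error), which is how the full mapping table is enumerated.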

Once the miscreants have compromised a target, they then try to run the NSA-authored, Shadow Brokers-released EternalBlue (CVE-2017-0144), or the Linux variant EternalRed (CVE-2017-7494) against PCs behind the gateway to potentially hijack them.

EternalBlue has been used to infect machines since its release in April 2017, most famously in the WannaCry attacks that began in May 2017; EternalRed pwns *nix systems with a one-line Samba exploit.

Finally, the 45,000-ish hijacked routers have exposed a total of 1.7 million hosts on local networks to the public 'net via UPnProxy. So that's up to nearly two million computers the attackers may have compromised and roped into malware-controlled botnets, Akamai claimed. ®
