Saturday, April 13, 2024

UPnProxy – A Dubbed NSA Hacking Tool of EternalSilence Vulnerable to Attack 277,000 UPnP Enabled Routers

New research reveals that  Universal Plug and Play (UPnP) implemented 277,000 Connected Devices are vulnerable to malicious proxy system UPnProxy , a dubbed EternalSilence NSA hacking tool arsenal.

UPnP is a feature that allows the devices on your network to discover each other and allow to access certain services. Often, this is used for streaming media between devices on a network.

Currently, a pool of 3.5 million connected devices are using UPnP and among these devices, more than 45,000 have been compromised in a widely distributed UPnP NAT injection campaign.

Attackers abusing the UPnP system and creating a malicious proxy system called UPnProxy that helps attacker s to reroute the original traffic landing into malicious services such as spam, phishing, click fraud, and DDoS.

It mainly affected the home routers that leads to infect with malware, ransomware and others infections.

Malicious UPnProxy initially discovered by researchers at Akamai and they have dubbed Eternal Silence which is derived from port mapping descriptions and the researchers believed that it leveraging the exploits from NSA Eternal family.

According to Akamai, Currently, the 45,113 routers with confirmed injections expose a total of 1.7 million unique machines to the attackers. We’ve reached this conclusion by logging the number of unique IPs exposed per router, and then added them up. It is difficult to tell if these attempts led to a successful exposure as we don’t know if a machine was assigned that IP at the time of the injection.

Attack Process

Attack leveraging NSA’s Eternal family of exploits using this EternalSilence campaign which is confirmed by an observation of millions of successful injections attempting in order to expose the millions of SMB running services.

In this case, 2 powerful NSA exploits, EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) used by attackers and utilize the static ports (TCP/2048) in order to inject SMB port forwards.

Researchers said, “This is only possible because there are millions (3.5 million) of vulnerable routers on the internet, and plenty of them (277,000) are running vulnerable implementations of UPnP that expose themselves and their IGD (Internet Gateway Device) controls on the WAN/Internet side of the router – something we addressed in our previous research.”

A larger sample of EternalSilence injections found on a single router

Also, there will not be any administrative visibility of an injected router since its difficult to detect the malicious NAT injections.

The best way to identify if a device is vulnerable or actively being leveraged for UPnProxying is to scan an end-point and audit it’s NAT table entries, Researchers said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.


Latest articles

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles