Thursday, March 28, 2024

UPnProxy – A Dubbed NSA Hacking Tool of EternalSilence Vulnerable to Attack 277,000 UPnP Enabled Routers

New research reveals that  Universal Plug and Play (UPnP) implemented 277,000 Connected Devices are vulnerable to malicious proxy system UPnProxy , a dubbed EternalSilence NSA hacking tool arsenal.

UPnP is a feature that allows the devices on your network to discover each other and allow to access certain services. Often, this is used for streaming media between devices on a network.

Currently, a pool of 3.5 million connected devices are using UPnP and among these devices, more than 45,000 have been compromised in a widely distributed UPnP NAT injection campaign.

Attackers abusing the UPnP system and creating a malicious proxy system called UPnProxy that helps attacker s to reroute the original traffic landing into malicious services such as spam, phishing, click fraud, and DDoS.

It mainly affected the home routers that leads to infect with malware, ransomware and others infections.

Malicious UPnProxy initially discovered by researchers at Akamai and they have dubbed Eternal Silence which is derived from port mapping descriptions and the researchers believed that it leveraging the exploits from NSA Eternal family.

According to Akamai, Currently, the 45,113 routers with confirmed injections expose a total of 1.7 million unique machines to the attackers. We’ve reached this conclusion by logging the number of unique IPs exposed per router, and then added them up. It is difficult to tell if these attempts led to a successful exposure as we don’t know if a machine was assigned that IP at the time of the injection.

Attack Process

Attack leveraging NSA’s Eternal family of exploits using this EternalSilence campaign which is confirmed by an observation of millions of successful injections attempting in order to expose the millions of SMB running services.

In this case, 2 powerful NSA exploits, EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) used by attackers and utilize the static ports (TCP/2048) in order to inject SMB port forwards.

Researchers said, “This is only possible because there are millions (3.5 million) of vulnerable routers on the internet, and plenty of them (277,000) are running vulnerable implementations of UPnP that expose themselves and their IGD (Internet Gateway Device) controls on the WAN/Internet side of the router – something we addressed in our previous research.”

A larger sample of EternalSilence injections found on a single router

Also, there will not be any administrative visibility of an injected router since its difficult to detect the malicious NAT injections.

The best way to identify if a device is vulnerable or actively being leveraged for UPnProxying is to scan an end-point and audit it’s NAT table entries, Researchers said.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Website

Latest articles

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...

ZENHAMMER – First Rowhammer Attack Impacting Zen-based AMD Platforms

Despite AMD's growing market share with Zen CPUs, Rowhammer attacks were absent due to...

Airbus to Acquire INFODAS to Strengthen its Cybersecurity Portfolio

Airbus Defence and Space plans to acquire INFODAS, a leading cybersecurity and IT solutions...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles