Skip to content
Naked Security Naked Security

Router attack exploits UPnP and NSA malware to target PCs

The UPnProxy router compromise uncovered earlier in 2018 is now being used to attack computers on networks connected to the same gateways.

Researchers have found evidence that the UPnProxy router compromise uncovered earlier in 2018 is now being used to attack computers on networks connected to the same gateways.
To recap, UPnProxy is the name Akamai gave to an attack against a wide range of routers running vulnerable Universal Plug and Play (UPnP) implementations. The attack is estimated to have infected 65,000 routers from a possible target list of 3.5 million.
UPnP has long been a fat target for cybercriminals, with UPnProxy exploiting its flawed potency to turn routers into proxy servers as a way of hiding phishing, DDoS, spam, and click fraud traffic behind legitimate IP addresses.
Akamai’s latest research from early November suggests the attackers behind UPnProxy then had a light bulb moment – why not use UPnP’s port mapping to go after vulnerable computers on the LAN side of the router?
UPnProxy had evolved to do this by using the infamous EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) exploits to target machines running Windows SMB and Linux Samba clients on ports 145 and 449.


Dubbing the new attack ‘EternalSilence’, the company has detected signs of this port mapping injection on at least 45,000 routers from a population of 277,000 still vulnerable to UPnProxy.
However, after totting up the number of IPs connected to these routers, Akamai estimates that the number of exposed computers could be as high as 1.7 million.
The final victim count would depend on how many of those computers were vulnerable to the exploits.
In theory, most computers should have been patched, but lower priority ones in businesses may not have been – on the assumption that they were not exposed to the internet because of the router’s Network Address Translation (NAT).
Writes Akamai’s Chad Seaman:

The EternalSilence attacks remove this implied protection granted by the NAT from the equation entirely, possibly exposing a whole new set of victims to the same old exploits.

It’s worth recalling that EternalBlue (stolen from the NSA) was first used to devastating effect during 2017’s WannaCry and NotPetya attacks, so these are not run-of-the-mill threats.

Who might be affected?

Akamai’s UPnProxy research estimated the number of router models running vulnerable UPnP to be 400 from 73 different companies. That said, the actual number of infected routers was still relatively small.
The likelihood of falling prey to UPnProxy and/or EternalSilence depends on the following factors:

So what should you do? The first step is to turn off UPnP before updating to the latest firmware version (or buying a new router) and making sure Windows or Linux patches addressing EternalBlue/EternalRed have been applied.
If a router is suspected of being infected (and that’s very difficult for a non-expert to tell) it gets more complicated because simply turning UPnP off won’t clear existing NAT injections.
In those cases, Akamai recommends resetting the router it to its factory state and initiating an update to the latest firmware version.
Checking for computers compromised by EternalSilence is trickier:

Administrators looking to try and gain an edge can scan themselves and see if they’re exposed to these vulnerabilities, including scanning their UPnP NAT table to look for oddities.

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!