More Broadband Routers Exposed to NSA Based UPnP Exploit

Friday, Nov 30th, 2018 (10:50 am)

A new report from the content delivery network (CDN) provider Akamai has warned that broadband routers from many different manufacturers (e.g. Asus, NETGEAR, D-Link and Ubiquiti), specifically those that haven’t been patched against some old Universal Plug and Play (UPnP) vulnerabilities, are being targeted in order to spread malware using the EternalBlue exploit.

Weak or unpatched implementations of UPnP have long been a thorn in the side of many routers. The protocol was designed to let devices on a home network discover and connect to one another automatically, which makes the end user’s life a lot easier and avoids much of the fiddly manual network configuration that was previously only familiar to more advanced users.

Earlier this year, Akamai researchers noted how UPnP was being abused by attackers to conceal traffic (see the white paper): routers were infected and hijacked in order to build a malicious proxy system dubbed UPnProxy. That system could then be used to support mass email SPAM, DDoS attacks and related botnets.


The CDN provider claims that 277,000 devices, out of a pool of 3.5 million, are currently running vulnerable implementations of UPnP. Unfortunately the latest report notes that a new variant of UPnProxy has been spotted, which is helping to spread the EternalBlue (aka EternalRed on Linux) malware. So far some 45,113 devices have been compromised by this widely distributed UPnP NAT injection campaign.

EternalBlue was originally developed in the USA by the National Security Agency (NSA), but the code was later stolen and leaked onto the internet. All of this is bad news for anybody running a vulnerable router (once the router is compromised, so too is your whole network and everything on it), particularly if the router is no longer supported or hasn’t been patched with updated firmware that fixes the UPnP flaws.

Akamai Statement

These numbers are subject to change as the attackers continue to scan for new machines to compromise. While some of the campaigns observed in the original research have since disappeared, a new campaign of injections has been discovered.

In Akamai’s previous research, we highlighted the possibility that attackers could leverage UPnProxy to exploit systems living behind the compromised router. Unfortunately, data from this recent batch of injections suggests this is exactly what’s happening.

For home users, these attacks can lead to a number of complications, such as degraded service, malware infections, ransomware, and fraud. But for business users, these recent developments could mean systems that were never supposed to exist on the internet in the first place, could now be living there unknowingly, greatly increasing their chances of being compromised.

Even more concerning, the services being exposed by this particular campaign have a history of exploitation related to crippling worms and ransomware campaigns targeting both Windows and Linux platforms.

Normally, the NewPortMappingDescription field on your router would state something like “Skype” for legitimate injections, but in UPnProxy campaigns this field is also attacker controlled. The new rulesets discovered by Akamai all contain “galleta silenciosa” (Spanish for “silent cookie/cracker”). These sets of injections attempt to expose the TCP ports 139 and 445 on devices behind the router.

What’s the Solution?

The obvious step is to disable UPnP. This could cause connectivity problems with some devices on your network (experiences will vary, as not all UPnP implementations are the same), but it is probably the best option if you own one of the devices listed in Akamai’s white paper, linked above (the list is too long to paste here). After that, check whether new firmware is available from the manufacturer’s website and update.


On the other hand, if you have already been infected then simply disabling UPnP won’t be enough: you’ll need to consider doing a factory (hardware) reset and then updating the firmware. If at that point you find that no new firmware is available, you’ll have no option but to leave UPnP permanently disabled (or buy a new, modern router).

Unfortunately all of this becomes rather more complex if the malware has managed to spread to other computers or devices within your network. Hopefully you’ll be running up-to-date anti-virus software and firewalls on those to help prevent such an outcome (you could also block TCP ports 139 and 445), but many modern “smart” devices are rather lacklustre in this department.
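As an added example (not code from the ISPreview article or from Akamai’s report), the following Python script shows the check behind the Akamai statement above and a useful first step before the reset-and-update advice: it parses the GetGenericPortMappingEntry responses that a router’s UPnP WANIPConnection service returns and flags the traits the campaign is described as having, namely a forward to TCP 139/445 on a LAN host, an “internal client” address that is not on the LAN at all (the proxy pattern), and a NewPortMappingDescription containing “galleta silenciosa”. On a real router these responses are obtained by walking NewPortMappingIndex from 0 until the service returns an error; the sample responses, the LAN range and the IP addresses here are constructed for the example.

```python
"""Audit UPnP IGD port-mapping entries for UPnProxy-style injections.

Added example, not code from ISPreview or Akamai. Sample data, LAN range
and addresses below are constructed assumptions for the demonstration.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

SMB_PORTS = {139, 445}
INJECTION_MARKERS = ("galleta silenciosa",)  # description string reported by Akamai


@dataclass
class PortMapping:
    remote_host: str
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    enabled: bool
    description: str


def parse_mapping_response(xml_text: str) -> PortMapping:
    """Extract the New* fields from one GetGenericPortMappingEntryResponse."""
    root = ET.fromstring(xml_text)
    fields = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag.startswith("New"):
            fields[tag] = (el.text or "").strip()
    return PortMapping(
        remote_host=fields.get("NewRemoteHost", ""),
        external_port=int(fields.get("NewExternalPort", "0")),
        protocol=fields.get("NewProtocol", "").upper(),
        internal_port=int(fields.get("NewInternalPort", "0")),
        internal_client=fields.get("NewInternalClient", ""),
        enabled=fields.get("NewEnabled", "1") == "1",
        description=fields.get("NewPortMappingDescription", ""),
    )


def audit_mapping(m: PortMapping, lan: ipaddress.IPv4Network) -> List[str]:
    """Return findings for one mapping; an empty list means nothing suspicious."""
    findings = []
    if m.protocol == "TCP" and m.internal_port in SMB_PORTS:
        findings.append(f"exposes SMB port {m.internal_port} on {m.internal_client} "
                        f"via external port {m.external_port}")
    try:
        if ipaddress.ip_address(m.internal_client) not in lan:
            findings.append(f"internal client {m.internal_client} is outside the LAN "
                            f"{lan} (proxy-style mapping)")
    except ValueError:
        findings.append(f"internal client is not a valid IP address: {m.internal_client!r}")
    if any(marker in m.description.lower() for marker in INJECTION_MARKERS):
        findings.append(f"description matches a known injection marker: {m.description!r}")
    return findings


def audit_all(responses: List[str], lan_cidr: str) -> Dict[int, List[str]]:
    """Map entry index -> findings, keeping only entries that raised something."""
    lan = ipaddress.ip_network(lan_cidr)
    results = {}
    for index, xml_text in enumerate(responses):
        findings = audit_mapping(parse_mapping_response(xml_text), lan)
        if findings:
            results[index] = findings
    return results


def _response(external, proto, internal, client, desc):
    """Build a constructed SOAP response in the shape a WANIPConnection:1 service returns."""
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>{external}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol>
<NewInternalPort>{internal}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse>
</s:Body>
</s:Envelope>"""


# Constructed sample entries; addresses are assumptions for the example.
SAMPLE_RESPONSES = [
    _response(53241, "TCP", 53241, "192.168.1.10", "Skype"),             # benign
    _response(40445, "TCP", 445, "192.168.1.20", "galleta silenciosa"),  # SMB exposure + marker
    _response(8080, "TCP", 80, "203.0.113.7", ""),                       # client is off-LAN
]

if __name__ == "__main__":
    for index, findings in audit_all(SAMPLE_RESPONSES, "192.168.1.0/24").items():
        print(f"entry {index}:")
        for finding in findings:
            print("  -", finding)
```

Any flagged entry is a reason to follow the reset-and-update steps above rather than simply deleting the mapping, since the injection is a symptom of the router itself having been compromised.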

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.