More Broadband Routers Exposed to NSA Based UPnP Exploit

Friday, November 30th, 2018 (10:50 am) - Score 3,825
security of broadband isp routers

A new report from internet content network Akamai has warned that broadband routers from many different manufacturers (e.g. Asus, NETGEAR, D-Link, Ubiquiti etc.), specifically those that haven’t patched some old Universal Plug and Play (UPnP) vulnerabilities, are being targeted in order to spread the EternalBlue malware.

Weak or unpatched implementations of UPnP have long been a thorn in the side of many routers. The protocol was essentially designed to let devices on a home network discover and connect to each other seamlessly, which makes the end user's life a lot easier and avoids much of the fiddly network setup that was previously only familiar to more advanced users.

Earlier this year, Akamai researchers noted how UPnP was being abused by attackers to conceal traffic (see the white paper), which infected and hijacked routers in order to create a malicious proxy system called UPnProxy. The new system could then be abused to support mass email SPAM, DDoS attacks and related botnets.

The CDN provider claims that there are currently 277,000 devices, out of a pool of 3.5 million, running vulnerable implementations of UPnP. Unfortunately the latest report notes that a new variant of UPnProxy has been spotted, which is helping to spread the EternalBlue (aka EternalRed on Linux) malware. So far some 45,113 devices have been compromised by the widely distributed UPnP NAT injection campaign.

EternalBlue was originally developed in the USA by the National Security Agency (NSA), but the code was later stolen and leaked to the internet. All of this is bad news for anybody who is running a vulnerable router (once this is compromised, so too is your whole network and everything it connects to), particularly if it’s no longer supported or hasn’t been patched with updated firmware to fix the UPnP flaws.

Akamai Statement

These numbers are subject to change as the attackers continue to scan for new machines to compromise. While some of the campaigns observed in the original research have since disappeared, a new campaign of injections has been discovered.

In Akamai’s previous research, we highlighted the possibility that attackers could leverage UPnProxy to exploit systems living behind the compromised router. Unfortunately, data from this recent batch of injections suggests this is exactly what’s happening.

For home users, these attacks can lead to a number of complications, such as degraded service, malware infections, ransomware, and fraud. But for business users, these recent developments could mean systems that were never supposed to exist on the internet in the first place could now be living there unknowingly, greatly increasing their chances of being compromised.

Even more concerning, the services being exposed by this particular campaign have a history of exploitation related to crippling worms and ransomware campaigns targeting both Windows and Linux platforms.

Normally, the NewPortMappingDescription field on your router would state something like “Skype” for legitimate injections, but in UPnProxy campaigns this field is also attacker controlled. The new rulesets discovered by Akamai all contain “galleta silenciosa” (silent cookie/cracker) in Spanish. These sets of injections attempt to expose the TCP ports 139 and 445 on devices behind the router.

What’s the Solution?

The obvious step is to disable UPnP, although this could cause connectivity problems with some devices on your network (experiences will vary, as not all UPnP implementations are the same). Disabling it is probably the best option if you own one of the devices listed in Akamai's white paper, linked above (the list is too long to paste here). After that you should check whether new firmware is available from the manufacturer's website and update.

On the other hand, if you've already been infected then simply disabling UPnP won't be enough; you'll need to consider doing a factory (hardware) reset and then updating the firmware. If at this point you find that no new firmware is available then you'll have no option but to leave UPnP permanently disabled (or buy a new, modern router).

Unfortunately all of this becomes rather more complex if the malware has managed to spread to other computers/devices within your network. Hopefully you'll be running up-to-date anti-virus software and firewalls on those to help prevent such an outcome (you could also block TCP ports 139 and 445), but many modern “smart” devices are rather lacklustre in this department.
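One way to carry out the router check recommended above is to ask the router's own UPnP IGD service (the WANIPConnection GetGenericPortMappingEntry action) to list its port mappings and flag the pattern the Akamai statement describes: rules that forward to TCP 139/445 on a LAN host, or that carry the “galleta silenciosa” description. The example below is written for this page and is not Akamai's or ISPreview's code; the SOAP responses are constructed samples, and the “non-private internal client” heuristic is an assumption based on the proxying behaviour of the earlier UPnProxy campaign.

```python
import ipaddress
import xml.etree.ElementTree as ET
SMB_PORTS = {139, 445}                     # ports the injected rules expose, per Akamai
KNOWN_MARKERS = ("galleta silenciosa",)    # description string Akamai found in the injections

def parse_mapping(soap_xml):
    """Return the New* fields of a GetGenericPortMappingEntryResponse as a dict."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]    # drop any XML namespace prefix
        if tag.startswith("New"):
            fields[tag] = (el.text or "").strip()
    return fields

def assess_mapping(m):
    """List reasons a mapping looks like a UPnProxy injection (empty list = nothing flagged)."""
    reasons = []
    port = m.get("NewInternalPort", "")
    if m.get("NewProtocol", "").upper() == "TCP" and port.isdigit() and int(port) in SMB_PORTS:
        reasons.append(f"exposes SMB/NetBIOS port {port} on {m.get('NewInternalClient')}")
    desc = m.get("NewPortMappingDescription", "").lower()
    if any(marker in desc for marker in KNOWN_MARKERS):
        reasons.append(f"description matches known campaign marker: {desc!r}")
    try:
        # Assumption: a target outside the LAN matches the traffic-proxying pattern of the earlier campaign.
        if not ipaddress.ip_address(m.get("NewInternalClient", "")).is_private:
            reasons.append(f"internal client {m['NewInternalClient']} is not a private LAN address")
    except ValueError:
        reasons.append("internal client is not a valid IP address")
    return reasons

def audit(responses):
    """Return (mapping, reasons) for every mapping that raised at least one flag."""
    results = [(m, assess_mapping(m)) for m in map(parse_mapping, responses)]
    return [r for r in results if r[1]]

def _soap(ext, proto, internal_port, client, desc):
    # Constructed response in the shape of the IGD WANIPConnection action; not captured from a real device.
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>
<NewInternalPort>{internal_port}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE_RESPONSES = [                                                   # constructed sample data
    _soap(3074, "UDP", 3074, "192.168.1.10", "Xbox"),                  # ordinary console mapping
    _soap(47001, "TCP", 445, "192.168.1.23", "galleta silenciosa"),   # injected SMB exposure
    _soap(8080, "TCP", 139, "192.168.1.24", "Skype"),                  # benign-looking label, SMB port
]
```

The third sample shows why the description field alone is not a reliable signal: the attacker controls it, so a mapping labelled “Skype” that forwards to port 139 is still flagged.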

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He is also the founder of ISPreview (since 1999) and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, Facebook and Linkedin.
Leave a Comment
3 Responses
  1. Martin O'Donnell

    Linksys hasn't updated my top of the range EA9500 for over a year now, very disappointed, won't buy Linksys again!

    • Simon

      Most Cisco and Cisco Linksys routers are riddled with NSA backdoors in any case. EA9500 is currently WIP for DD-WRT, personally, I’d flash it with that as soon as it's available.

    • S Wakeman

      It doesn’t seem acceptable that a high-end consumer networking product can have a bevy of known security issues and the only solution be the user flashing it with an open source firmware. Most consumers of even high end products are not technically savvy enough to even be aware of the vulnerabilities, let alone flash their device.

      There surely needs to be some kind of industry-wide legislation that mandates companies provide, at the very minimum, security patches for all products and same-family chipset variants of products currently offered, plus a minimum of 5 years of updates for discontinued and EOL products.

      Some of these devices cost hundreds. For them to be sold with critical security vulnerabilities is unacceptable and bordering on immoral.
