3:30PM, 30 Nov 2018

TLP Rating: White

UPnProxy and 'EternalSilence' being used to exploit routers

CERT NZ is aware of an active exploitation of routers with vulnerable UPnP implementations. This attack appears to be targeting devices with SMB services behind those routers.

Attackers are using a technique called UPnProxy. This technique exploits vulnerabilities in the Universal Plug and Play services installed on some routers. This allows attackers to alter the device's network address translation (NAT) tables. Attackers are inserting special rules into routers NAT tables, allowing them to remotely connect to SMB ports 139 and 445 of devices located behind the router.