UPnProxy and 'EternalSilence' being used to exploit routers
CERT NZ is aware of an active exploitation of routers with vulnerable UPnP implementations. This attack appears to be targeting devices with SMB services behind those routers.
Attackers are using a technique called UPnProxy. This technique exploits vulnerabilities in the Universal Plug and Play services installed on some routers. This allows attackers to alter the device's network address translation (NAT) tables. Attackers are inserting special rules into routers NAT tables, allowing them to remotely connect to SMB ports 139 and 445 of devices located behind the router.
This vulnerability is being exploited in a family of infections referred to as ‘EternalSilence’. These new attacks are believed to be leveraging the Eternal family of exploits, which were used in the WannaCry and NotPetya campaigns.
It’s unclear what the attackers’ intentions are. In previous cases where SMB services have been targeted, attacks such as ransomware and data exfiltration have been carried out.
According to Akamai, there are currently 45,113 known exploited routers worldwide.
What this means
If an attacker is able to insert NAT rules on your router, then they can expose internal services to the internet, to be able to launch attacks directly against those services, from anywhere in the world.
What to look for
How to tell if you're at risk
If your router has UPnP enabled and port 1900 is available from the internet, you are likely to be at risk.
Most known affected devices are consumer-grade network hardware. A list of known exploited brands and models is available at the end of this report:
Akamai whitepaper External Link
Other brands or models may be vulnerable, even if they are not on that list.
How to tell if you're affected
Due to the nature of this vulnerability and the way it’s being exploited, it can be difficult to tell if you’ve been affected.
The researchers of the vulnerability recommend scanning endpoints and auditing entries into your NAT tables.
What to do
If your router is vulnerable to this attack, CERT NZ recommends taking the following steps:
- disable UPnP services on the router. Note: this may affect functionality of devices on your network, or
- configure your firewall to block port 1900 from the internet. This would prevent any new rules from being added from the internet, while still allowing your internal network to make use of UPnP.
If the above mitigations are not possible, replace the router with one that isn’t vulnerable to this type of attack, or will allow for these preventions to be configured.
In all cases, we recommend updating your routers firmware.
If your router has been exploited, you will also need to remove the NAT rules that had been added. This might involve rebooting the router or reinstalling the router firmware.
For further information:
- Akamai whitepaper on the UPnP vulnerability External Link
- Akamai blog on the exploitation of this vulnerability External Link
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media queries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.