3:30pm, 30 Nov 2018
TLP Rating: White
UPnProxy and 'EternalSilence' being used to exploit routers
CERT NZ is aware of an active exploitation of routers with vulnerable UPnP implementations. This attack appears to be targeting devices with SMB services behind those routers.
Attackers are using a technique called UPnProxy. This technique exploits vulnerabilities in the Universal Plug and Play services installed on some routers. This allows attackers to alter the device's network address translation (NAT) tables. Attackers are inserting special rules into routers NAT tables, allowing them to remotely connect to SMB ports 139 and 445 of devices located behind the router.