‘Eternal Silence,’ a malicious campaign, is leveraging Universal Plug and Play (UPnP), which converts the router into a proxy server used to conduct malicious cyberattacks while concealing the threat actors’ location. UPnP, a connectivity protocol, allows other devices on a network to generate port forwarding rules on a router automatically. It is optionally accessible in most current routers. This allows remote devices to access a certain software function or device as needed, with little user setup.
However, it is another technology that compromises security for convenience, mainly when the UPnP implementation is subject to attacks that allow remote actors to add UPnP port-forwarding entries over a device’s exposed WAN connection. Akamai researchers discovered attackers using this issue to develop proxies that disguise their harmful activities, dubbed UPnProxy. 277,000 of the 3,500,000 UPnP routers detected online are susceptible to UPnProxy, with 45,113 already infiltrated by hackers.
According to Akamai’s experts, the perpetrators may be attempting to exploit EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) on unpatched Windows and Linux systems. Exploiting these vulnerabilities can result in various issues, such as resource-intensive cryptominer infections, destructive worm-like attacks that swiftly spread throughout whole corporate networks, or gaining early access to corporate networks. Although Akamai is unaware of the campaign’s success rate, it did notice a systematic approach to the scans, focusing on devices that use static ports and routes for their UPnP daemons to insert port forwards.
“Because there is a decent possibility that (vulnerable) machines unaffected by the first round of EternalBlue and EternalRed attacks were safe only because they weren’t exposed directly to the internet. They were in a relatively safe harbor living behind the NAT,” explains Akamai’s report.
“The EternalSilence attacks remove this implied protection granted by the NAT from the equation entirely, possibly exposing a whole new set of victims to the same old exploits.”
‘Eternal Silence’ is a sophisticated attack since it renders network segmentation ineffective and provides no sign of what is going on with the target. Scanning all endpoints and auditing the NAT table entries is the best technique to see if your devices have been captured.
There are various methods to achieve this, but Akamai has made it simple by providing a bash script that can be used to test a potentially vulnerable URL. Disabling UPnP won’t erase existing NAT injections if you’ve found a device infected with Eternal Silence. Users will have to reset or flash the device instead. Applying the most recent firmware update should also be a top priority since the device maker may have resolved any UPnP implementation problems through a security upgrade.
