UPnP  - UPnP - Over 65,000 Vulnerable Routers Abused by Multi-purpose Botnet

Attackers abuse the Universal Plug and Play (UPnP) protocol that comes with routers and uses the devices to create a powerful proxy network to effectively hide the origin location of the traffic origin.

It appears attackers used this multi-purpose proxy to launch various attacks such as DDoS, Account take over, Credit Card Fraud, Click Fraud, Spamming, and Phishing.

UPnP is a service that makes’s the connectivity ease, it allows devices to expose connection and service automatically to other devices connected to the local network.

Akamai published the report on how the UPnP-enabled devices detected as participants in attacks, “we discovered that some devices appeared to be more susceptible to this vulnerability than others, and contained malicious NAT injections”.

How Attackers leverage UPnP Vulnerability

Attackers obtain required information to connect with TCP-enabled UPnP daemon through SSDP probe response and by modifying local IP address to public IP address allows the attacker to establish the connection with UPnP daemon.

Now can inject bypassing local firewall to access the access the Internal IP address beyond the router or pointing the router itself to the IP or domain that presented outside of the LAN network.

UPnP  - Router 2 - Over 65,000 Vulnerable Routers Abused by Multi-purpose Botnet

According to Akamai “In initial Internet-wide scans, over 4.8 million devices were found to be to simple UDP SSDP (the UDP portion of UPnP) inquiries. Of these, roughly 765,000 (16% of total) of the identified devices were confirmed to also expose their TCP implementations. Over 65,000 (9% of , 1.3% of total) of these devices were discovered to have NAT injections”.

By having a widely distributed Multilayer proxy network that comprises encrypted and millions of unique IP address around the world the botnet authors post a tremendous challenge for investigations.

UPnP  - Router 1 - Over 65,000 Vulnerable Routers Abused by Multi-purpose Botnet

Researchers said there is no easy way for a human to audit or modify them on the devices themselves and the best way is to audit your NAT table entries.

A wide range of the devices affected by this vulnerability that covers 73 brands/manufacturers and close to 400 models. The possible mitigation is to replace the device or to disable vulnerable UPnP services.

Source link


Please enter your comment!
Please enter your name here