Alarming Eternal Silence UPnP Exploit Exposes 1.7 Million Devices To Wi-Fi Zombie Attacks
While the intended functionality of UPnP may be convenient, security suffers as a result. UPnP has left routers and millions of connected devices open to various vulnerabilities over the years since its release.
Many UPnP-enabled devices expose services on their wide area network (WAN) interface, leaving them vulnerable to remote network address translation (NAT) injection. According to the Akamai researchers, attackers have taken advantage of this vulnerability to inject internet-routable hosts into the NAT tables of at least 45,000 of the 277,000 routers vulnerable to this form of attack.
However, the researchers recently discovered and revealed a new way in which attackers are leveraging UPnProxy. They found a new family of injections that attempt to expose the TCP ports 139 and 445 on devices behind the compromised routers, giving attackers network access to the connected devices. The attackers seem to be making use of this network access by attempting to compromise the connected devices by way of the EternalBlue and EternalRed exploits.
EternalBlue impacts Windows devices and has been used to launch devastating attacks, such as WannaCry and NotPetya, even after patches were released. EternalRed, on the other hand, targets Linux-based devices by way of Samba and has been used in a number of attacks, garnering the name SambaCry. While there are patches for both of these exploits, some devices still remain vulnerable, and the researchers have discovered a total of 1.7 million devices connected to compromised routers.
The researchers have named this new family of malicious injections Eternal Silence, drawing on the use of the Eternal family of exploits and the words “galleta silenciosa,” meaning “silent cookie” in Spanish, contained in the new rulesets.
The research team’s original white paper contains a list of almost 400 vulnerable router models, with ASUS and ipTIME having the largest number. Those looking to check their routers for the presence of UPnProxy and EternalSilence can find a bash script used for auditing router NAT table entries, as well as additional information, on Akamai’s blog post.