UPnProxy and 'EternalSilence' being used to exploit routers


3:30pm, 30 November 2018

TLP Rating: Clear

CERT NZ is aware of active exploitation of routers with vulnerable UPnP implementations. This attack appears to be targeting devices with SMB services behind those routers.

Attackers are using a technique called UPnProxy. This technique exploits vulnerabilities in the Universal Plug and Play services installed on some routers, which allow attackers to alter the device's network address translation (NAT) tables. Attackers are inserting special rules into routers' NAT tables, allowing them to remotely connect to SMB ports 139 and 445 of devices located behind the router.

What's happening

Systems affected

This vulnerability is being exploited in a family of infections referred to as ‘EternalSilence’. These new attacks are believed to be leveraging the Eternal family of exploits, which were used in the WannaCry and NotPetya campaigns.

It’s unclear what the attackers’ intentions are. In previous cases where SMB services have been targeted, attacks such as ransomware and data exfiltration have been carried out.

According to Akamai, there are currently 45,113 known exploited routers worldwide. 

What this means

If an attacker is able to insert NAT rules on your router, they can expose internal services to the internet and launch attacks directly against those services from anywhere in the world.

What to look for

How to tell if you're at risk

If your router has UPnP enabled and port 1900 is available from the internet, you are likely to be at risk.

Most known affected devices are consumer-grade network hardware. A list of known exploited brands and models is available at the end of this report: 
Akamai whitepaper

Other brands or models may be vulnerable, even if they are not on that list. 

How to tell if you're affected

Due to the nature of this vulnerability and the way it’s being exploited, it can be difficult to tell if you’ve been affected.

The researchers who identified the vulnerability recommend scanning endpoints and auditing the entries in your NAT tables.

Further information is available from the Akamai website.
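As an added illustration of the NAT table audit recommended above (this is constructed example code, not part of the CERT NZ advisory or the Akamai research): a defender-side check over the port mapping entries a router's UPnP IGD reports through GetGenericPortMappingEntry (WANIPConnection), flagging any rule that forwards internet traffic to SMB ports 139/445 or to an address outside the LAN. The SOAP responses and the 192.168.1.0/24 LAN prefix are assumed sample data; fetching the entries from the router is not shown.

```python
import ipaddress
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN prefix; adjust to yours

# Constructed sample responses in the shape a UPnP IGD WANIPConnection service
# returns for GetGenericPortMappingEntry. Not captured from any real router.
SOAP = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">{}'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
ENTRY = ("<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
         "<NewProtocol>TCP</NewProtocol><NewInternalPort>{internal}</NewInternalPort>"
         "<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
         "<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
         "<NewLeaseDuration>0</NewLeaseDuration>")
SAMPLE_RESPONSES = [
    # a legitimate-looking mapping created by a LAN device for itself
    SOAP.format(ENTRY.format(ext=32400, internal=32400, client="192.168.1.20", desc="media")),
    # an external high port forwarded straight to SMB on a LAN host
    SOAP.format(ENTRY.format(ext=47329, internal=445, client="192.168.1.35", desc="")),
    # a mapping whose target is not on the LAN at all
    SOAP.format(ENTRY.format(ext=47330, internal=80, client="203.0.113.8", desc="")),
]


def parse_mapping(xml_text):
    """Extract the New* argument fields of one GetGenericPortMappingEntry response."""
    root = ET.fromstring(xml_text)
    # Argument elements carry no namespace, so their tags are the bare names.
    fields = {el.tag: (el.text or "") for el in root.iter() if el.tag.startswith("New")}
    return {
        "external_port": int(fields["NewExternalPort"]),
        "protocol": fields["NewProtocol"],
        "internal_port": int(fields["NewInternalPort"]),
        "internal_client": fields["NewInternalClient"],
        "description": fields["NewPortMappingDescription"],
    }


def audit_mappings(responses, lan=LAN):
    """Return (mapping, reason) for each entry that should be reviewed and removed."""
    findings = []
    for m in map(parse_mapping, responses):
        if m["internal_port"] in SMB_PORTS:
            findings.append((m, "forwards internet traffic to SMB (139/445) on a LAN host"))
        elif ipaddress.ip_address(m["internal_client"]) not in lan:
            findings.append((m, "forwards to an address outside the LAN"))
    return findings
```

Any entry returned by audit_mappings should be compared against the mappings your own devices are expected to create; unexplained ones are candidates for removal under the steps in the Mitigation section.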

What to do

Prevention

If your router is vulnerable to this attack, CERT NZ recommends taking the following steps:

  • disable UPnP services on the router (note that this may affect the functionality of devices on your network), or
  • configure your firewall to block port 1900 from the internet. This prevents any new rules from being added from the internet while still allowing your internal network to make use of UPnP.

If the above mitigations are not possible, replace the router with one that isn’t vulnerable to this type of attack, or that allows these preventions to be configured.

In all cases, we recommend updating your router’s firmware.

Mitigation

If your router has been exploited, you will also need to remove the NAT rules that have been added. This might involve rebooting the router or reinstalling the router firmware.

More information

For further information:

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384