Hackers are exploiting Universal Plug and Play (UPnP) to turn routers into a proxy server used to carry out cyber attacks

Cybersecurity specialists from Akamai reported the detection of a malicious campaign based on the abuse of Universal Plug and Play (UPnP) protocols in order to hack routers and use them for cybercriminal purposes. The campaign was identified as Eternal Silence and turns the affected routers into a proxy server part of a cybercriminal infrastructure.

It all started with a report from the same firm published in 2018, when Akamai reported that more than 65,000 home routers had been added to the UPnProxy botnet through the exploitation of a severe vulnerability in UPnP. At the time, the firm noted that more than 23 million IP addresses were vulnerable to remote code execution (RCE) via a single UDP packet, leaving nearly 7,000 versions of routers exposed to attack.

Exploiting the protocol lets threat actors control traffic flowing into and out of the affected networks. The botnet was built from vulnerable devices carrying malicious NAT injections that turn the routers into proxies, which is why it was named UPnProxy.

Regarding Eternal Silence, the experts describe it as a family of injections that abuse two vulnerabilities (CVE-2017-0144 and CVE-2017-7494) in unpatched Windows and Linux systems. These vulnerabilities are old but still affect more than 45,000 routers, and every injection carries the so-called “silent cookie” marker used for exploitation. This set of injections is used to expose TCP ports 139 and 445 on devices behind the router.
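The injections described above are ordinary UPnP IGD port mappings, so a defender can audit a router for them by walking its mapping table (the `GetGenericPortMappingEntry` action of the `WANIPConnection` service) and flagging entries that expose TCP 139/445 on a LAN host or that forward to an address outside the LAN. The script below is an added example, not code from Akamai or from the article; it parses three constructed SOAP responses embedded inline instead of querying a real router, and the "silent cookie" description marker it checks for is an assumption based on the article's wording, not a confirmed indicator string.

```python
"""Audit UPnP IGD port mappings for the UPnProxy / Eternal Silence patterns.

Added example. The SOAP responses below are constructed to look like
WANIPConnection:1 GetGenericPortMappingEntry replies; they were not
captured from any real device.
"""
import ipaddress
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}
# Assumption: the article's "silent cookie" is assumed to appear in the
# mapping description; treat it as a hypothetical marker, not a hard IoC.
INJECTION_MARKER = "silent cookie"
# Anything outside these ranges is treated as "not on the LAN".
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

SOAP = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">{}'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

SAMPLE_RESPONSES = [
    # 1. Eternal Silence style: SMB on a LAN host exposed to the Internet.
    SOAP.format("<NewRemoteHost></NewRemoteHost><NewExternalPort>32100</NewExternalPort>"
                "<NewProtocol>TCP</NewProtocol><NewInternalPort>445</NewInternalPort>"
                "<NewInternalClient>192.168.1.20</NewInternalClient><NewEnabled>1</NewEnabled>"
                "<NewPortMappingDescription>silent cookie</NewPortMappingDescription>"
                "<NewLeaseDuration>0</NewLeaseDuration>"),
    # 2. UPnProxy style: router forwards to an Internet host (TEST-NET-3 address).
    SOAP.format("<NewRemoteHost></NewRemoteHost><NewExternalPort>10000</NewExternalPort>"
                "<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>"
                "<NewInternalClient>203.0.113.5</NewInternalClient><NewEnabled>1</NewEnabled>"
                "<NewPortMappingDescription></NewPortMappingDescription>"
                "<NewLeaseDuration>0</NewLeaseDuration>"),
    # 3. Benign: a LAN media server on a non-SMB port.
    SOAP.format("<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>"
                "<NewProtocol>TCP</NewProtocol><NewInternalPort>8080</NewInternalPort>"
                "<NewInternalClient>192.168.1.30</NewInternalClient><NewEnabled>1</NewEnabled>"
                "<NewPortMappingDescription>media server</NewPortMappingDescription>"
                "<NewLeaseDuration>3600</NewLeaseDuration>"),
]


def parse_mapping(xml_text):
    """Extract the fields of one GetGenericPortMappingEntry response."""
    root = ET.fromstring(xml_text)

    def field(name):
        el = next(root.iter(name), None)  # argument elements carry no namespace
        return (el.text or "").strip() if el is not None else ""

    return {
        "remote_host": field("NewRemoteHost"),
        "external_port": int(field("NewExternalPort") or 0),
        "protocol": field("NewProtocol").upper(),
        "internal_port": int(field("NewInternalPort") or 0),
        "internal_client": field("NewInternalClient"),
        "description": field("NewPortMappingDescription"),
    }


def assess(mapping):
    """Return the list of reasons a mapping looks like an injection (empty if clean)."""
    reasons = []
    if mapping["protocol"] == "TCP" and mapping["internal_port"] in SMB_PORTS:
        reasons.append(f"exposes TCP/{mapping['internal_port']} (SMB/NetBIOS) "
                       f"on {mapping['internal_client']} via external port "
                       f"{mapping['external_port']}")
    try:
        client = ipaddress.ip_address(mapping["internal_client"])
        if not any(client in net for net in LAN_NETWORKS):
            reasons.append(f"forwards to non-LAN host {client}: router would act as a proxy")
    except ValueError:
        reasons.append(f"unparseable internal client {mapping['internal_client']!r}")
    if INJECTION_MARKER in mapping["description"].lower():
        reasons.append(f"description contains marker {INJECTION_MARKER!r}")
    return reasons


def audit(responses):
    """Parse and assess every response; returns [(mapping, reasons), ...]."""
    return [(m, assess(m)) for m in map(parse_mapping, responses)]


if __name__ == "__main__":
    for mapping, reasons in audit(SAMPLE_RESPONSES):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} ext {mapping['external_port']} -> "
              f"{mapping['internal_client']}:{mapping['internal_port']} {reasons}")
```

On a live router the same `parse_mapping`/`assess` pair would be fed the responses of successive `GetGenericPortMappingEntry` calls with increasing `NewPortMappingIndex` until the service returns an error; a mapping whose internal client is not a LAN address, or whose internal port is 139 or 445, is exactly the kind of entry the article says should prompt a firmware update or a factory reset.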

Successful exploitation of the vulnerabilities would allow threat actors to use the compromised devices as part of a botnet or else abuse their processing capabilities for cryptocurrency mining and even deploy ransomware across affected networks.

Experts recommend that users install router updates and firmware patches to contain the risk of exploitation. The report also adds that many UPnP vulnerabilities are still being actively exploited, so this remains a live security risk. If your devices have already been compromised by Eternal Silence, it is recommended to update the firmware or reset the device to its factory settings.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.