Botnet operators and cyber-espionage groups (APTs) are abusing the Universal Plug and Play (UPnP) protocol that comes with all modern routers to proxy bad traffic and hide their real location from investigators.
In a report published on Monday, Akamai revealed that it detected bad actors abusing at least 65,000 routers to create proxy networks for various types of secret or illegal activities.
Bad actors are abusing UPnP
According to Akamai, attackers are abusing the UPnP protocol, a feature that makes it easier to interconnect local WiFi-enabled devices and forward ports and services to the Internet.
UPnP is a crucial service for most of today’s routers, but the protocol was proven to be insecure more than a decade ago, and malware authors have abused various UPnP flaws ever since.
Akamai says it detected a new way through which bad actors have been recently abusing UPnP. Experts say that bad actors have discovered that some routers expose UPnP services meant for inter-device discovery via their WAN (external Internet) interface.
Attackers leverage UPnP for NAT injections
Hackers have been abusing these misconfigured UPnP services to inject malicious routes inside the router’s NAT (Network Address Translation) tables, a set of rules that controls how IPs and ports from the router’s internal network are mapped to the network above (usually the Internet).
These custom NAT rules allow an attacker to connect to the router’s public IP on a specific port, but get redirected automatically to another IP:port combination.
In other words, this flaw allows attackers to use routers with misconfigured UPnP services as proxy servers for their operations, which is why Akamai codenamed this issue UPnProxy.
Hackers can exploit UPnProxy to bypass firewalls and access internal IP addresses…
… or use the router to redirect the request to an entirely new IP address or domain name.
UPnProxy is a serious flaw because it allows an attacker to access the login panel of routers that do not usually expose their backend on the Internet. UPnProxy would redirect a request for [public_IP]:[custom_port] to the router’s backend panel hosted on an internal, restricted IP address.
Such routers, despite having weak credentials, weren’t previously susceptible to brute-force attacks because their admin panel is harder (and sometimes impossible) for an Internet attacker to reach. UPnProxy now lets attackers carry out brute-force attacks against the backend panels of any device on an internal network.
UPnProxy abused by at least one APT
In addition, because UPnProxy can be abused to bounce traffic to any other IP address, the flaw can be used to create an entwined network of proxies that redirect traffic through tens or hundreds of IPs before reaching a final destination.
Such a feature could be abused to mask the location of spam campaigns, phishing pages, advertising click fraud, and DDoS attacks. Because of this, UPnProxy is ideal for botnet operators and cybercrime-related activity, but also for cyber-espionage.
In a separate report, Symantec reported seeing a nation-state-backed actor codenamed “Inception Framework” utilizing the UPnProxy technique to hide their real location behind a cloud of proxies.
Over 4.8 million routers potentially vulnerable
Akamai says it detected over 4.8 million routers that expose various UPnP services via the WAN interface. Of these, Akamai experts say they’ve identified active NAT injections on over 65,000 of these devices, meaning these routers have already been compromised and are actively being used to reroute traffic without the device owner’s consent or knowledge.
Identifying compromised or vulnerable routers is not a trivial operation unless the device owner can find and audit the router’s NAT tables, a task that’s out of the reach of almost 99.99% of all SOHO router owners.
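As an added illustration (not Akamai's script and not code from the report), the Python example below shows what auditing a router's UPnP port mappings involves: it parses `GetGenericPortMappingEntry` SOAP responses, as a router's UPnP IGD service returns them to a LAN client, and flags mappings that point at the router itself or at an address outside the LAN. The responses, the LAN range `192.168.1.0/24`, the router address `192.168.1.1` and all function names are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

def make_response(proto, ext_port, client, int_port, desc):
    """Build a constructed GetGenericPortMappingEntryResponse (sample data)."""
    args = {"NewRemoteHost": "", "NewExternalPort": ext_port, "NewProtocol": proto,
            "NewInternalPort": int_port, "NewInternalClient": client,
            "NewEnabled": 1, "NewPortMappingDescription": desc, "NewLeaseDuration": 0}
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f"{body}</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")

# Constructed sample: one ordinary mapping, then two shaped like injected rules.
SAMPLE = [
    make_response("TCP", 51413, "192.168.1.23", 51413, "sample-app"),
    make_response("TCP", 8443, "192.168.1.1", 80, "sample-a"),
    make_response("TCP", 20021, "203.0.113.25", 443, "sample-b"),
]

def parse_entry(xml_text):
    """Return the New* out-arguments of one SOAP response as a dict."""
    pairs = ((el.tag.rsplit("}", 1)[-1], (el.text or "").strip())
             for el in ET.fromstring(xml_text).iter())
    return {name: text for name, text in pairs if name.startswith("New")}

def classify(entry, lan, router_ip):
    """Flag mappings whose target is the router itself or lies outside the LAN."""
    try:
        target = ipaddress.ip_address(entry["NewInternalClient"])
    except ValueError:
        return "suspicious: internal client is not an IP address"
    if target == router_ip:
        return "suspicious: exposes the router's own services"
    if target not in lan:
        return "suspicious: relays traffic to a non-LAN address"
    return "ok"

def audit(responses, lan_cidr="192.168.1.0/24", router="192.168.1.1"):
    """Classify every mapping; lan_cidr and router are assumed example values."""
    lan, router_ip = ipaddress.ip_network(lan_cidr), ipaddress.ip_address(router)
    report = []
    for xml_text in responses:
        e = parse_entry(xml_text)
        report.append((e["NewProtocol"], int(e["NewExternalPort"]),
                       f'{e["NewInternalClient"]}:{e["NewInternalPort"]}',
                       classify(e, lan, router_ip)))
    return report
```

Calling `audit(SAMPLE)` returns one tuple per mapping; a legitimate mapping normally points at a LAN host other than the router, so the two flagged rows are the ones to investigate.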
To help users, Akamai has compiled a list of 400 router models from 73 vendors that they identified as exposing UPnP services via the WAN interface, and which they suspect may be vulnerable to UPnProxy attacks.
Mitigating UPnProxy attacks would require a massive effort from all affected vendors. This would imply releasing firmware updates that correct UPnP configs to stop exposing UPnP services via WAN interfaces. In the meantime, the only advice Akamai was able to provide was that users replace their existing router with a model not found on its list.
In addition, the company also provided a Bash script that can identify vulnerable or actively exploited routers, although this script won’t be useful unless users know how to connect to their router’s terminal via SSH, run a Bash script, and interpret its results.