Earlier this year, Akamai warned that vulnerabilities in Universal Plug'N'Play (UPnP) had been exploited by scumbags to hijack 65,000 home routers. In follow-up research released this week, it revealed little has changed.

Having revisited its April probing, the web cache biz has come to the conclusion that the security nightmare it dubbed “UPnProxy” is still “alive and well.”

The only way to truly secure a router from UPnProxy attacks is to reflash the hardware, clearing any attacker-injected configuration and installing patched firmware, where available. Oh, and turn UPnP off, which has been standard advice for a decade.

The problem is basically this: it's possible to send carefully crafted HTTP requests to public-facing UPnP services running on various routers to access their internal networks, or relay traffic through the gateways to other machines on the internet. With access to a home LAN, it's possible to attack and infect connected PCs and gizmos. These UPnP vulns, described here [PDF], have not been comprehensively patched.

Scanning the internet once again, Akamai found that out of a pool of 3.5 million potentially vulnerable routers, 277,000 were still open to UPnProxy, and 45,000 have been hijacked. The latest twist is that whoever commandeered these gateways has tried to port forward Windows file sharing aka SMB services from the internal PCs to the outside world so they can be exploited and remote-controlled by the leaked Eternal family of NSA cyber-weapons.

Patches are available for Windows to thwart attacks by EternalBlue et al: your 'doze machines should not fall for these SMB-based infections if you've been keeping up to date, though your router may been snared if you haven't disabled UPnP or patched it.

Details

Akamai's security team explained in this blog post that a sign of infection is the appearance of “telltale routes” in the gateways' port mappings. The essay also outlined how the hackers hijacked some 45,000 routers:

Network scanning – the attackers either mass-scanned the internet looking for machines presenting the Simple Service Discovery Protocol (SSDP) to the world that would reveal the UPnP service, and/or they targeted devices that use a static port (TCP/2048) and path ( /etc/linuxigd/gatedesc.xml ) for the UPnP daemons.

) for the UPnP daemons. When a vulnerable device is found, the attackers set up SMB port forwarding from the LAN to the public internet, using the router's built-in configuration web portal, so that the miscreants can reach stuff on the LAN from outside.

Here is one example of the kind of Network Address Translation (NAT) forwarding rule the attackers could inject into a vulnerable router:

{"NewProtocol": "TCP", "NewInternalPort": "445", "NewInternalClient": "192.168.10.212", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "47669"}

Once the miscreants have compromised a target, they then try to run the NSA-authored, Shadow Brokers-released EternalBlue (CVE-2017-0144), or the Linux variant EternalRed (CVE-2017-7494) against PCs behind the gateway to potentially hijack them.

EternalBlue has been used to infect machines since its release in April 2017, most famously in the WannaCry attacks that began in May 2017; EternalRed pwns *nix systems with a one-line Samba exploit.

Finally, the 45,000-ish hijacked routers have exposed a total of 1.7 million hosts on local networks to the public 'net via UPnProxy. So that's up to nearly two million computers the attackers may have compromised and roped into malware-controlled botnets, Akamai claimed. ®