Earlier in 2018, attackers found a series of exploits within 3.5 million routers that enabled them to use these routers as proxy servers.These compromised routers were then used to hide their phishing emails, spam,and DDoS attacks. DDoS attacks have the potential to bring business operations to a halt. There is, however, a ddos mitigation service from ThousandEyes that can help businesses manage being targeted in this way. The exploits target a specific feature within routers called Universal Plug and Play (UPnP). This feature allows the router to automatically and seamlessly connect different devices on a network together. Unfortunately,the cost for this convenience is the lack of security associated with UPnP.
This fall, researchers discovered that attackers found another use for the UPnProxy exploit. By turning their focus inward, attackers realized they could use the UPnProxy exploit to target computers on the router’s internal network. UPnP works by dynamically mapping ports. By targeting known exploits on ports 145 and 449, called EternalBlue and EternalRed respectively, UPnP’s port mapping features can be used to target vulnerable computers on the LAN side of the router. This new attack, named“EternalSilence”, has been found on over 45,000 routers that may have infected as many as 1.7 million end users.
Chances of infection from this attack is directly related to the UPnP status on the router within the last year as well as the update status of your router and computers. If you suspect your router to be infected, you will need to factory reset the router and update it to the latest firmware. Turning UPnP off will not clear the current NAT injections created by the attack. Even if you believe your router to be unaffected by the attack, it may be worth checking to make sure your router has UPnP turned off. If you are worried about the security of your business, ensure you are using a business class router that does not use insecure features like UPnP.
As always, stay safe out there.
Jake Malony, on behalf of the team at PJ-Networks.