Botnets and advanced persistent threats can exploit misconfigured Universal Plug and Play services in home routers to proxy bad traffic and hide their locations.
According to a report from Akamai this week, nearly 400 models of home routers, across 73 brands, are susceptible to the UPnP vulnerability. The report found that attackers are misusing the UPnP protocol for Network Address Translation (NAT) injections. While UPnP has had security issues in the past, this one has new aspects.
“The UPnProxy vulnerability, like many of the problems we’ve seen recently, was caused by unauthenticated services being exposed to the public internet in ways they were never meant to be,” the report states. “Attackers have taken several aspects of known issues with UPnP and combined them to create a powerful proxy network to hide their traffic. While this is neither a remote exploit that allows the attacker to take over a computer nor a new reflection vector for DDoS, it is still a significant concern because of how it allows the origin of traffic to be hidden.”
The original UPnP vulnerability was discovered in 2006, according to Akamai, by Armijn Hemel, who found that UPnP wasn’t “properly handling network segmentation across the WAN and LAN interfaces.” In 2011, another researcher, Daniel Garcia, released a tool set that enabled a remote user to perform NAT injection into a remote device over the WAN. In 2013, Rapid7 found that there were 80 million devices from over 1,500 vendors that were still susceptible to the UPnP vulnerability.
Akamai’s research found that some devices that support UPnP and are currently in use are being actively abused in the wild.
“The simple explanation of the vulnerability that lead[s] to NAT injections, is that these devices expose services on their WAN interface that are privileged and meant to only be used by trusted devices on a LAN,” the report explained. “Using these exposed services, an attacker is able to inject NAT entries into the remote device, and in some cases, expose machines behind the router while in other cases inject internet-routable hosts into the NAT table, which causes the router to act as a proxy server.”
According to Akamai’s findings, this UPnP vulnerability has been used to create a proxy botnet that attackers use to bypass anticensorship, antispam and antiphishing efforts, carry out click fraud, take over accounts and perform credit card fraud, launch DDoS attacks, distribute malware and hide attackers’ locations for C2 communications.
“End users will not be able to detect a vulnerability like this on their own, and it’s possible an investigation could wrongly assign blame to an innocent party because traffic is exiting through their router,” Akamai said. “Manufacturers need to stop enabling protocols like UPnP on external interfaces; after more than a decade since this issue was discovered, it continues to plague consumer devices. Carriers and ISPs also need to examine whether they should be allowing protocols that are meant for trusted LAN usage to be traversing their networks.”
Akamai noted that the best way to know if a device is susceptible to this UPnP vulnerability is to scan the endpoint and audit the NAT table entries.
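One way to do the NAT-table audit described above, as an added example that is not taken from the Akamai report or this article: it flags port mappings whose internal client is not a host on the LAN, the sign of an injected proxy entry. It assumes the mappings were read from your own router as UPnP IGD `GetGenericPortMappingEntry` responses and that the LAN is 192.168.1.0/24; the sample responses and addresses are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample data: SOAP bodies shaped like UPnP IGD
# GetGenericPortMappingEntryResponse messages, one per NAT table entry.
_TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetGenericPortMappingEntryResponse
 xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE = [  # one ordinary LAN mapping, two pointing at internet-routable hosts
    _TEMPLATE.format(ext=51413, proto="TCP", port=51413, client="192.168.1.23", desc="torrent"),
    _TEMPLATE.format(ext=8443, proto="TCP", port=443, client="203.0.113.10", desc="sync"),
    _TEMPLATE.format(ext=5353, proto="UDP", port=53, client="198.51.100.7", desc="dns"),
]

def parse_entry(soap_xml):
    """Map each New* argument in one response to its text, ignoring namespaces."""
    return {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip()
            for el in ET.fromstring(soap_xml).iter()
            if el.tag.rsplit("}", 1)[-1].startswith("New")}

def audit(responses, lan_cidr):
    """Return the entries whose internal client is not an address on the LAN."""
    lan = ipaddress.ip_network(lan_cidr)
    suspicious = []
    for xml_text in responses:
        entry = parse_entry(xml_text)
        try:
            inside = ipaddress.ip_address(entry.get("NewInternalClient", "")) in lan
        except ValueError:
            inside = False  # empty or non-IP client is not a LAN host: flag it
        if not inside:
            suspicious.append(entry)
    return suspicious

if __name__ == "__main__":
    for e in audit(SAMPLE, "192.168.1.0/24"):
        print("suspicious mapping:", e["NewProtocol"], e["NewExternalPort"],
              "->", e["NewInternalClient"] + ":" + e["NewInternalPort"])
```
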
If a router is affected, the options to fix it are limited to replacing it with a different, unaffected device or disabling UPnP services, which can negatively impact other areas of the network.
However, according to Akamai, “there is no reason for these problems to exist where basic security models are being followed.”
In other news
- AMD and Microsoft released patches this week for the Spectre vulnerability. One variant of Spectre already received software patches from AMD, but the second variant required both microcode and operating system updates. Both AMD and Microsoft released those updates on Monday. “While we believe it is difficult to exploit Variant 2 on AMD processors, we actively worked with our customers and partners to deploy the above described combination of operating system patches and microcode updates for AMD processors to further mitigate the risk,” AMD’s senior vice president and CTO Mark Papermaster wrote in a security update. Microsoft released the operating system patches for Windows 10 and AMD released the microcode patches for AMD processors going back to “Bulldozer” core products. AMD had initially downplayed the severity of the Spectre vulnerability, and patches for both Meltdown and Spectre have had varying levels of success.
- The Mozilla Foundation released its 2018 Internet Health Report this week and looked at some of the biggest issues with the internet from a human perspective, with focus on how people experience privacy, openness, inclusion, web literacy and decentralization of control on the internet today. This included looking at the scale of technology companies like Google, Facebook and Amazon and what this consolidation of power means for the market. It also looked at the flawed online advertising system and how it led us to the era of “fake news.” Finally, it looked at the security of IoT devices and how they have generated struggles in software, hardware and governance. According to the Mozilla Foundation’s executive director, Mark Surman, Facebook and the debacle with Cambridge Analytica played a huge role in the direction of the report, because it raised a lot of questions. “What do we do about the data of up to 87 million people floating around, unrecoverable? Can artificial intelligence help address suspicious behaviour around elections? What are Facebook’s responsibilities to users and the public?” Surman wrote in a blog post. “Unsurprisingly, it was also quite scattered. We do not yet have a collective mental map of how issues like these connect.”
- Proof-of-concept code has been published for a critical vulnerability in the Drupal content management system that was discovered last month and it is now being exploited. The code was published on GitHub by a Russian security researcher and enables attackers to exploit the vulnerability, dubbed Drupalgeddon 2.0. Security company Sucuri first spotted exploitation of the Drupal vulnerability on April 12, 2018 — only a few hours after Check Point Research published a blog post about the proof-of-concept code on GitHub. The vulnerability enables attackers to take control of websites that use the Drupal content management system — which means that more than one million websites running Drupal could be exploited. The Drupal security team released a patch for the vulnerability on March 28, and at the time there were no known exploits in the wild. Security researchers are not yet aware of any sites that have been completely taken over, so it’s recommended that Drupal users apply the patches immediately.