[ad_1]
Earlier this year, Akamai had warned that Universal Plug's nicks (UPnP) had been exploited by fools to hijack 65,000 home routers. Later research published this week revealed that little has changed.
After revisiting his April survey, the web cache company came to the conclusion that the security nightmare he nicknamed "UPnProxy" was still "alive and well".
The only way to truly secure a router from UPnProxy attacks is to reboot the hardware, clear any configuration that an attacker injects, and install the corrected firmware, if necessary. Oh, and disable UPnP, which is standard advice for a decade.
The problem is essentially that it is possible to send carefully crafted HTTP requests to UPnP services intended for the public and run on different routers to access their internal networks, or to relay traffic via gateways to other machines. on the Internet. With access to a local home network, it is possible to attack and infect connected PCs and gizmos. These UPnP techniques, described here [PDF], have not been completely corrected.
After a new Internet scan, Akamai found that out of a pool of 3.5 million potentially vulnerable routers, 277,000 were still open to UPnProxy and 45,000 had been hacked. The last novelty is that those who ordered these gateways tried to transfer the Windows file sharing to external services, so that they could be remotely operated and controlled by the eternal family of cyber-weapons NSA .
Fixes are available for Windows to counter the attacks of EternalBlue et al: your sleepwalking machines should not fall for these SMB-based infections if you kept informed, but your router could be blocked if you have not disabled UPnP or patched it.
Details
The security team of Akamai explained in this blog post that a sign of infection is the appearance of "revealing roads" in gateway port mappings. The test also explains how hackers have hijacked about 45,000 routers:
- Network Analysis: Hackers mass-scan the Internet and look for machines presenting the Simple Service Discovery Protocol (SSDP) revealing the UPnP service, and / or targeting devices using a static port (TCP / 2048). way (
/etc/linuxigd/gatedesc.xml
) for UPnP daemons. - When a vulnerable device is detected, the attackers configure the SMB port forwarding from the local network to the public internet, using the Router's built-in configuration web portal, so that villains can gain access. to the rest of the local network.
Here is an example of the type of Network Address Translation (NAT) forwarding rule that attackers could inject into a vulnerable router:
{"NewProtocol": "TCP", "NewInternalPort": "445", "NewInternalClient": "192.168.10.212", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "47669"}
Once the scoundrels have compromised a target, they then attempt to execute CVE-2017-0144's EternalBlue (CVE-2017-0144), released by Shadow Brokers (CVE-2017-0144), or the Linux EternalRed variant (CVE-2017-7494) behind the gateway to the potential. to divert them.
EternalBlue has been used to infect machines since its release in April 2017, especially during the WannaCry attacks that began in May 2017; EternalRed pwns * nix with a one-line Samba exploit.
Finally, the hijacked routers of 45,000 computers exposed a total of 1.7 million hosts on local networks to the public network via UPnProxy. According to Akamai, this represents nearly two million computers that the attackers may have compromised and networked. ®
Sponsored:
Put the Sec in DevSecOps
Source link