[SingCERT] Alert on EternalSilence, a New Variant of EternalBlue and EternalRed Abusing UPnP Services on Routers

Published on Wednesday, 05 December 2018 17:21

Background

Akamai researchers have recently published their observations on how a router feature known as Universal Plug and Play (UPnP) was being abused by attackers to conceal traffic, creating a proxy system dubbed "UPnProxy". UPnProxy can be leveraged to distribute spam and malware and to launch DDoS attacks.

Attackers are known to (i) make unauthorised changes to the affected router’s Network Address Translation table, (ii) remap its port forwarding settings to proxy malicious traffic, and (iii) leverage its UPnP feature to enable remote connections to the affected router.

Affected Products

Routers with UPnP services enabled or outdated routers are vulnerable to the attack.

Akamai has detected a list of compromised routers in Singapore. SingCERT will notify these consumers through their respective ISPs.

Impact

When successfully exploited, attackers could hijack the affected router to proxy their malicious activities. If unaddressed, this could lead to more affected cases.

Recommendations

For End-Users:

  • Reset the router to its original factory settings.
  • Disable the UPnP feature on the router.
  • Update the router firmware to the latest version (if available).

If you need further assistance, please visit the support websites of the respective brands or contact your vendors.

For Administrators:

  • In addition to the above recommendations, consider adding firewall rules to block Internet access on TCP ports 139 and 445 to the affected router.
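
To check a router for the port forwarding changes described under Background, its UPnP port mapping table can be audited for entries that forward to hosts outside the LAN or that expose TCP ports 139 and 445. The following is an added example, not part of the original advisory: the function names, the LAN subnet and the sample responses are assumptions constructed for illustration, and the field names are those of the UPnP IGD GetGenericPortMappingEntry action.

```python
import ipaddress
import xml.etree.ElementTree as ET

SMB_PORTS = {"139", "445"}                    # TCP ports named in the advisory
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: your LAN subnet

def parse_entry(soap_xml):
    """Return the New* fields of one GetGenericPortMappingEntry response."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]       # drop any XML namespace
        if tag.startswith("New"):
            fields[tag] = (el.text or "").strip()
    return fields

def audit(entry):
    """Return the reasons a mapping deserves review (empty list: none)."""
    if entry.get("NewEnabled") == "0":
        return []                             # disabled mappings forward nothing
    try:
        client = ipaddress.ip_address(entry.get("NewInternalClient", ""))
    except ValueError:
        return ["internal client is not a valid IP address"]
    reasons = []
    if client not in LAN:
        reasons.append("forwards to a host outside the LAN")
    port = entry.get("NewInternalPort", "")
    if entry.get("NewProtocol", "").upper() == "TCP" and port in SMB_PORTS:
        reasons.append("exposes TCP 139/445 to the Internet")
    return reasons

def sample(ext, proto, int_port, client):
    """Build a constructed SOAP response for the demo (not captured data)."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in [
        ("NewRemoteHost", ""), ("NewExternalPort", ext), ("NewProtocol", proto),
        ("NewInternalPort", int_port), ("NewInternalClient", client),
        ("NewEnabled", 1), ("NewLeaseDuration", 0)])
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Body><u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            + body + "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")

SAMPLES = [sample(51413, "UDP", 51413, "192.168.1.20"),   # ordinary LAN mapping
           sample(47001, "TCP", 445, "192.168.1.30"),     # SMB exposed
           sample(47002, "TCP", 80, "203.0.113.10")]      # target outside the LAN

def findings(responses=SAMPLES):  # external port -> reasons, flagged entries only
    hits = ((e, audit(e)) for e in map(parse_entry, responses))
    return {int(e["NewExternalPort"]): why for e, why in hits if why}
```

Calling findings() on the constructed samples flags external ports 47001 and 47002; on a real router, pass in the responses collected from its port mapping table and set LAN to the actual subnet.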

References

https://blogs.akamai.com/sitr/2018/11/upnproxy-eternalsilence.html

https://www.csa.gov.sg/singcert/news/advisories-alerts/wanacrypt0r-aka-wannacry--what-you-need-to-know-and-the-actions-to-take