Published on Wednesday, 05 December 2018 17:21

Background
Akamai researchers have recently published their observations on how a router feature known as Universal Plug and Play (UPnP) was being abused by attackers to conceal traffic, creating a proxy system dubbed "UPnProxy". UPnProxy can be leveraged to distribute spam and malware and to launch DDoS attacks.
Attackers are known to (i) make unauthorised changes to the affected router’s Network Address Translation table; (ii) remap its port forwarding settings to proxy malicious traffic; and (iii) leverage its UPnP feature to enable remote connections to the affected router.
Routers with UPnP services enabled or outdated routers are vulnerable to the attack.
Akamai has detected a list of compromised routers in Singapore. SingCERT will notify these consumers through their respective ISPs.
When successfully exploited, attackers could hijack the affected router to proxy their malicious activities. If unaddressed, this could lead to more affected cases.
- Reset the router to its original factory settings.
- Disable the UPnP feature on the router.
- Patch the router firmware to the latest available version (if available).
If you need further assistance, please visit the support websites of the respective brands or contact your vendors.
- In addition to the above recommendations, consider adding firewall rules to block Internet access on TCP ports 139 and 445 to the affected router.
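
An added example (not part of this advisory or of Akamai's tooling): a Python audit that parses a router's UPnP port mappings and flags forwards of the kind described above. It assumes the mappings were retrieved as UPnP IGD `GetGenericPortMappingEntry` SOAP responses and that the LAN is 192.168.1.0/24. The two heuristics (internal client outside the LAN, forward to TCP 139/445) and all sample values are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}  # TCP ports the advisory recommends blocking

def parse_mapping(soap_xml):
    """Extract the New* arguments from one GetGenericPortMappingEntry response."""
    root = ET.fromstring(soap_xml)
    return {el.tag: (el.text or "").strip() for el in root.iter() if el.tag.startswith("New")}

def audit_mapping(entry, lan_cidr):
    """Return reasons a mapping looks unauthorised (empty list means no finding)."""
    try:
        client = ipaddress.ip_address(entry.get("NewInternalClient", ""))
    except ValueError:
        return ["internal client is not a valid IP address"]
    reasons = []
    if client not in ipaddress.ip_network(lan_cidr):
        reasons.append("forwards to a host outside the LAN")
    port = entry.get("NewInternalPort", "")
    if entry.get("NewProtocol", "").upper() == "TCP" and port.isdigit() and int(port) in SMB_PORTS:
        reasons.append("forwards to TCP 139/445")
    return reasons

def audit_all(responses, lan_cidr="192.168.1.0/24"):
    """Map external port -> reasons for every flagged mapping."""
    findings = {}
    for xml_text in responses:
        entry = parse_mapping(xml_text)
        reasons = audit_mapping(entry, lan_cidr)
        if reasons:
            findings[int(entry["NewExternalPort"])] = reasons
    return findings

def _sample(ext_port, client, int_port, proto):
    """Build a constructed response; every value is invented test data."""
    args = {"NewExternalPort": ext_port, "NewProtocol": proto, "NewInternalPort": int_port,
            "NewInternalClient": client, "NewEnabled": 1, "NewPortMappingDescription": "sample"}
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f"{body}</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")

SAMPLES = [
    _sample(51413, "192.168.1.20", 51413, "TCP"),  # ordinary LAN forward
    _sample(20031, "203.0.113.50", 80, "TCP"),     # target outside the LAN
    _sample(38281, "192.168.1.35", 445, "TCP"),    # SMB reachable from outside
]
print(audit_all(SAMPLES))
```

Any flagged mapping that the router's owner did not create is a reason to apply the reset, UPnP and firmware steps listed above.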