Hackers are exploiting insecure UPnP implementations in routers to expose millions of computers from inside private networks to SMB attacks.
Universal Plug and Play (UPnP) is a service that allows devices to discover each other inside local networks and automatically open ports for data sharing, media streaming and other services. Normally, UPnP should only be exposed to the LAN interface, but insecure implementations have been found in numerous devices over the years, especially in home routers.
Earlier this year, researchers from Akamai found that attackers were scanning the internet for routers that exposed their UPnP service without authentication and were abusing them to set up port forwarding rules that allowed them to use the devices as proxies for malicious traffic. The researchers dubbed that attack UPnProxy.
Now, six months later, there are still 3.5 million devices that expose their UPnP endpoint to the internet and 277,000 of them are vulnerable to UPnProxy. Even worse, attackers have switched from simply using this technique to proxy malicious traffic to exposing computers behind the affected routers.
Akamai found malicious UPnP injections on more than 45,000 routers that opened random external ports in the devices and mapped them to ports 445 and 139 TCP on internal IP addresses. Ports 445 and 139 are used by SMB, a network file-sharing protocol enabled by default on Windows and Linux computers.
This means that attackers now have the capability to access internal computers over SMB directly from the internet. And SMB has known vulnerabilities, such as EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) which have been widely exploited in the wild by ransomware worms including WannaCry and NotPetya.
In fact, attackers have put “galleta silenciosa”―Spanish for “silent cookie/cracker”―in the description field of the injected port mapping rules. Because of this, the Akamai researchers have named the new attack EternalSilence.
“Taking current disclosures and events into account, Akamai researchers believe that someone is attempting to compromise millions of machines living behind the vulnerable routers by leveraging the EternalBlue and EternalRed exploits,” the company said in its report.
These appear to be opportunistic attacks where hackers have taken a shotgun approach and are blindly injecting SMB port forwarding rules wherever they can. This doesn’t make the attacks less serious, as corporate networks might still contain a significant number of computers and devices that haven’t yet been patched against SMB flaws and are only protected because they can’t be reached from the internet.
“The EternalSilence attacks remove this implied protection granted by the NAT from the equation entirely, possibly exposing a whole new set of victims to the same old exploits,” the Akamai researchers said.
Detecting the injections is not easy because they don’t typically show up in administrative interfaces. To see them, administrators have to use special tools that interact with UPnP and can dump the entries from the NAT table.
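The kind of check the paragraph above describes, as an added example (not Akamai's tooling): it walks a router's UPnP port-mapping table through the standard GetGenericPortMappingEntry action and flags entries that forward to TCP 445/139 or carry the “galleta silenciosa” description. It assumes the WANIPConnection:1 control URL has already been read from the router's device-description XML, and the embedded sample response is constructed for offline use.

```python
# Added example (not Akamai's tooling): read a router's UPnP mapping table and flag SMB injections.
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
SMB_PORTS = {"445", "139"}
# Constructed sample response (not captured from a real device), shaped like an injected entry.
SAMPLE_RESPONSE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>47622</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>445</NewInternalPort><NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>galleta silenciosa</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

def soap_request(control_url, index):
    """Build the SOAP POST that asks for the mapping at table position `index`."""
    body = (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:{ACTION} xmlns:u="{SERVICE}"><NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:{ACTION}></s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{SERVICE}#{ACTION}"'}
    return urllib.request.Request(control_url, data=body.encode(), headers=headers)

def parse_entry(xml_text):
    """Collect the New* fields of a response into a dict keyed without the 'New' prefix."""
    return {el.tag.split("}")[-1][3:]: (el.text or "").strip()
            for el in ET.fromstring(xml_text).iter() if el.tag.split("}")[-1].startswith("New")}

def suspicious(entry):
    """Reasons a mapping matches the SMB-exposure pattern Akamai describes (empty list = clean)."""
    reasons = []
    if entry.get("Protocol", "").upper() == "TCP" and entry.get("InternalPort") in SMB_PORTS:
        reasons.append(f"external {entry.get('ExternalPort')} -> {entry.get('InternalClient')}:{entry['InternalPort']} (SMB)")
    if "galleta silenciosa" in entry.get("PortMappingDescription", "").lower():
        reasons.append("'galleta silenciosa' marker in description")
    return reasons

def walk_mappings(fetch):
    """Parse entries 0, 1, 2, ... until `fetch(index)` returns None (index past the end of the table)."""
    return [parse_entry(x) for x in iter(map(fetch, range(65536)).__next__, None)]

def fetch_entry(control_url, index):
    """Fetcher for a real router: it answers HTTP 500 (UPnPError 713) once the index is past the end."""
    try:
        with urllib.request.urlopen(soap_request(control_url, index), timeout=5) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError:
        return None
```

Against a live device, call `walk_mappings(lambda i: fetch_entry(control_url, i))` and print `suspicious(entry)` for each result; the sample response stands in for the fetcher when testing offline.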
Worse, the injection technique can be used in the future for additional services, every time a serious vulnerability appears in a protocol that’s not typically exposed to the internet but can be attacked over the local network.
Router owners should make sure their devices are running the latest available firmware version and they should disable UPnP if it’s not needed. For devices that might have already been compromised, a reset to factory default settings is recommended to clean the NAT injections after disabling UPnP.

NUUO Patches Vulnerability That Exposes Surveillance Cameras
Security researchers have identified a serious vulnerability in a network video recorder (NVR) product from NUUO that can be used to compromise the recordings and feeds from surveillance cameras.
The vulnerability is a buffer overflow affecting NUUO’s NVRMini2 and was found by researchers from security firm Digital Defense. NVRMini2 is an NVR-NAS combo device that’s capable of recording and controlling video feeds from multiple surveillance cameras.
The vulnerability allows remote unauthenticated attackers to execute arbitrary code on affected systems with root privileges. It can be exploited by sending a specially crafted GET request to the affected service with a URI length of 351 characters or greater.
Users should update their NVRMini2 systems to the latest firmware version released by the manufacturer. The vulnerability affects firmware versions 3.9.1 and older.
It’s estimated that NUUO’s devices are used in more than 100,000 video surveillance deployments worldwide, in industries such as retail, transportation, education, government and banking. Since each NVR device can be used to control up to 16 cameras, the number of indirectly affected cameras is most likely in the hundreds of thousands.