A report published by Akamai found that threat actors are abusing at least 65,000 routers to create proxy networks for various illegal activities. According to the company’s report, the attackers are using UPnP to build these proxy networks.
Although UPnP is a standard feature of every modern router, the protocol has a poor security record, and its flaws have been widely exploited by malware authors. The attackers are using misconfigured UPnP services to inject malicious entries into the router’s network address translation (NAT) tables. NAT is the set of rules that controls how IP addresses and ports on the router’s internal network are mapped to the external network.
A custom NAT entry that is not configured properly provides easy access to the network through the router’s public IP on a specific port; this flaw allows attackers to use routers with misconfigured UPnP services as proxy servers for their operations. Akamai named the technique UPnProxy.
The UPnProxy attack can reach the login panel of the user’s router, which lets the attackers interconnect the local Wi-Fi-enabled devices and forward ports and services to the Internet. In layman’s terms, the attackers are using the affected routers as proxy servers.
In a separate report, Symantec described seeing a nation-state-backed actor codenamed “Inception Framework” using the UPnProxy technique to hide its real location behind a cloud of proxies. Akamai said more than 4.8 million routers are exposed to various UPnP bugs, such as flaws in the WAN interface. Identifying endangered or vulnerable routers is not a trivial process unless the device owner can find and audit the router’s NAT tables, a task that is out of reach for almost 99.99% of all SOHO router owners.
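The NAT-table audit the paragraph above calls for can be scripted: a router’s WANIPConnection service answers GetGenericPortMappingEntry for each index until it returns a fault, and any mapping whose internal client is not a LAN host is a UPnProxy-style injected entry. The code below is an added example, not code from Akamai, Symantec or the article; the control URL, the LAN subnet and the sample responses are all assumed or constructed, and only the offline parsing and flagging part runs without a router.

```python
import ipaddress
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewPortMappingDescription")

def soap_body(index):  # SOAP request for NAT table entry number `index`
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}"><NewPortMappingIndex>{index}'
            f'</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def fetch_responses(control_url, max_entries=200):
    """Walk the NAT table index by index; control_url is the WANIPConnection control URL (assumed)."""
    headers = {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'}
    responses = []
    for i in range(max_entries):
        req = urllib.request.Request(control_url, soap_body(i).encode(), headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                responses.append(r.read().decode())
        except urllib.error.HTTPError:  # SOAP fault SpecifiedArrayIndexInvalid: past the last entry
            break
    return responses

def parse_mapping(xml_text):  # the response's child elements carry no namespace
    return {tag: (ET.fromstring(xml_text).findtext(f".//{tag}") or "").strip() for tag in FIELDS}

def is_suspicious(mapping, lan_net):  # UPnProxy entries point at hosts outside the LAN
    try:
        return ipaddress.ip_address(mapping["NewInternalClient"]) not in lan_net
    except ValueError:  # empty or non-address client: flag it for a human to look at
        return True

def audit(responses, lan_cidr="192.168.1.0/24"):  # NAT entries whose internal client is off-LAN
    lan_net = ipaddress.ip_network(lan_cidr)
    return [m for m in map(parse_mapping, responses) if is_suspicious(m, lan_net)]

def _sample(ext_port, proto, client, int_port, desc):  # constructed response, not captured traffic
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><u:GetGenericPortMappingEntryResponse'
            f' xmlns:u="{SERVICE}"><NewRemoteHost/><NewExternalPort>{ext_port}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
            f'<NewInternalPort>{int_port}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

SAMPLE_RESPONSES = [
    _sample(8080, "TCP", "192.168.1.20", 80, "nas-web"),   # normal forward to a LAN host
    _sample(45000, "TCP", "203.0.113.7", 25, "injected"),  # internal client is an Internet host
]
```

Against a real device, `audit(fetch_responses("http://192.168.1.1:1900/ctl/IPConn"), "192.168.1.0/24")` with the control URL taken from the router’s device description returns the entries worth removing.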
Take your time to comment on this article.
Source: Bleepingcomputer