What does UPnProxy mean?

2025-01-16 Update From: SLTechnology News&Howtos (Network Security)


Shulou (Shulou.com) 05/31 Report

This article explains what UPnProxy refers to. The content is meant to be easy to follow; it should help clear up any doubts, so let the editor walk you through "what does UPnProxy mean".

Preface

At present, more than 3.5 million devices around the world have UPnP deployed, and about 280,000 of them have security problems. Akamai researchers say nearly 50,000 devices have been compromised by UPnP NAT injection attacks that target the service ports used by SMB, exposing the devices connected behind the target router to attack from the Internet.

Background

In 2018, Akamai researchers found that attackers had begun to misuse Universal Plug and Play (UPnP) to hide malicious traffic and build malicious proxy systems, a technique we named UPnProxy. With UPnProxy, attackers can route malicious traffic at will, which is a serious security risk, because the proxy can be applied to a wide range of attack techniques, including spam, phishing, click fraud, DDoS and so on.

According to the current data, UPnProxy is still active: the number of potentially affected devices worldwide has reached 3.5 million, and the number of identified vulnerable devices is about 280,000. Although some of the previously detected attacks have disappeared, we have found other new attacks, so the number of infected devices keeps changing.

In previous reports released by Akamai, we highlighted the possibility of attackers using UPnProxy to compromise the devices connected behind the target router. Unfortunately, this has now happened.

For home users, this attack can lead to a series of problems, such as degraded network quality, malware infection, ransomware attacks and online fraud. For business users, this threat can expose systems that should never have been reachable from the Internet, without the administrators noticing, greatly increasing the attack surface of enterprise systems. What is more worrying is that this attack is aimed mainly at the Windows and Linux platforms, which are currently the platforms most attacked by Trojans, worms and ransomware.

Eternal Silence

On November 7th, researchers discovered a new type of attack belonging to the UPnProxy family, which we named Eternal Silence, a name derived from the port mapping description left by the attacker.

On a router, the NewPortMappingDescription field normally holds a value like "Skype", indicating a legitimate mapping requested by an application. In UPnProxy activity, this field is controlled by the attacker. In the latest attacked routers detected by Akamai, the values of this field are all "galleta silenciosa", Spanish for "silent cookie/cracker". This injection attack exposes TCP ports 139 and 445 of the devices connected behind the target router:

{"NewProtocol": "TCP", "NewInternalPort": "445", "NewInternalClient": "192.168.10.212", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "47669"}

Taking all the analysis results into account, Akamai researchers believe that attackers are likely to exploit the EternalBlue and EternalRed vulnerabilities to compromise further devices. Unfortunately, Akamai researchers do not know what happens after a successful injection, because currently we can only observe the injection itself and cannot capture the payload that carries out the final attack. The researchers believe there are many things cyber criminals could do after a successful attack, such as launching a ransomware attack, or implanting a backdoor into the target network and achieving persistent infection.

Attack analysis

EternalBlue (CVE-2017-0144): this is already a famous vulnerability that Snowden "stole" from the NSA. It affects every Windows version, and even though a patch (MS17-010) is available, some cyber criminals are still using this vulnerability to launch attacks, such as WannaCry and NotPetya.

EternalRed (CVE-2017-7494): the sibling of EternalBlue, it targets Samba and opens the door for the Eternal family to "enter" Linux systems. It has been used in a variety of malicious mining campaigns and gradually developed into SambaCry.

We found that this is not a targeted attack but a large-scale one, carried out with ready-made exploits that have already been proven in the wild, filling the cyber criminals' "target device pool" by casting a wide net. This approach makes sense, because many enterprise devices that are not directly connected to the external network are likely to be missing the patches for EternalBlue or EternalRed; with SMB port forwarding, attackers are able to reach the other devices behind the router, and none of the unpatched devices will be spared.

Here are the Eternal Silence injection samples we found in one of the infected routers:

{"NewProtocol": "TCP", "NewInternalPort": "445", "NewInternalClient": "192.168.10.165", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "47622"},
{"NewProtocol": "TCP", "NewInternalPort": "139", "NewInternalClient": "192.168.10.166", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "28823"},
{"NewProtocol": "TCP", "NewInternalPort": "445", "NewInternalClient": "192.168.10.166", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "47623"},
{"NewProtocol": "TCP", "NewInternalPort": "139", "NewInternalClient": "192.168.10.183", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "28840"},
{"NewProtocol": "TCP", "NewInternalPort": "192.168.10.194", "NewInternalClient": "192.168.10.194", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "28851"},
{"NewProtocol": "TCP", "NewInternalPort": "28864", "NewInternalClient": "192.168.10.198", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "28855"},
{"NewProtocol": "TCP", "NewInternalPort": "28855", "NewInternalClient": "192.168.10.207", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "28864"},
{"NewProtocol": "TCP", "NewInternalPort": "139", "NewInternalClient": "192.168.10.209", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "28866"},
{"NewProtocol": "TCP", "NewInternalPort": "139", "NewInternalClient": "192.168.10.212", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "28869"},
{"NewProtocol": "TCP", "NewInternalPort": "445", "NewInternalClient": "192.168.10.212", "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "47669"}

Lack of visibility

In general, it is difficult for an administrator to detect malicious NAT injection on a router. The UPnP protocol exists precisely to let devices request NAT port forwarding automatically through the router's Internet Gateway Device (IGD) service, so these rules do not appear in the configuration the administrator wrote. Auditing them requires UPnP tooling, device scanning and manual review of the rules.

The following Bash script dumps the router's UPnP NAT entries by querying GetGenericPortMappingEntry for each index:

#!/usr/bin/bash
url=$1
# Standard SOAP envelope for the WANIPConnection GetGenericPortMappingEntry action;
# the index is inserted between head and tail.
soap_head='<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetGenericPortMappingEntry xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewPortMappingIndex>'
soap_tail='</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
# NewPortMappingIndex is zero-based, so start at 0 or the first entry is missed.
for i in $(seq 0 10000); do
  payload="$soap_head$i$soap_tail"
  curl -s -H 'Content-Type: "text/xml;charset=UTF-8"' \
       -H 'SOAPACTION: "urn:schemas-upnp-org:service:WANIPConnection:1#GetGenericPortMappingEntry"' \
       --data "$payload" "$url"
  echo ""
done
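The audit step the article leaves to the administrator can be automated over the entries the script returns. The following Python example is added here and is not Akamai's or the article's code: it flattens one GetGenericPortMappingEntry SOAP reply (constructed here in the standard response layout) into the same dict shape the article's JSON entries use, then flags the Eternal Silence and UPnProxy patterns described above: SMB ports 139/445 exposed, a forward to a host outside the LAN (the LAN prefix 192.168.10.0/24 is an assumption taken from the sample entries), and the "galleta silenciosa" / "node:nat:upnp" descriptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}
# Description strings the article associates with UPnProxy injections.
KNOWN_MARKERS = ("galleta silenciosa", "node:nat:upnp")

# Constructed sample in the shape of the article's JSON entries: one Eternal Silence
# injection, one UPnProxy forward to an outside host, one benign mapping.
SAMPLE_MAPPINGS = [
    {"NewProtocol": "TCP", "NewInternalPort": "445", "NewInternalClient": "192.168.10.212",
     "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "47669"},
    {"NewProtocol": "TCP", "NewInternalPort": "53", "NewInternalClient": "8.8.8.8",
     "NewPortMappingDescription": "node:nat:upnp", "NewExternalPort": "50694"},
    {"NewProtocol": "UDP", "NewInternalPort": "38120", "NewInternalClient": "192.168.10.20",
     "NewPortMappingDescription": "Skype", "NewExternalPort": "38120"},
]

# Constructed SOAP reply in the standard GetGenericPortMappingEntryResponse layout,
# i.e. what the curl loop above receives for one index.
SAMPLE_SOAP = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>50694</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>53</NewInternalPort><NewInternalClient>8.8.8.8</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>node:nat:upnp</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

def parse_soap_mapping(xml_text):
    """Flatten one GetGenericPortMappingEntryResponse into a dict of argument name -> value."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag.endswith("GetGenericPortMappingEntryResponse"):
            return {child.tag: (child.text or "") for child in elem}
    raise ValueError("no port mapping entry in response")

def audit_mapping(m, lan=ipaddress.ip_network("192.168.10.0/24")):
    """Return the reasons a mapping looks like a UPnProxy / Eternal Silence injection."""
    reasons = []
    client = ipaddress.ip_address(m["NewInternalClient"])
    port = int(m["NewInternalPort"])
    desc = m.get("NewPortMappingDescription", "").lower()
    if client not in lan:  # NAT should only forward to LAN hosts; an outside target means proxying
        reasons.append(f"forwards to non-LAN host {client}")
    if port in SMB_PORTS:  # the Eternal Silence pattern: an internal host's SMB exposed
        reasons.append(f"exposes SMB port {port} on {client}")
    if any(marker in desc for marker in KNOWN_MARKERS):
        reasons.append(f"known UPnProxy description {desc!r}")
    return reasons
```

Feed every response of the script through parse_soap_mapping and audit_mapping; an empty list means the mapping matched none of the patterns, not that it is legitimate.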

Here is the data we exported from a host that was attacked by UPnProxy injection:

$ ./brute_upnproxy.sh http://192.168.1.1:2048/etc/linuxigd/gatedesc.xml
50694 TCP 53 8.8.8.8 1 node:nat:upnp 0
30932 TCP 53 8.8.8.8 1 nodeVONAVRAPUP 0
.. snip ..

(Fields in order: external port, protocol, internal port, internal client, enabled flag, port mapping description, lease duration. The XML tags of the responses were lost in extraction; the values are as returned.)

That is all the content of this article, "What does UPnProxy mean?". Thank you for reading! I believe we all have a certain understanding now; hopefully the content shared here helps you, and if you want to learn more, you are welcome to follow the industry information channel.
