The hack, known as UPnProxy, exploits a weakness in how many routers implement UPnP: the port-mapping control interface, which is meant to be used only by devices on the local network, answers requests arriving from the internet as well. That lets an outside attacker alter the router's Network Address Translation (NAT) table.
That table is essentially a set of rules controlling how ports and IP addresses on the router's internal network are mapped onto a larger network segment, most commonly the internet itself: each entry says which external port on the router forwards to which internal address and port. Normally only a device behind the router can add an entry.
When the exploit was first discovered back in April, it was being used to enslave routers, turning them into proxies for ordinary web traffic by adding NAT entries that forward to hosts on the internet. According to Akamai, however, there is a new variant of the UPnProxy attack in which the rules the attackers insert into the NAT table point at machines inside the router's own network instead.
In addition to enslaving the router as described above, the new rules allow an attacker outside your network to connect to the SMB ports (TCP 139 and 445) of computers and other devices located behind the router, inside your company's network. Those ports are normally unreachable from the internet because the router does not forward unsolicited inbound connections to internal hosts; the injected entries change exactly that.
According to Akamai's estimates, some 277,000 routers have UPnP services exposed to the internet and are vulnerable to the exploit. More than 45,000 of these had already had entries injected in the most recent campaign discovered by the company.
A spokesman for Akamai had this to say about their recent discovery:
“Recent scans suggest that these attackers are being opportunistic. The goal here isn’t a targeted attack. It’s an attempt at leveraging tried and true off the shelf exploits, casting a wide net into a relatively small pond, in the hopes of scooping up a pool of previously inaccessible devices.”
Fortunately, the white paper Akamai published about the attack also includes instructions for removing malicious NAT table entries from affected routers. It is well worth the read. Keep in mind that deleting the entries does not close the hole that let them in: as long as the router's UPnP service still answers on its WAN interface, the same rules can simply be added again, so the lasting fix is to disable UPnP (or at least its internet-facing exposure) or move to firmware that no longer exposes it.
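As an added example (not part of the article and not Akamai's own tooling), the Python script below audits a router's UPnP port-mapping table for the two patterns described above: mappings whose internal client is an internet host, meaning the router is acting as a relay, and mappings that land on the SMB ports of a LAN host. The three SOAP responses are constructed sample data in the shape a WANIPConnection service returns to GetGenericPortMappingEntry, not a capture from a real device; the control URL in delete_request is an assumed placeholder, since the real one comes from the router's device description. The script only builds the DeletePortMapping request for a flagged entry; it does not send anything.

```python
"""Audit UPnP IGD port mappings for UPnProxy-style entries (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
SMB_PORTS = {139, 445}
# A legitimate mapping must forward to a host on the router's own LAN.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _entry_xml(remote, ext_port, proto, int_port, client, desc):
    """Build one GetGenericPortMappingEntry response (constructed sample)."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_NS}">
<NewRemoteHost>{remote}</NewRemoteHost>
<NewExternalPort>{ext_port}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol>
<NewInternalPort>{int_port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""


# Constructed responses: a normal forward, a UPnProxy relay rule pointing at
# an outside host, and a rule exposing SMB on a LAN machine.
SAMPLE_RESPONSES = [
    _entry_xml("", 8080, "TCP", 80, "192.168.1.20", "webcam"),
    _entry_xml("", 35000, "TCP", 443, "203.0.113.9", "node"),
    _entry_xml("", 47000, "TCP", 445, "192.168.1.15", "svc"),
]


def parse_mapping(soap_xml):
    """Extract the mapping fields from a GetGenericPortMappingEntry response."""
    root = ET.fromstring(soap_xml)
    # Strip namespaces so the field names can be looked up directly.
    fields = {el.tag.rsplit("}", 1)[-1]: (el.text or "") for el in root.iter()}
    return {
        "remote_host": fields["NewRemoteHost"],
        "external_port": int(fields["NewExternalPort"]),
        "protocol": fields["NewProtocol"],
        "internal_port": int(fields["NewInternalPort"]),
        "internal_client": fields["NewInternalClient"],
        "description": fields["NewPortMappingDescription"],
    }


def is_lan_address(addr):
    """True if addr is in one of the RFC 1918 ranges a home/office LAN uses."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def classify(mapping):
    """Return the UPnProxy patterns a mapping matches (empty list = looks normal)."""
    findings = []
    if not is_lan_address(mapping["internal_client"]):
        findings.append("proxy")          # router relays traffic to an outside host
    if mapping["internal_port"] in SMB_PORTS:
        findings.append("smb_exposure")   # SMB of a LAN host reachable from the WAN
    return findings


def audit(responses):
    """Parse each response; return (mapping, findings) for the suspicious ones."""
    suspicious = []
    for xml in responses:
        mapping = parse_mapping(xml)
        hits = classify(mapping)
        if hits:
            suspicious.append((mapping, hits))
    return suspicious


def delete_request(mapping, control_url="/ctl/IPConn"):
    """Build the standard IGD DeletePortMapping call for a mapping.

    Nothing is sent. control_url is an assumed placeholder; the real value
    comes from the router's device description XML.
    """
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:DeletePortMapping xmlns:u="{WANIP_NS}">'
        f'<NewRemoteHost>{mapping["remote_host"]}</NewRemoteHost>'
        f'<NewExternalPort>{mapping["external_port"]}</NewExternalPort>'
        f'<NewProtocol>{mapping["protocol"]}</NewProtocol>'
        '</u:DeletePortMapping></s:Body></s:Envelope>'
    )
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP_NS}#DeletePortMapping"',
    }
    return control_url, headers, body


if __name__ == "__main__":
    for mapping, hits in audit(SAMPLE_RESPONSES):
        print(f'{mapping["protocol"]}/{mapping["external_port"]} -> '
              f'{mapping["internal_client"]}:{mapping["internal_port"]}  {hits}')
        print("  DeletePortMapping body:", delete_request(mapping)[2])
```

Against a real router you would walk the table by sending GetGenericPortMappingEntry with NewPortMappingIndex 0, 1, 2, ... to the control URL until the device returns a SpecifiedArrayIndexInvalid error, feeding each response to parse_mapping; the classification is deliberately conservative, so a flagged entry still deserves a look before it is deleted.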