[ Nov 29, 2018 ]
Akamai has detected an ingenious malware campaign that alters configurations on home and small office routers to open connections toward internal networks so crooks can infect previously isolated computers.
The technique relies on exploiting vulnerabilities in the UPnP services installed on some routers to alter the device’s NAT (Network Address Translation) tables.
NAT tables are a set of rules that control how IPs and ports from the router’s internal network are mapped onto an upstream network segment, usually the Internet.
In April, hackers were using this technique to convert routers into proxies for regular web traffic, but in a report published today, Akamai says it’s seen a new variation of UPnProxy where some clever hackers are leveraging UPnP services to insert special rules into routers’ NAT tables.
Furthermore, Akamai also believes hackers deployed EternalRed, a variant of EternalBlue that can infect Linux systems via Samba, the SMB protocol implementation for Linux.
Cyber Security Tips:
- In order to recover from or prevent an attack, device owners can either purchase a new router that doesn’t have the UPnP vulnerabilities that enable this type of abuse or, if their current router is vulnerable, ensure that UPnP is disabled on it.
- Device owners should also consider rebooting the router itself or possibly flashing the router to the original factory settings and configuring it with UPnP completely disabled.
- It’s also advisable to check for firmware updates, as fixes for this issue may have been published for some routers.
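
One way to review a router's UPnP port mappings for the kind of injected NAT rules described above, as an added example that is not from Akamai's report or the original post. It parses responses to the UPnP IGD `GetGenericPortMappingEntry` action already collected from your own router; the sample responses, the LAN range `192.168.1.0/24` and the two review heuristics are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP
ENVELOPE = (  # shape of an IGD GetGenericPortMappingEntry SOAP response
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse '
    'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>{0}</NewExternalPort>"
    "<NewProtocol>TCP</NewProtocol><NewInternalPort>{2}</NewInternalPort>"
    "<NewInternalClient>{1}</NewInternalClient><NewEnabled>1</NewEnabled>"
    "<NewPortMappingDescription>{3}</NewPortMappingDescription>"
    "<NewLeaseDuration>0</NewLeaseDuration>"
    "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
)
# Constructed sample rows: (external port, internal client, internal port, description)
SAMPLE = [ENVELOPE.format(*row) for row in [
    (51413, "192.168.1.20", 51413, "constructed: ordinary app mapping"),
    (28445, "192.168.1.30", 445, "constructed: entry A"),
    (8080, "203.0.113.7", 80, "constructed: entry B"),
]]

def parse_mapping(xml_text):
    """Collect the un-namespaced New* argument elements of one response."""
    return {el.tag: (el.text or "") for el in ET.fromstring(xml_text).iter()
            if el.tag.startswith("New")}

def audit(mapping, lan="192.168.1.0/24"):
    """Return the reasons a mapping deserves review (empty list means none)."""
    reasons = []
    client = ipaddress.ip_address(mapping["NewInternalClient"])
    # Heuristic 1 (assumption): SMB should never be forwarded from the WAN side.
    if int(mapping["NewInternalPort"]) in SMB_PORTS:
        reasons.append("exposes SMB on an internal host")
    # Heuristic 2 (assumption): a target outside the LAN turns the router into a proxy.
    if client not in ipaddress.ip_network(lan):
        reasons.append("internal client is outside the LAN (proxy-style rule)")
    return reasons

def audit_all(responses, lan="192.168.1.0/24"):
    """Map each flagged external port to its list of reasons."""
    findings = {}
    for xml_text in responses:
        mapping = parse_mapping(xml_text)
        reasons = audit(mapping, lan)
        if reasons:
            findings[int(mapping["NewExternalPort"])] = reasons
    return findings

if __name__ == "__main__":
    for port, reasons in audit_all(SAMPLE).items():
        print(port, "; ".join(reasons))
```

Any mapping this flags that no device on the network is known to have requested is a reason to apply the tips above: disable UPnP, reset the router and update its firmware.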