Multi-Purpose Proxy Botnet Ensnares 65,000 Routers

More than 65,000 routers exposed to the Internet via the Universal Plug and Play (UPnP) protocol are being abused by cybercriminals as part of a large, multi-purpose proxy botnet, Akamai has discovered.

The vulnerable devices were found to have NAT injections that allow malicious actors to abuse them for various purposes, such as bypassing censorship, spamming and phishing, click fraud, account takeover and credit card fraud, distributed denial of service (DDoS) attacks, malware distribution, and more.

The 65,000 injected devices, Akamai reveals, are part of a larger set of over 4.8 million devices that were found to be vulnerable to simple UDP SSDP (the UDP portion of UPnP) inquiries. Around 765,000 of the devices were also found to expose their vulnerable TCP implementations, the security firm says.

Most of the impacted devices are consumer-grade networking hardware coming from 73 brands / manufacturers. Nearly 400 models were found vulnerable, but other manufacturers and devices are also believed to be affected by these vulnerable UPnP implementations, Akamai reveals in a report (PDF).

Designed to allow better communication between devices on a LAN, the UPnP protocol is widely used, but is also long-known to be vulnerable. In fact, flawed implementations have been exposed for over a decade, with a 2013 report revealing tens of millions of vulnerable devices on the Internet.

The protocol allows for automated negotiation and configuration of port opening/forwarding within a NATed networking environment, meaning that devices on the network can open ports to expedite routing of traffic in and out of the network. Some of the exposed services, however, are privileged and meant to only be used by trusted devices on a LAN.

Some of the vulnerable devices include malicious NAT injections that appear to be part of an organized and widespread abuse campaign. The purpose of these injections is to turn routers into proxies, which led researchers to call injected devices UPnProxy.

The injected NAT entries were designed to be working in sets across various devices. Thus, across the 65,000 infected devices, 17,599 unique endpoint IP addresses were discovered. The most-identified IP was injected over 18.8 million times across 23,286 devices, while the second-most-injected IP appeared over 11 million times across 59,943 devices.

The injections were designed to point to multiple services and servers around the Internet and most of them targeted TCP ports 53 (15.9M for DNS), 80 (9.5M for HTTP), and 443 (155K for HTTPS).

The multi-purpose proxy botnet, Akamai says, appears related to the Inception Framework threat actor that was first exposed in 2014. The group was previously observed targeting Energy and Defense sectors, along with organizations in the Consultancy/Security, Aerospace, Research, and Media sectors, in addition to embassies.

In a report earlier this year, Symantec revealed that the actor has continued to operate over the past years, despite an apparent silence. The group has changed its tools and techniques, uses modular malware in attacks, and has widened its use of cloud service providers for command and control purposes.

Symantec also said that the group was abusing Internet of Things devices to hide behind proxies, leveraging the UPnP protocol to hijack vulnerable routers.

Akamai used Symantec’s findings as a starting point for their research and discovered two clusters of highly chained proxies within the injected devices. One of them is more evenly distributed, supposedly using smaller nodes as final hop before exiting the chain to their final destinations. The other, however, routes to a much larger collection of outward medium and small nodes, making tracking more difficult.

“The UPnProxy vulnerability, like many of the problems we’ve seen recently, was caused by unauthenticated services being exposed to the public Internet in ways they were never meant to be. Attackers have taken several aspects of known issues with UPnP and combined them to create a powerful proxy network to hide their traffic. While this is neither a remote exploit that allows the attacker to take over a computer nor a new reflection vector for DDoS, it is still a significant concern because of how it allows the origin of traffic to be hidden,” Akamai notes.

Related: New Botnet Is Recruiting IoT Devices

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags: