UPnProxy

UPnProxy is an exploit that can be used by attackers to obfuscate attacks and perform illegal actions through a large proxy network of affected devices. UPnP stands for Universal Plug and Play. In short, UPnP was created to ease configuration of network devices. If a router has UPnP enabled, a device can negotiate a port with it to get out to the internet without human interaction. There has been an abundance of security issues regarding UPnP; see a startling list of CVEs here. Unfortunately, some devices will accept UPnP requests from the internet. UPnProxy takes advantage of UPnP exposed on a router’s WAN connection, enabling attackers to use vulnerable devices for a number of purposes.

Akamai published a white paper in April of 2018. The paper gives details of the history of the attack, affected devices, and remediation. In short, if your device is affected, it is recommended to replace it, disable UPnP, or place a firewall in front of the device if replacement isn’t an option. Note that disabling UPnP can make some services (such as gaming and streaming) not work properly without additional configuration.

Additional information can be found in a post titled “Hiding Through a Maze of IoT Devices” on @x0rz’s blog.

Steve Gibson also created a tool called ShieldsUp that can check whether your router/gateway responds to UPnP over the internet. Check that out here.

TL;DR – Visit Akamai’s white paper (link here) and see if your device is affected (pages 15-17). If your device is on the list, replace it.

 

EDIT: I want to piggyback some information onto this post. UPnProxy is being utilized further recently. UPnProxy: EternalSilence is mapping external ports to internal SMB ports to expose further vulnerabilities inside of a network. Akamai has posted a more recent article with this information.
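
The check below is an added example, not code from the original post or from Akamai. It audits a router's UPnP port-mapping table, read from the LAN side with the IGD `GetGenericPortMappingEntry` action, for the two patterns discussed here: mappings whose internal client is not a LAN host (the router is relaying to a foreign address, which is how it acts as a proxy) and mappings that forward an external port to internal SMB (the EternalSilence pattern). The LAN range, the sample responses and the function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}  # internal ports the EternalSilence mappings point at

def _sample(ext, int_port, client):
    """Build a constructed GetGenericPortMappingEntryResponse body."""
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse'
            ' xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f'<NewExternalPort>{ext}</NewExternalPort><NewProtocol>TCP</NewProtocol>'
            f'<NewInternalPort>{int_port}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

# Constructed sample table (private and documentation address ranges only).
SAMPLE_TABLE = [_sample(51413, 51413, "192.168.1.20"),
                _sample(20035, 80, "203.0.113.7"), _sample(47261, 445, "192.168.1.34")]

def parse_mapping(soap_xml):
    """Return the New* argument fields of one response, ignoring namespaces."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag.startswith("New"):
            fields[tag] = (el.text or "").strip()
    return fields

def audit_mapping(fields, lan_cidr):
    """List the reasons a mapping looks like UPnProxy abuse (empty if none)."""
    findings = []
    try:
        client = ipaddress.ip_address(fields.get("NewInternalClient", ""))
        if client not in ipaddress.ip_network(lan_cidr):
            findings.append("internal client is outside the LAN")
    except ValueError:
        findings.append("internal client is not an IP address")
    port = fields.get("NewInternalPort", "")
    if port.isdigit() and int(port) in SMB_PORTS:
        findings.append("external port forwards to internal SMB")
    return findings

def audit_table(responses, lan_cidr="192.168.1.0/24"):
    """Map each flagged external port to its list of findings."""
    parsed = (parse_mapping(r) for r in responses)
    flagged = {int(f["NewExternalPort"]): audit_mapping(f, lan_cidr) for f in parsed}
    return {port: why for port, why in flagged.items() if why}

if __name__ == "__main__": print(audit_table(SAMPLE_TABLE))
```

A mapping that nobody on the LAN requested and that trips either check is a reason to treat the device as affected and follow the remediation above.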