Botnet operators and cyber-espionage groups (APTs) are abusing the Universal Plug and Play (UPnP) protocol that comes with all modern routers to proxy bad traffic and hide their real location from investigators. In a report published on Monday, Akamai revealed that it detected bad actors abusing at least 65,000 routers to create proxy networks for various types of secret or illegal activities.
Bad actors are abusing UPnP
According to Akamai, attackers are abusing the UPnP protocol, a feature that makes it easier to interconnect local WiFi-enabled devices and forward ports and services to the Internet.
UPnP is a crucial service for most of today’s routers, but the protocol was proven to be insecure more than a decade ago, and malware authors have abused various UPnP flaws ever since.
Akamai says it detected a new way in which bad actors have recently been abusing UPnP. Experts say that bad actors have discovered that some routers expose UPnP services meant for inter-device discovery via their WAN (external Internet) interface.