Akamai security researchers reported that a multi-purpose proxy botnet has ensnared over 65,000 routers exposed to the Internet via the Universal Plug and Play (UPnP) protocol.
The experts found that the affected devices carry injected NAT entries that let attackers abuse them as proxies for a range of purposes: spamming and phishing, account takeover and credit card fraud, click fraud, malware distribution, distributed denial of service (DDoS) attacks, bypassing censorship, and more.
According to Akamai, the 65,000 injected devices are part of a larger set of over 4.8 million devices that respond to simple SSDP queries (the UDP discovery portion of UPnP) from the Internet.
The security company claims that approximately 765,000 of those devices also expose the TCP side of their UPnP implementation, the SOAP control interface through which port mappings are created and listed.
A large share of the impacted devices is consumer-grade networking hardware from 73 brands / manufacturers. About 400 models appeared to be vulnerable; however, the Akamai report notes that other manufacturers and devices may also be affected, since the problem lies in the UPnP implementations they share.
The main purpose of the UPnP protocol is to allow devices on a LAN to discover and configure each other without manual setup; however, its implementations have a long history of security problems.
Flawed implementations have been exposed for over a decade, with a 2013 report revealing tens of millions of vulnerable devices reachable from the Internet.
The UPnP protocol allows for automated negotiation and configuration of port opening/forwarding within a NATed network, which means that devices on the LAN can open ports on the router to route traffic in and out of the network. These port-mapping services are privileged and are meant to be used only by trusted devices on the LAN; the vulnerable devices expose them on the WAN interface as well, so anyone on the Internet can add or list NAT entries.
Among the vulnerable devices, the researchers found malicious NAT injections that are part of an organized and widespread abuse campaign. The main function of these injections is to turn routers into proxies, which led the experts to name the technique, and the injected devices, UPnProxy.
The injected NAT entries were created to be working in sets across various devices. For that reason, across the 65,000 infected devices, the researchers discovered 17,599 unique endpoint IP addresses.
The most-identified IP was injected over 18.8 million times across 23,286 devices, while the second-most-injected IP appeared over 11 million times across 59,943 devices.
The injections point at multiple services and servers around the Internet; most of them targeted TCP ports 53 (15.9M entries, DNS), 80 (9.5M, HTTP), and 443 (155K, HTTPS).
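The mechanics described above (SSDP discovery over UDP, SOAP control over TCP, and NAT entries that forward to hosts outside the LAN) can be turned into a simple audit. The following is an added example written for this page, not Akamai's tooling or any router vendor's code: it builds the SSDP M-SEARCH and the GetGenericPortMappingEntry request a scanner would send, parses the SOAP response, and flags any mapping whose internal client is not on a private network. The host, control URL, LAN ranges and the two SOAP responses are assumptions or constructed samples, not captured from a real device.

```python
"""UPnP IGD port-mapping audit: build the discovery/control messages and
flag NAT entries whose internal client is not on the LAN (a UPnProxy
indicator). Added example, not Akamai's tooling; host, control URL, LAN
ranges and the SOAP responses below are assumed/constructed."""
import ipaddress
import xml.etree.ElementTree as ET

# WANIPConnection is the standard IGD service that owns port mappings.
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_DEVICE = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(target=IGD_DEVICE, mx=2):
    """SSDP M-SEARCH sent to 239.255.255.250:1900 over UDP (the discovery
    half of UPnP). CRLF line endings and the blank terminator are required."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        "HOST: 239.255.255.250:1900",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def build_get_mapping_request(host, control_url, index):
    """HTTP/SOAP POST for GetGenericPortMappingEntry (the TCP control half).
    Walking index 0..N until the device returns SpecifiedArrayIndexInvalid
    enumerates every NAT entry, including injected ones."""
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{WANIP_SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    )
    headers = (
        f"POST {control_url} HTTP/1.1\r\n"
        f"HOST: {host}\r\n"
        'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
        f"CONTENT-LENGTH: {len(body)}\r\n"
        f'SOAPACTION: "{WANIP_SERVICE}#GetGenericPortMappingEntry"\r\n\r\n'
    )
    return (headers + body).encode()


def parse_mapping_response(xml_text):
    """Extract the New* fields from a GetGenericPortMappingEntryResponse."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    resp = body.find(f"{{{WANIP_SERVICE}}}GetGenericPortMappingEntryResponse")
    fields = {child.tag: (child.text or "") for child in resp}
    return {
        "external_port": int(fields["NewExternalPort"]),
        "protocol": fields["NewProtocol"],
        "internal_port": int(fields["NewInternalPort"]),
        "internal_client": fields["NewInternalClient"],
        "description": fields["NewPortMappingDescription"],
    }


def is_injected(mapping, lan_networks):
    """A legitimate mapping forwards to a host inside the LAN. An internal
    client on a public address means the router forwards WAN traffic to an
    arbitrary Internet host, i.e. it is acting as a proxy."""
    client = ipaddress.ip_address(mapping["internal_client"])
    return not any(client in net for net in lan_networks)


def audit(responses, lan_cidrs=("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")):
    """Return the mappings from a list of SOAP responses that point off-LAN.
    The default LAN ranges are an assumption; pass the real ones."""
    nets = [ipaddress.ip_network(c) for c in lan_cidrs]
    return [m for m in map(parse_mapping_response, responses) if is_injected(m, nets)]


def _sample_response(ext_port, proto, int_port, client, desc):
    # Constructed response in the shape IGD devices return; not captured
    # from a real router. Addresses are from the TEST-NET documentation ranges.
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}">'
        f'<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_SERVICE}">'
        "<NewRemoteHost></NewRemoteHost>"
        f"<NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


SAMPLE_RESPONSES = [
    _sample_response(32400, "TCP", 32400, "192.168.1.20", "media server"),   # legitimate
    _sample_response(41233, "TCP", 53, "198.51.100.7", "constructed injected entry"),
]

if __name__ == "__main__":
    for m in audit(SAMPLE_RESPONSES):
        print("off-LAN mapping:", m)
```

In a live check, `build_msearch()` goes out over UDP and the LOCATION header of the reply leads to the device description, which names the WANIPConnection control URL; `build_get_mapping_request()` is then sent over TCP for increasing indices until the device returns a SOAP fault. An audit run from the WAN side should fail at the first step; if it succeeds, the device is exposed in the way the article describes regardless of whether any off-LAN mapping is found.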
According to Akamai, the multi-purpose proxy botnet is most likely related to the Inception Framework threat actor, which was first exposed in 2014. The group was previously observed targeting embassies as well as organizations in the Energy, Defense, Consultancy/Security, Aerospace, Research, and Media sectors.
Earlier this year, Symantec reported that the Inception Framework had continued to operate in the intervening years, changing its tools and techniques.
In addition, Symantec said that the group was abusing Internet of Things devices to hide behind proxies, leveraging the UPnP protocol to hijack vulnerable routers.