A multi-purpose botnet named UPnProxy now leverages more than 270,000 Internet-connected devices; when it was discovered in April this year, it had infected around 65,000 devices.
The UPnP protocol was originally designed to simplify communication between devices on a LAN, but those good intentions have a downside: the same protocol leaves devices open to all sorts of cyber attacks.
Cybersecurity specialists estimate that there are currently more than 3.5 million vulnerable devices around the world, and that 277,000 of them have already been hijacked by the UPnProxy botnet.
The problem does not stop there: recent statistics show that UPnProxy continues to scan for more machines to compromise.
Researchers who have analyzed the botnet say that home users affected by this threat can face a number of complications, such as degraded service, malware infections, ransomware, and even fraud. Business users face a more serious and dangerous threat: recent developments of the botnet show that cyberspace now contains many malicious systems that were never supposed to exist, and those systems can be used in new, previously unseen cyberattacks.
Remember that everything can be hacked. To stay clear of threats from the cyber world, we recommend installing an antivirus for Windows or an antivirus for Mac on every device you own, depending on the OS it runs. If you are a company, we also recommend hiring a specialized cybersecurity company every year to run annual tests on your company's network; these tests include penetration testing and ethical hacking.
For now, it is unknown how the new variants of Bladabindi spread to the core and infect systems.
For example, the services exposed so far, TCP ports 139 and 445, have a history of exploitation in other campaigns targeting both Windows and Linux platforms.
A well-known campaign of this kind is EternalSilence, which has impacted millions of devices living behind vulnerable routers by exploiting them with the EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) exploits.
An even bigger problem is that researchers could not recover the final payloads, so they cannot say what happens to a device after it is successfully compromised. The possible scenarios are very dark, from ransomware attacks and backdoors to all kinds of malware.
For the moment the botnet is scanning the entire Internet for SSDP and pivoting to the TCP UPnP daemons, or is targeting a set of devices that use static ports (TCP/2048) and paths (/etc/linuxigd/gatedesc.xml) for their UPnP daemons.
After the scan is done, it probably blindly injects the SMB ports with the EternalBlue and EternalRed exploits to build an even bigger army of zombified devices, ready to launch a devastating, never-before-seen cyberattack.
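Because the campaign described above works by injecting port mappings into a router's UPnP daemon so that the SMB ports become reachable, the most direct check a defender can run is an audit of the router's own port-mapping table. The Python below is an added example, not code from the article or from the researchers it summarizes: it parses WANIPConnection GetGenericPortMappingEntry SOAP responses (the replies a client receives when walking the mapping table entry by entry), and flags any mapping that forwards to TCP 139 or 445, or whose internal client is not an RFC 1918 LAN address, which is the pattern of a device being used to proxy traffic rather than to serve its own LAN. The responses in SAMPLE_TABLE are constructed for the example; the field names follow the UPnP WANIPConnection service, while the RFC 1918 definition of "the LAN" and the two flagging rules are assumptions of this example.

```python
"""Audit a router's UPnP port-mapping table for injected, suspicious entries.

Added example. The SOAP responses in SAMPLE_TABLE are constructed here and do
not come from any real device.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

# SMB ports named in the article as the targets of the EternalBlue/EternalRed stage.
SMB_PORTS = {139, 445}

# Assumption: "the LAN" means the RFC 1918 private ranges. Adjust for your network.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class PortMapping:
    external_port: int
    protocol: str          # "TCP" or "UDP"
    internal_client: str   # host the router forwards to
    internal_port: int
    description: str


def parse_mapping_entry(soap_xml: str) -> PortMapping:
    """Parse one WANIPConnection GetGenericPortMappingEntry SOAP response."""
    root = ET.fromstring(soap_xml)
    fields = {}
    for el in root.iter():
        tag = el.tag.split("}")[-1]        # drop the namespace prefix, if any
        if tag.startswith("New"):          # NewExternalPort, NewInternalClient, ...
            fields[tag] = (el.text or "").strip()
    return PortMapping(
        external_port=int(fields["NewExternalPort"]),
        protocol=fields["NewProtocol"].upper(),
        internal_client=fields["NewInternalClient"],
        internal_port=int(fields["NewInternalPort"]),
        description=fields.get("NewPortMappingDescription", ""),
    )


def is_lan_address(addr: str) -> bool:
    """True only for addresses inside the RFC 1918 ranges assumed above."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETWORKS)


def audit_mapping(m: PortMapping) -> List[str]:
    """Return human-readable findings for one mapping (empty list if it looks benign)."""
    findings = []
    if m.protocol == "TCP" and m.internal_port in SMB_PORTS:
        findings.append(f"exposes SMB (TCP/{m.internal_port}) on {m.internal_client}")
    if not is_lan_address(m.internal_client):
        findings.append(f"internal client {m.internal_client} is not on the LAN: proxy hop")
    return findings


def audit_table(entries: List[str]) -> Dict[Tuple[int, str], List[str]]:
    """Audit a list of SOAP responses; keyed by (external port, protocol)."""
    report = {}
    for xml_text in entries:
        m = parse_mapping_entry(xml_text)
        findings = audit_mapping(m)
        if findings:
            report[(m.external_port, m.protocol)] = findings
    return report


def _entry(ext: int, proto: str, client: str, iport: int, desc: str) -> str:
    # Constructed SOAP response shaped like a WANIPConnection reply.
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{ext}</NewExternalPort>
   <NewProtocol>{proto}</NewProtocol>
   <NewInternalPort>{iport}</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""


# Constructed sample table: one legitimate web forward, one injected SMB exposure of a
# LAN host, one mapping that forwards to an outside host (proxy hop), one UDP game port.
SAMPLE_TABLE = [
    _entry(8080, "TCP", "192.168.1.20", 80, "home web server"),
    _entry(47001, "TCP", "192.168.1.10", 445, "silent"),
    _entry(52010, "TCP", "203.0.113.7", 445, "silent"),
    _entry(6881, "UDP", "192.168.1.15", 6881, "torrent"),
]

if __name__ == "__main__":
    for key, findings in audit_table(SAMPLE_TABLE).items():
        print(key, findings)
```

Run on the sample table it reports the two TCP/445 mappings and nothing else; on a real router, feed it the responses you collect by calling GetGenericPortMappingEntry with increasing NewPortMappingIndex until the service returns an error, and treat any mapping whose internal client lies outside your LAN as one you did not create.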
Keep in mind that our modern society depends on computers, mobile devices, and the internet, so always stay safe and secure.
We will continue to monitor the cybersecurity world. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device you own, depending on the OS your machine runs, and if you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company's network; such tests include penetration testing and ethical hacking.