UPnProxy – A Dubbed NSA Hacking Tool of EternalSilence Vulnerable to Attack 277,000 UPnP Enabled Routers

UPnProxy – A Dubbed NSA Hacking Tool of EternalSilence Vulnerable to Attack 277,000 UPnP Enabled Routers

UPnProxy is alive and well. There are 277,000 devices, out of a pool of 3.5 million, running vulnerable implementations of UPnP. Of those, Akamai can confirm that more than 45,000 have been compromised in a widely distributed UPnP NAT injection campaign. These injections expose machines living behind the router to the Internet and appear to target the service ports used by SMB.

New research reveals that  Universal Plug and Play (UPnP) implemented 277,000 Connected Devices are vulnerable to malicious proxy system UPnProxy , a dubbed EternalSilence NSA hacking tool arsenal.

UPnProxy is a feature that allows the devices on your network to discover each other and allow to access certain services. Often, this is used for streaming media between devices on a network.

Currently, a pool of 3.5 million connected devices are using UPnP and among these devices, more than 45,000 have been compromised in a widely distributed UPnP NAT injection campaign.

Attackers abusing the UPnP system and creating a malicious proxy system called UPnProxy that helps attacker s to reroute the original traffic landing into malicious services such as spam, phishing, click fraud, and DDoS.

It mainly affected the home routers that leads to infect with malware, ransomware and others infections.

Malicious UPnProxy initially discovered by researchers at Akamai and they have dubbed Eternal Silence which is derived from port mapping descriptions and the researchers believed that it leveraging the exploits from NSA Eternal family.








Earlier this year, Akamai researchers reported on how Universal Plug and Play (UPnProxy) was being abused by attackers to conceal traffic, creating a malicious proxy system we’ve called UPnProxy. Because UPnProxy can be leveraged to route an attacker’s traffic at will, there is a serious risk that this flaw can be leveraged in a number of attacks, including spam, phishing, click fraud, and DDoS.

Now, six months later, we’re seeing evidence that UPnProxy alive and well. Out of a potential victim pool of 3.5 million vulnerable devices, 277,000 of them  are vulnerable to UPnProxy. Our scanning revealed at least 45,000 actively injected machines, those with the telltale routes already in their port mappings. These numbers are subject to change as the attackers continue to scan for new machines to compromise. While some of the campaigns observed in the original research have since disappeared, a new campaign of injections has been discovered.

In Akamai’s previous research, we highlighted the possibility that attackers could leverage UPnProxy to exploit systems living behind the compromised router. Unfortunately, data from this recent batch of injections suggests this is exactly what’s happening.

For home users, these attacks can lead to a number of complications, such as degraded service, malware infections, ransomware, and fraud. But for business users, these recent developments could mean systems that were never supposed to exist on the internet in the first place, could now be living there unknowingly, greatly increasing their chances of being compromised. Even more concerning, the services being exposed by this particular campaign have a history of exploitation related to crippling worms and ransomware campaigns targeting both Windows and Linux platforms.



Background of UPnProxy




Attack Process

Attack leveraging NSA’s Eternal family of exploits using this EternalSilence campaign which is confirmed by an observation of millions of successful injections attempting in order to expose the millions of SMB running services. In this case, 2 powerful NSA exploits, EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) used by attackers and utilize the static ports (TCP/2048) in order to inject SMB port forwards.

Also, there will not be any administrative visibility of an injected router since its difficult to detect the malicious NAT injections. The best way to identify if a device is vulnerable or actively being leveraged for UPnProxying is to scan an end-point and audit it’s NAT table entries, Researchers said.



Attack Process




Highest Selling Technical Courses of Indian Cyber Security Solutions:

Certified Ethical Hacker Training in Bhubaneswar

Ethical Hacking Training in Bhubaneswar

Certified Ethical Hacker Training in Bangalore

Ethical Hacking Training in Bangalore

Certified Ethical Hacker Training in Hyderabad

Ethical Hacking Training in Hyderabad

Ethical Hacking Training in Dhanbad

Certified Ethical Hacker Training in Dubai

Ethical Hacking Training in Dubai


Python Training in Bangalore

Python Training in Hyderabad

Python Training in Bhubaneswar

Microsoft Azure Training in Hyderabad

Microsoft Azure Training in Bangalore

Microsoft Azure Training in Bhubaneswar

Networking Training in Bangalore

Networking Training in Hyderabad

Networking Training in Bhubaneswar

Advance Python Training in Hyderabad

Advance Python Training in Bangalore

Advance Python Training in Bhubaneswar

Amazon Web Services Training in Hyderabad

Amazon Web Services Training in Bangalore

Amazon Web Services Training in Bhubaneswar

Certified Ethical Hacker Certification – C | EH v10

Computer Forensic Training in Kolkata

Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Testing training

Ethical Hacking  training

Internet Of Things Training

Data Analysis

Internet Of Things Training Hyderabad

Internet Of Things Training in Bhubaneswar

Internet Of Things Training in Bangalore

Embedded System Training

Digital Marketing Training

Machine Learning Training

Python Programming training

Android Training in Bangalore

Android Training in Hyderabad

Android Training in Bhubaneswar

Diploma in Network Security Training

Android Development  training

Secured Coding in Java

Certified Network Penetration Tester 

Diploma in Web Application Security 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advance Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 


Cybersecurity services that can protect your company:

Web Security | Web Penetration Testing

Web Penetration Testing Company in Bangalore

Network Penetration Testing – NPT

Network Penetration Testing Service in Bangalore

Android App Penetration Testing

Source Web Development

Source Code Review

Android App Development

Digital Marketing Consultancy

Data Recovery


Other Location for Online Courses: