Akamai has detected an ingenious malware campaign that alters configurations on home and small office routers to open connections toward internal networks so crooks can infect previously isolated computers.

The way hackers achieve this, Akamai said, is via a technique known as UPnProxy, which the company first detailed in April this year.

The technique relies on exploiting vulnerabilities in the UPnP services installed on some routers to alter the device's NAT (Network Address Translation) tables.

NAT tables are a set of rules that control how IPs and ports from the router's internal network are mapped onto a superior network segment --usually the Internet.

In April, hackers were using this technique to convert routers into proxies for regular web traffic, but in a report published today, Akamai says it's seen a new variation of UPnProxy where some clever hackers are leveraging UPnP services to insert special rules into routers NAT tables.

These rules still work as a (proxy) redirections, but instead of relaying web traffic at the hacker's behest, they allow an external hacker to connect to the SMB ports (139, 445) of devices and computers located behind the router, on the internal network.

OVER 45,000 ROUTERS ALREADY INFECTED

Akamai experts say that from the 277,000 routers with vulnerable UPnP services exposed online, 45,113 have already been modified in this recent campaign.

Researchers say that one particular hacker, or hacker group, has spent weeks creating a custom NAT entry named 'galleta silenciosa' ('silent cookie/cracker' in Spanish) on these 45,000 routers.

Read more: Hackers are opening SMB ports on routers so they can infect PCs with NSA malware | ZDNet

See also: UPnProxy: EternalSilence - Akamai Security Intelligence and Threat Research Blog

Posted By: Brink
28 Nov 2018