Security researchers warn that an IoT botnet has been scanning the internet and exploiting nearly 100,000 routers exposed to a five-year-old UPnP vulnerability.
According to security blogger Graham Cluley, Qihoo 360's Netlab security team spotted a new botnet, "BCMUPnP_Hunter", back in September 2018 that attempts to exploit a security vulnerability in the Broadcom UPnP SDK first discovered in 2013.
UPnP (Universal Plug and Play) is a home networking protocol used for automatic discovery of other Plug-and-Play devices on the network (such as PCs, printers, Internet gateways, Wi-Fi access points and mobile devices), as well as to make data sharing, communication and entertainment on home networks easier to set up.
An excerpt of Qihoo's description of the threat:
"The interaction between the botnet and the potential target takes multiple steps. It starts with a TCP port 5431 destination scan, then moves on to check the target's UDP port 1900 and waits for the target to send the proper vulnerable URL. After getting the proper URL, it takes another 4 packet exchanges for the attacker to figure out where the shellcode's execution start address in memory is so a right exploit payload can be crafted and fed to the target."
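The two-step probe sequence Netlab describes (a TCP/5431 connection followed by a UDP/1900 check of the same target) is a usable detection signal on perimeter flow logs. The following is an added example, not code from the article or from Netlab's report: it assumes a constructed one-flow-per-line log format and an assumed ten-minute correlation window, and flags source/target pairs that show the 5431-then-1900 pattern while leaving ordinary standalone SSDP traffic alone.

```python
"""Flag sources that probe TCP/5431 and then UDP/1900 on the same target.

Added example (not from the original article or Netlab). Assumed log format,
one flow per line:
    <ISO-8601 timestamp> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>
Real firewall or NetFlow exports will need their own parser.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports taken from the Netlab description: TCP/5431 first, then UDP/1900 (SSDP).
FIRST_STAGE = ("tcp", 5431)
SECOND_STAGE = ("udp", 1900)
# Assumed correlation window; the article gives no timing, tune to your network.
WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

# Constructed sample log. 203.0.113.5 follows the two-step pattern against
# 192.0.2.10; its probes of 192.0.2.12 are hours apart (outside the window);
# 198.51.100.7 only sends SSDP to 1900, which on its own is normal traffic.
SAMPLE_LOG = """\
2018-09-13T10:00:01Z src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=5431
2018-09-13T10:00:02Z src=198.51.100.7 dst=192.0.2.11 proto=udp dport=1900
2018-09-13T10:00:05Z src=203.0.113.5 dst=192.0.2.10 proto=udp dport=1900
2018-09-13T10:00:09Z src=203.0.113.5 dst=192.0.2.12 proto=tcp dport=5431
2018-09-13T12:30:00Z src=203.0.113.5 dst=192.0.2.12 proto=udp dport=1900
not a flow line
"""


def parse_line(line):
    """Parse one flow line; return (ts, src, dst, (proto, dport)) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], (m["proto"].lower(), int(m["dport"]))


def find_two_stage_scans(log_text, window=WINDOW):
    """Return sorted (src, dst) pairs where a TCP/5431 probe is followed by a
    UDP/1900 probe from the same source to the same target within `window`."""
    first_seen = defaultdict(list)  # (src, dst) -> timestamps of TCP/5431 flows
    hits = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:  # skip unparseable lines rather than abort
            continue
        ts, src, dst, stage = rec
        key = (src, dst)
        if stage == FIRST_STAGE:
            first_seen[key].append(ts)
        elif stage == SECOND_STAGE:
            # Only count the second stage if the first stage preceded it in time
            # and within the window; a lone SSDP packet is not a match.
            if any(timedelta(0) <= ts - t <= window for t in first_seen[key]):
                hits.add(key)
    return sorted(hits)


if __name__ == "__main__":
    for src, dst in find_two_stage_scans(SAMPLE_LOG):
        print(f"5431->1900 probe pattern: {src} -> {dst}")
```

Feeding real logs in means replacing `SAMPLE_LOG` and `LINE_RE`; the correlation logic itself does not depend on the format. A hit on an external source against a WAN-facing router address is the case worth alerting on, since a router that answers on UDP/1900 from the internet is exactly the exposure the patch-or-disable advice below is about.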
To address the threat, users should make sure their router has been updated with the latest firmware and patches, or disable UPnP altogether.