[Chinese-English bilingual explanation] The UPnProxy attack: 400 home router models affected, over 60,000 devices already abused by botnets
Posted on: 2018-4-16 16:17 4411


Over 65,000 Home Routers Are Proxying Bad Traffic for Botnets, APTs

The UPnProxy attack: 400 home router models affected, over 60,000 devices already abused by botnets



Before you start reading, learn the correct English for a few terms; they are the high-frequency words of this article:

router (路由器)

traffic (流量)

botnet (僵尸网络)

proxy (代理)

domain name (域名)



Keyword: UPnP

UPnP, in full the Universal Plug and Play, is translated as 通用即插即用 (universal plug and play).

Meaning: a set of networking protocols promoted by the UPnP™ Forum. The goal of the protocols is to let the various devices in home networks (data sharing, communications and entertainment) and corporate networks connect to one another seamlessly, and to simplify the implementation of such networks. UPnP achieves this by defining and publishing UPnP device control protocols built on open, Internet-based communication standards. (Wikipedia)

For a more detailed explanation, see this article.



Botnet operators and cyber-espionage groups (APTs) are abusing the Universal Plug and Play (UPnP) protocol that comes with all modern routers to proxy bad traffic and hide their real location from investigators.

Botnet operators and cyber-espionage groups (APTs) are said to be abusing the Universal Plug and Play (UPnP) protocol used in all modern routers to proxy malicious traffic and keep investigators from seeing their real geographic location.


abuse [ə'bjus] v. to mistreat; to insult; to misuse

Here it is used in the sense of "misuse":

If you abuse something, you use it in a wrong way or for a bad purpose.

eg:

to abuse a privilege

to abuse one's authority


This word is very common; make sure you know how to use it~


In a report published on Monday, Akamai revealed that it detected bad actors abusing at least 65,000 routers to create proxy networks for various types of secret or illegal activities.

On Monday Akamai published a report saying it had detected malicious actors abusing at least 65,000 routers to build proxy networks for a variety of secret or illegal activities.



Bad actors are abusing UPnP

Malicious actors are abusing the UPnP protocol



According to Akamai, attackers are abusing the UPnP protocol, a feature that makes it easier to interconnect local WiFi-enabled devices and forward ports and services to the Internet.

Akamai's report says attackers are abusing the UPnP protocol, which is designed to make it easier to interconnect local wireless devices and to forward ports and services to the Internet.


interconnect v. to link together, to connect with one another.

[,ɪntɚkə'nɛkt]

The meaning is easy to grasp: connect is to link, so interconnect is to link to one another.

For example:


• a series of interconnected lakes

• interconnecting rooms

• Our operating system can now interconnect with other networks.


• In Freud's theory, the two areas of sexuality and violence are interconnected.

• a number of separate but interconnected issues



UPnP is a crucial service for most of today’s routers, but the protocol has been proven to be insecure more than a decade ago, and malware authors have abused various UPnP flaws ever since.

Although UPnP is a critical service for most of today's routers, it was shown to be insecure more than a decade ago, and malware authors have been abusing a variety of UPnP flaws ever since.


decade n. ten years

['dɛked]

decades means tens of years; so what about twenty years?

Twenty years is simply twenty years~ it can also be expressed as a score of years

Akamai says it detected a new way through which bad actors have been recently abusing UPnP. Experts say that bad actors have discovered that some routers expose UPnP services meant for inter-device discovery via their WAN (external Internet) interface.

Akamai says it has detected a new way in which malicious actors are abusing UPnP. Security experts point out that the actors found that certain routers expose, via their WAN (external Internet) interface, UPnP services intended for cross-device discovery.



Attackers leverage UPnP for NAT injections

Attackers leverage UPnP for NAT injection


leverage v. to make use of

['lɛvərɪdʒ]

eg:

Reusable software is leveraged across many applications.


This word looks a lot like "level"~ note that the meanings are quite different~


Hackers have been abusing these misconfigured UPnP services to inject malicious routes inside the router's NAT (Network Address Translation) tables, a set of rules that controls how IPs and ports from the router's internal network are mapped to the network above (usually the Internet).

Hackers have been using these misconfigured UPnP services to inject malicious routes into the router's NAT (Network Address Translation) table. The NAT table is the set of rules that controls how the IPs and ports of the internal network are mapped to the network above it (usually the Internet).


This sentence is long and has a lot of nesting, but the pattern is very common~ let's split it up:

1. Hackers have been abusing these misconfigured UPnP services to inject malicious routes inside the router's NAT (Network Address Translation) tables.

Simplified: hackers have been abusing... to do sth.


2. a set of rules that controls

An appositive clause: a set of rules refers to the router's NAT tables.


3. how IPs and ports from the router's internal network are mapped to the network above (usually the Internet)

Simplified: how IPs and ports are mapped to the network above.


When a sentence is long, remember to split it apart and it becomes easy to understand!


These custom NAT rules allow an attacker to connect to the router's public IP on a specific port, but get redirected automatically to another IP:port combination.

These custom NAT rules let an attacker connect to the router's public IP address on a specific port, yet be automatically redirected to a different IP:port combination.


The common meanings of custom are customs (border control), custom (tradition) and habit, all nouns.


But here it clearly means none of those; in computing, custom is an adjective meaning "customized, user-defined".


In other words, this flaw allows attackers to use routers with misconfigured UPnP services as proxy servers for their operations —hence the reason Akamai codenamed this issue UPnProxy.

In other words, this flaw lets attackers use routers with misconfigured UPnP services as proxy servers for their operations, which is why Akamai codenamed the issue "UPnProxy".


We have run into this word again; let's review the words used for a vulnerability: flaw, vulnerability



Hackers can exploit UPnProxy to bypass firewalls and access internal IP addresses...

Hackers can exploit UPnProxy to bypass firewalls and access internal IP addresses.



... or use the router to redirect the request to an entirely new IP address or domain name.

...or use the router to redirect the request to an entirely new IP address or domain name.



UPnProxy is a serious flaw because it allows an attacker to access the login panel of routers that do not usually expose their backend on the Internet. UPnProxy would redirect a request for [public_IP]:[custom_port] to the router's backend panel hosted on an internal, restricted IP address.

UPnProxy is a serious vulnerability because it lets attackers reach the login panel of routers that normally do not expose their backend to the Internet. UPnProxy redirects a request for [public_IP]:[custom_port] to the router's backend panel hosted on an internal, restricted IP address.


Here is access again; we covered access in the previous article. Do you still remember what access means?


A few common terms:


login panel

backend

frontend



Such routers, despite having weak credentials, weren't previously susceptible to brute-force attacks because their admin panel is harder (and sometimes impossible) to reach by an Internet attacker. UPnProxy now lets attackers carry out brute-force attacks against the backend panels of any device on an internal network.

Although such routers have weak credentials, they were not easy targets for brute-force attacks before, because their admin panels are harder (and sometimes impossible) for an Internet attacker to reach. UPnProxy now lets attackers launch brute-force attacks against the backend panel of any device on the internal network.



UPnProxy abused by at least one APT

UPnProxy abused by at least one APT


In addition, because UPnProxy can be abused to bounce traffic to any other IP address, the flaw can be used to create an entwined network of proxies that redirect traffic through tens or hundreds of IPs before reaching a final destination.

In addition, because UPnProxy can be abused to route traffic to any other IP address, the flaw can be used to build a complex network of proxies that redirects traffic through tens or hundreds of IP addresses before it reaches its final destination.


Such a feature could be abused to mask the location of spam campaigns, phishing pages, advertising click fraud, and for DDoS attacks. Because of this, UPnProxy is ideal for botnet operators, cybercrime-related activity, but also for cyber-espionage as well.

Such a capability can be abused to hide the location behind spam campaigns, phishing pages, ad click fraud and DDoS attacks. UPnProxy is therefore an ideal choice not only for botnet operators and cybercriminals but for cyber-espionage groups as well.


In a separate report, Symantec reported seeing a nation-state-backed actor codenamed "Inception Framework" utilizing the UPnProxy technique to hide their real location behind a cloud of proxies.

Symantec has also published a report saying it observed the state-sponsored group "Inception Framework" using the UPnProxy technique to hide its real location behind a cloud of proxies.



Over 4.8 million routers potentially vulnerable

Over 4.8 million routers potentially vulnerable


Akamai says it detected over 4.8 million routers that expose various UPnP services via the WAN interface. Of these, Akamai experts say they've identified active NAT injections on over 65,000 of these devices, meaning these routers have already been compromised and are actively being used to reroute traffic without the device owner's consent or knowledge.

Akamai says it detected more than 4.8 million routers exposing a variety of UPnP services via the WAN interface. Among them, active NAT injections were found on 65,000 devices, meaning these routers have already been compromised and are being used to redirect traffic without the owner's consent or knowledge.


Identifying compromised or vulnerable routers is not a trivial operation unless the device owner can find and audit the router's NAT tables, a task that's out of the reach of almost 99.99% of all SOHO router owners.

Finding compromised or vulnerable routers is no easy task unless the device owner can locate and audit the router's NAT table, something that is beyond almost 99.99% of SOHO router owners.
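As an added illustration of what such a NAT-table audit looks for (example code written for this post, not Akamai's script), the Python below parses constructed UPnP GetGenericPortMappingEntry responses and flags the two UPnProxy patterns the article describes: a WAN port mapped to the router's own address (the exposed admin panel) and a WAN port mapped to an address outside the LAN (the router acting as a proxy). The LAN range 192.168.1.0/24, the gateway address 192.168.1.1 and every sample entry are assumptions made up for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed GetGenericPortMappingEntry SOAP responses, the WANIPConnection action
# a UPnP client uses to walk a router's NAT table. Made up for this example, not captured.
_TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
    '<NewInternalPort>{iport}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>'
    '<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
)
SAMPLE_RESPONSES = [
    # a normal forward: a LAN host runs a game server
    _TEMPLATE.format(ext=27015, proto="UDP", iport=27015, client="192.168.1.20", desc="game"),
    # WAN port redirected to the router's own web server: the admin panel is exposed
    _TEMPLATE.format(ext=8080, proto="TCP", iport=80, client="192.168.1.1", desc=""),
    # WAN port redirected to a host outside the LAN: the router acts as a proxy
    _TEMPLATE.format(ext=47190, proto="TCP", iport=443, client="198.51.100.77", desc=""),
]

def parse_mapping(soap_xml):
    """Pull the fields of one port-mapping entry out of a SOAP response."""
    root = ET.fromstring(soap_xml)
    def field(name):  # argument elements are unqualified in UPnP SOAP bodies
        el = root.find(".//" + name)
        return el.text.strip() if el is not None and el.text else ""
    return {"ext_port": int(field("NewExternalPort")), "proto": field("NewProtocol"),
            "int_port": int(field("NewInternalPort")), "client": field("NewInternalClient"),
            "desc": field("NewPortMappingDescription")}

def classify_mapping(mapping, lan_net, router_ip):
    """Verdict for one entry: 'ok', 'router-admin-exposed' or 'proxy-to-internet'."""
    client = ipaddress.ip_address(mapping["client"])
    if client == ipaddress.ip_address(router_ip):
        return "router-admin-exposed"  # [public_IP]:[custom_port] now reaches the gateway itself
    if client not in ipaddress.ip_network(lan_net):
        return "proxy-to-internet"     # the "internal" client is not a LAN host at all
    return "ok"

def audit(responses, lan_net="192.168.1.0/24", router_ip="192.168.1.1"):
    """Return (external port, protocol, internal client, internal port, verdict) per entry."""
    rows = []
    for xml in responses:
        m = parse_mapping(xml)
        rows.append((m["ext_port"], m["proto"], m["client"], m["int_port"],
                     classify_mapping(m, lan_net, router_ip)))
    return rows
```

On a real device the same responses would be obtained by calling GetGenericPortMappingEntry with NewPortMappingIndex 0, 1, 2... from the LAN side until the router returns an error; only the verdict logic above is shown here.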


out of the reach: beyond one's ability; beyond comprehension; unattainable

out of reach of


This is very common in instruction leaflets, e.g.:


Keep this container out of the reach of children and pets.



To help users, Akamai has compiled a list of 400 router models from 73 vendors that they identified as exposing UPnP services via the WAN interface, and which they suspect may be vulnerable to UPnProxy attacks.

To help, Akamai has compiled a list of 400 router models from 73 vendors that were identified as exposing UPnP services via the WAN interface and that may be vulnerable to UPnProxy attacks.


vendor n. seller; supplier

eg:

leading software vendors



Mitigating UPnProxy attacks would require a massive effort from all affected vendors. This would imply releasing firmware updates that correct UPnP configs to stop exposing UPnP services via WAN interfaces. In the meantime, the only advice Akamai was able to provide was that users replace existing router models with one not found on their list.

Mitigating UPnProxy attacks would require a great deal of effort from all affected vendors, namely releasing firmware updates that correct the UPnP configuration so that UPnP services are no longer exposed via the WAN interface. In the meantime, the only advice Akamai could give is to replace existing router models with models not on the list.


config

[kən'fɪg]

n. configuration, layout; the command that displays configuration information

eg: Config Files


Same as: configuration


replace A with B

eg:

Replace original with update



In addition, the company also provided a Bash script that can identify vulnerable or actively exploited routers, albeit this script won't be useful unless users know how to connect to their router's terminal via SSH, run and interpret the results of a Bash script.

In addition, Akamai also provided a Bash script for identifying vulnerable or actively exploited routers, although the script only helps if the user knows how to connect to the router's terminal over SSH and how to run a Bash script and interpret its output.


terminal

[tɝmənl]

n. end; terminus; terminal device; limit. In computing it means "terminal".


Review: what are frontend and backend again?



Everyone is welcome to reply and discuss~


Previous article:

A few things you need to know about April's Patch Tuesday



Original: bleepingcomputer (click to view)

Translation: 360 Code Guard (360代码卫士)

Compiled and edited by 哆啦咪 of the Kanxue (看雪) translation team; please credit the Kanxue forum when reposting.



Last edited by CCkicker on 2018-4-16 16:19, reason: formatting adjustment
Latest replies (3)
Would domestic brands like TP-LINK be exploited?
2018-4-16 16:33
病毒小子: Would domestic brands like TP-LINK be exploited?
You can see the list of affected routers here: https://www.akamai.com/us/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf
2018-4-16 16:44
哆啦咪: You can see the list of affected routers here: https://www.akamai.com/us/en/multimedia/documents/white-paper/upnproxy-blackhat-pro ...
I had a look; several brands that are widely used domestically are on the list, such as D-Link, ASUS, NETCORE, NETGEAR and Tenda.
2018-4-16 16:57