Last month we learned about a new vulnerability dubbed “CallStranger” which shows how UPnP can be used to exfiltrate data and perform DDoS amplification attacks. Billions of devices are vulnerable.
Essentially, an attacker can use the UPnP SUBSCRIBE mechanism to force a device to connect to an arbitrary URL.
Taking it for a spin
We loaded up the Corelight plugin in CloudShark’s new Zeek Logs analysis tool and took it for a spin!
Using our new Zeek Logs analysis tool in CloudShark we can see the new Notice entry that the Corelight plugin is creating!
Take a moment to look around CloudShark at the other Zeek logs that are created.
Get back to the packets
In the log view, clicking on a row will open a dialog with all the details for that row. From there you can click on the “View Packets” button to expose the raw packets related to that Zeek notice! You can also jump straight to the Follow Stream here.
What did we learn? UPnP is bad, Zeek is good, and CloudShark brings you the tools to understand network traffic and communicate your findings.
Have an awesome day.