Originally posted November 2018, updated in 2022 \r\n Overview \r\n \r\n UPnProxy is alive and well. There are 277,000 devices, out of a pool of 3.5 million, running vulnerable implementations of UPnP. Of those, Akamai can confirm that more than 45,000 have been compromised in a widely distributed UPnP NAT injection campaign. These injections expose machines living behind the router to the Internet and appear to target the service ports used by SMB.   \r\n \r\n Background \r\n Earlier this year,  Akamai researchers reported on how Universal Plug and Play (UPnP) was being abused  by attackers to conceal traffic, creating a malicious proxy system we've called UPnProxy. Because UPnProxy can be leveraged to route an attacker's traffic at will, there is a serious risk that this flaw can be leveraged in a number of attacks, including spam, phishing, click fraud, and DDoS. \r\n Now, six months later, we're seeing evidence that UPnProxy alive and well.…