{"id":39316,"date":"2021-01-27T20:26:11","date_gmt":"2021-01-27T20:26:11","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer\/"},"modified":"2021-01-27T20:26:11","modified_gmt":"2021-01-27T20:26:11","slug":"knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer\/","title":{"rendered":"Knock, knock. Who&#8217;s there? NAT. Nat who? A NAT URL-borne killer"},"content":{"rendered":"<p><span data-label=\"video\">Video<\/span> Ben Seri and Gregory Vishnepolsky, threat researchers at Armis, have found a way to expand upon the NAT Slipstream attack disclosed last year by Samy Kamkar, CSO of Openpath Security.<\/p>\n<p>The original <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2020\/11\/02\/application_level_gateway_flaw\/\" rel=\"noopener noreferrer\">NAT Slipstream<\/a> potentially allowed a miscreant to access any TCP\/UDP service tied to a victim&#8217;s machine by bypassing the victim&#8217;s NAT (Network Address Translation) and firewall defenses. 
It can be triggered via JavaScript code on a malicious website.<\/p>\n<p>NAT Slipstream v2 takes the technique further by allowing a hacker to penetrate a vulnerable NAT\/firewall and reach any internal IP on the network, rather than just the IP address of the victim&#8217;s device.<\/p>\n<p>In other words, it may expose every connected thing on a targeted network \u2013 printers, video cameras, industrial control systems, and other unmanaged hardware \u2013 to the internet. Such devices, which generally lack security controls, may then be compromised and commandeered or otherwise abused.<\/p>\n<p>Version one of the attack involves using malicious JavaScript code that sends traffic to the victim&#8217;s machine using a protocol that traverses NAT and obtains the IP address of the victim&#8217;s computer. The script then builds an outbound HTTP POST request that tries to initiate a SIP video-conferencing session. The victim&#8217;s vulnerable NAT\/firewall&#8217;s Application Level Gateway (ALG) then opens an external port to the victim&#8217;s device.<\/p>\n<p>When Kamkar corresponded with <i>The Register<\/i> last year, he noted that browsers support protocols like WebRTC <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/WebRTC_API\/Protocols\">TURN<\/a> (Traversal Using Relays around NAT) that evade port blocks and might be useful for further attacks.<\/p>\n<h3 class=\"crosshead\"> <span>You were warned<\/span><br \/>\n<\/h3>\n<p>NAT Slipstream v2 validates that supposition. 
It relies on H.323, a VoIP protocol similar to SIP, and WebRTC TURN.<\/p>\n<p>&#8220;The new variant to the NAT Slipstreaming attack is comprised of two primitives, the first explores the H.323 ALG, and the second expands the attack surface of the various NAT ALGs reachable from a browser, by abusing the WebRTC TURN server API via JavaScript,&#8221; explain Seri and Vishnepolsky in a <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/www.armis.com\/resources\/iot-security-blog\/nat-slipstreaming-v2-0-new-attack-variant-can-expose-all-internal-network-devices-to-the-internet\/#details\">blog post<\/a>.<\/p>\n<p>The process is demonstrated in this video:<\/p>\n<p> <a href=\"https:\/\/www.youtube.com\/watch?v=M-6ppoYDEV4\" data-media=\"x-videoplayer\">Youtube Video<\/a>\n<\/p>\n<p>But Seri and Vishnepolsky add that the risk presented by this attack depends upon how the traffic gets handled and the specific implementation of the targeted system because not all NATs provide ALGs nor enable them by default.<\/p>\n<p>On Linux 4.14 and above, they observe, the exploited ALG behavior is disabled by default for security reasons. At the same time, they point out that consumer-grade routers rely on older Linux versions and some Linux-based products re-activate the vulnerable behavior. They said that OpenWRT, a Linux based router distribution using the 4.1 kernel, is not affected, but &#8220;most routers\/NATs\/firewalls are affected at least in some way.&#8221;<\/p>\n<p>The researchers disclosed their findings to the major browser vendors back in November 2020, and patches, consisting of port restrictions, have been deployed since then.<\/p>\n<p>Chrome&#8217;s fix arrived in <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/chromereleases.googleblog.com\/2021\/01\/stable-channel-update-for-desktop.html\">v87.0.4280.141<\/a>, on January 6, 2021. 
Microsoft Edge also deployed its fix, in <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-us\/vulnerability\/ADV200002\">v87.0.664.75<\/a>, Apple released <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/support.apple.com\/en-us\/HT201222\">Safari v14.0.3 beta<\/a>, with a stable channel release expected soon. And Mozilla&#8217;s fixed up <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2021\/01\/27\/firefox_85_crumbles_supercookies\/\" rel=\"noopener noreferrer\">Firefox 85<\/a> arrived on Tuesday, January 26.<\/p>\n<p>Seri and Vishnepolsky expressed doubt that these defenses will be the end of this particular attack vector. NATs, they say, were designed at a time when security was not a priority.<\/p>\n<p>&#8220;Legacy requirements such as ALGs, are still a dominant theme in the design of NATs, today, and are the primary reason bypassing attacks are found again and again,&#8221; they conclude. 
\u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2021\/01\/27\/nat_slipstream_bypass\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last year&#8217;s slipstream technique revived to pierce vulnerable firewalls \u2013 browsers patched to thwart bypass attempts Video\u00a0 Ben Seri and Gregory Vishnepolsky, threat researchers at Armis, have found a way to expand upon the NAT Slipstream attack disclosed last year by Samy Kamkar, CSO of Openpath Security.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-39316","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Knock, knock. Who&#039;s there? NAT. Nat who? A NAT URL-borne killer 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Knock, knock. Who&#039;s there? NAT. Nat who? 
A NAT URL-borne killer 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-01-27T20:26:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2YBIYfYAKwsYuVRyV57i3BAAAAAo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Knock, knock. Who&#8217;s there? NAT. Nat who? 
A NAT URL-borne killer\",\"datePublished\":\"2021-01-27T20:26:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer\\\/\"},\"wordCount\":605,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2YBIYfYAKwsYuVRyV57i3BAAAAAo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer\\\/\",\"name\":\"Knock, knock. Who's there? NAT. Nat who? 
A NAT URL-borne killer 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2YBIYfYAKwsYuVRyV57i3BAAAAAo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2021-01-27T20:26:11+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2YBIYfYAKwsYuVRyV57i3BAAAAAo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;ti
le=2&amp;c=2YBIYfYAKwsYuVRyV57i3BAAAAAo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/knock-knock-whos-there-nat-nat-who-a-nat-url-borne-killer\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Knock, knock. Who&#8217;s there? NAT. Nat who? A NAT URL-borne killer\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/39316","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=39316"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/39316\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=39316"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=39316"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=39316"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}