
Hundreds of Networks Still Host Devices Infected With VPNFilter Malware

The VPNFilter malware is still present in hundreds of networks and malicious actors could take control of the infected devices, according to researchers at cybersecurity firm Trend Micro.

Identified in 2018 and mainly focusing on Ukraine, VPNFilter rose to fame quickly due to the targeting of a large number of routers and network-attached storage (NAS) devices from ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL, and ZTE.

Believed to be operated by Russian threat actor Sofacy, with possible involvement from Sandworm, VPNFilter emerged as a major threat right from the start: 50 impacted device models, the potential to compromise critical infrastructure, and approximately 500,000 bots observed across 54 countries.

Deep analysis of the malware revealed extensive capabilities: various modules allow it to map networks, exploit endpoints connected to infected devices, exfiltrate data, encrypt communications with the command and control (C&C) server, find additional victims, and create a network of proxies for future abuse.

VPNFilter first attempts to obtain the address of its C&C server from an image hosted on Photobucket. If that fails, it attempts to obtain the C&C address from toknowall[.]com, and if that also fails, it monitors incoming packets for a specially crafted TCP packet containing the IP of the C&C server.
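The C&C discovery chain described above gives defenders two DNS-level indicators: a router resolving a Photobucket hostname (weak on its own, since Photobucket is a legitimate service) followed by a lookup of toknowall[.]com (the sinkholed fallback). The script below is an added example, not Trend Micro's or SecurityWeek's code; it parses a constructed DNS query log format, refangs the defanged domain, and reports which internal clients matched which indicator.

```python
"""
Added detection example (not from the original article): flag internal hosts
whose DNS queries match the VPNFilter stage-1 C&C discovery chain described in
the text. The log line format and every sample line are constructed here.
"""
import re
from collections import defaultdict

# Indicators named in the article. toknowall[.]com is kept in defanged form
# and refanged at match time so the indicator list stays copy-safe.
VPNFILTER_DNS_INDICATORS = {
    "photobucket.com": "stage-1 C&C address lookup via hosted image (weak alone)",
    "toknowall[.]com": "stage-1 C&C fallback domain (sinkholed)",
}


def refang(domain: str) -> str:
    """Turn defanged notation such as toknowall[.]com back into toknowall.com."""
    return domain.replace("[.]", ".")


# Constructed log line format: "<ts> client=<ip> query=<name> type=<rr>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>[\d.]+)\s+query=(?P<name>\S+)\s+type=(?P<rr>\w+)$"
)


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def matches_indicator(qname: str, indicator: str) -> bool:
    """True if qname is the indicator domain itself or a subdomain of it.

    A suffix test on ".<domain>" avoids false positives such as
    nottoknowall.com, which merely ends with the indicator's characters.
    """
    qname = qname.rstrip(".").lower()
    ind = refang(indicator).lower()
    return qname == ind or qname.endswith("." + ind)


def find_suspect_clients(lines):
    """Map each client IP to the (timestamp, queried name, reason) hits it produced."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed input instead of aborting the sweep
        for indicator, reason in VPNFILTER_DNS_INDICATORS.items():
            if matches_indicator(rec["name"], indicator):
                hits[rec["client"]].append((rec["ts"], rec["name"], reason))
    return dict(hits)


# Constructed sample log; 192.0.2.0/24 is documentation address space.
SAMPLE_DNS_LOG = [
    "2020-01-15T08:00:01Z client=192.0.2.1 query=i.photobucket.com. type=A",
    "2020-01-15T08:00:02Z client=192.0.2.1 query=toknowall.com. type=A",
    "2020-01-15T08:00:05Z client=192.0.2.2 query=toknowall.com. type=A",
    "2020-01-15T08:00:09Z client=192.0.2.3 query=example.org. type=A",
    "not a log line",
    "2020-01-15T08:01:00Z client=192.0.2.4 query=nottoknowall.com. type=A",
]

if __name__ == "__main__":
    for client, matches in sorted(find_suspect_clients(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {len(matches)} indicator hit(s)")
        for ts, name, reason in matches:
            print(f"  {ts}  {name:<24} {reason}")
```

Because the article notes that the sinkhole count undercounts infections where the domain is blocked at the DNS level, a blocked or NXDOMAIN answer for toknowall[.]com in the resolver's own logs is as much a signal as a successful lookup; the client's identity matters more than the response.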

In an effort to determine whether the botnet continues to pose a real threat after more than two years since the initial attacks, Trend Micro’s security researchers reached out to the Shadowserver Foundation, which, in collaboration with Cisco Talos, the FBI, and the US Department of Justice, has sinkholed toknowall[.]com.

Data gathered from the sinkhole shows that 5,447 unique devices are still connecting to the domain, meaning that they are still infected. The number of infections, however, is believed to be higher, as the domain might be blocked at the DNS level on some networks, hiding those devices from the sinkhole.

“It is important to remember that because these are routers and other similar types of devices, this number also represents thousands of infected networks, not simply individual machines. This means that the reach and visibility for attackers with a botnet like this can be substantial,” Trend Micro says.

The security researchers also decided to check whether it would be possible to feed a new IP address to infected devices, to see how many of them were still waiting for a second-stage payload. They crafted a packet, sent it, and observed that 1,801 networks responded to it, while 363 of those networks connected back to the sinkhole on TCP port 443.

“Although only 363 networks connected back to our sinkhole, we cannot assume that the 1,801 networks that gave us an initial positive response are clean. They might still be infected by VPNFilter, but the connection to our sinkhole could have been blocked if they are behind a firewall,” Trend Micro says.

The networks that reached out, the researchers say, can easily be taken over by any threat actor with knowledge of how the VPNFilter malware works; from a technical perspective, nothing prevents that. The original actor, too, could regain control of these devices at any point in time, the researchers say.

The problem, Trend Micro explains, could be addressed through firmware updates, especially since the malware has been around for so long and solutions to remedy infections do exist. Contrary to what was initially believed, however, simply restarting the infected devices won't solve the issue.

VPNFilter, the researchers believe, will continue to lurk around until the infected devices are replaced. Many of them lack an automated firmware update mechanism, so users have to update them manually, and only if they have access to the routers to perform the update and the vendor has actually issued a patch.

Related: FBI Attribution of ‘VPNFilter’ Attack Raises Questions

Related: Industrial IoT: Protecting the Physical World from Cyber Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
