Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

Hundreds of Networks Still Host Devices Infected With VPNFilter Malware

The VPNFilter malware is still present in hundreds of networks and malicious actors could take control of the infected devices, according to researchers at cybersecurity firm Trend Micro.

The VPNFilter malware is still present in hundreds of networks and malicious actors could take control of the infected devices, according to researchers at cybersecurity firm Trend Micro.

Identified in 2018 and mainly focusing on Ukraine, VPNFilter rose to fame quickly due to the targeting of a large number of routers and network-attached storage (NAS) devices from ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL, and ZTE.

Believed to be operated by Russian threat actor Sofacy, with possible involvement from Sandworm, VPNFilter emerged as a major threat right from the start: 50 impacted device models, the potential to compromise critical infrastructure, and approximately 500,000 bots observed across 54 countries.

Deep analysis of the malware revealed extensive capabilities: various modules allow it to map networks, exploit endpoints connected to infected devices, exfiltrate data, encrypt communications with the command and control (C&C) server, find additional victims, and create a network of proxies for future abuse.

VPNFilter first attempts to obtain the address of its C&C server from an image hosted on Photobucket. If that fails, it attempts to obtain the C&C address from toknowall[.]com, and if that also fails, it monitors incoming packets for a specially crafted TCP packet containing the IP of the C&C server.

In an effort to determine whether the botnet continues to pose a real threat after more than two years since the initial attacks, Trend Micro’s security researchers reached out to the Shadowserver Foundation, which, in collaboration with Cisco Talos, the FBI, and the US Department of Justice, has sinkholed toknowall[.]com.

Data gathered from the sinkhole shows that 5,447 unique devices are still connecting to the domain, meaning that they are still infected. The number of infections, however, is believed to be higher, as the domain might be blocked at DNS level.

“It is important to remember that because these are routers and other similar types of devices, this number also represents thousands of infected networks, not simply individual machines. This means that the reach and visibility for attackers with a botnet like this can be substantial,” Trend Micro says.

The security researchers also decided to check if it would be possible to feed a new IP address to infected devices, to see how many of them were still waiting for a second-stage payload. They crafted a packet, sent it, and noticed that 1,801 networks did respond to it, while 363 of the networks reached back to the sinkhole on port TCP 443.

“Although only 363 networks connected back to our sinkhole, we cannot assume that the 1,801 networks that gave us an initial positive response are clean. They might still be infected by VPNFilter, but the connection to our sinkhole could have been blocked if they are behind a firewall,” Trend Micro says.

The networks that reached out, the researchers say, can easily be taken over by any threat actor with knowledge of how the VPNFilter malware works, and there’s nothing to prevent that, from a technical perspective. The original actor too can regain control of these devices at any point in time, the researchers say.

The problem, Trend Micro explains, could be addressed through firmware updates, especially since the malware has been around for so long, and solutions to remedy infections do exist. Simply restarting the infected devices, however, won’t solve the issue, as initially believed.

VPNFilter, the researchers believe, will continue to lurk around until the infected devices are replaced, as many of them lack an automated firmware update system, meaning that users have to manually update them, provided that they indeed have access to the routers to perform the update and that the vendor has issued a patch.

Related: FBI Attribution of ‘VPNFilter’ Attack Raises Questions

Related: Industrial IoT: Protecting the Physical World from Cyber Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.