
Hundreds of Networks Still Host Devices Infected With VPNFilter Malware

The VPNFilter malware is still present in hundreds of networks and malicious actors could take control of the infected devices, according to researchers at cybersecurity firm Trend Micro.

Identified in 2018 and mainly focusing on Ukraine, VPNFilter rose to fame quickly due to the targeting of a large number of routers and network-attached storage (NAS) devices from ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL, and ZTE.

Believed to be operated by Russian threat actor Sofacy, with possible involvement from Sandworm, VPNFilter emerged as a major threat right from the start: 50 impacted device models, the potential to compromise critical infrastructure, and approximately 500,000 bots observed across 54 countries.

Deep analysis of the malware revealed extensive capabilities: various modules allow it to map networks, exploit endpoints connected to infected devices, exfiltrate data, encrypt communications with the command and control (C&C) server, find additional victims, and create a network of proxies for future abuse.

VPNFilter first attempts to obtain the address of its C&C server from an image hosted on Photobucket. If that fails, it attempts to obtain the C&C address from toknowall[.]com, and if that also fails, it monitors incoming packets for a specially crafted TCP packet containing the IP of the C&C server.

In an effort to determine whether the botnet continues to pose a real threat after more than two years since the initial attacks, Trend Micro’s security researchers reached out to the Shadowserver Foundation, which, in collaboration with Cisco Talos, the FBI, and the US Department of Justice, has sinkholed toknowall[.]com.

Data gathered from the sinkhole shows that 5,447 unique devices are still connecting to the domain, meaning that they are still infected. The number of infections, however, is believed to be higher, as the domain might be blocked at DNS level.

“It is important to remember that because these are routers and other similar types of devices, this number also represents thousands of infected networks, not simply individual machines. This means that the reach and visibility for attackers with a botnet like this can be substantial,” Trend Micro says.

The security researchers also decided to check whether it would be possible to feed a new IP address to the infected devices, to see how many of them were still waiting for a second-stage payload. They crafted such a packet and sent it: 1,801 networks responded to it, and 363 of those networks then connected back to the sinkhole on TCP port 443.

“Although only 363 networks connected back to our sinkhole, we cannot assume that the 1,801 networks that gave us an initial positive response are clean. They might still be infected by VPNFilter, but the connection to our sinkhole could have been blocked if they are behind a firewall,” Trend Micro says.
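The sinkhole reasoning above (devices that resolve the fallback domain are infected; devices that resolve it but never reach the sinkhole may simply be blocked at DNS level or behind a firewall) can be reproduced from a defender's own resolver and egress-flow logs. The following is an added example, not code from Trend Micro or Shadowserver; the log formats, source addresses and the sinkhole address are constructed, and only toknowall[.]com and port 443 come from the article.

```python
"""Triage VPNFilter C&C beacons from constructed resolver and flow logs."""
import re
from collections import defaultdict

VPNFILTER_C2_DOMAIN = "toknowall.com"   # fallback C&C domain named in the article
SINKHOLE_IP = "192.0.2.10"              # constructed (TEST-NET-1), not the real sinkhole
SINKHOLE_PORT = 443                     # port the article reports for call-backs

# Constructed sample logs. Formats (assumed, not a real product's):
#   "<ts> <src_ip> query <domain>"  and  "<ts> <src_ip> -> <dst_ip>:<port> <action>"
DNS_LOG = """\
2020-01-15T10:01:02Z 10.0.1.1 query toknowall.com
2020-01-15T10:01:05Z 10.0.2.1 query toknowall.com
2020-01-15T10:01:09Z 10.0.3.1 query example.org
2020-01-15T10:02:11Z 10.0.1.1 query toknowall.com
"""
FLOW_LOG = """\
2020-01-15T10:01:03Z 10.0.1.1 -> 192.0.2.10:443 allow
2020-01-15T10:01:06Z 10.0.2.1 -> 192.0.2.10:443 deny
2020-01-15T10:03:00Z 10.0.3.1 -> 93.184.216.34:443 allow
"""

DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")

def normalize_domain(domain: str) -> str:
    """Strip defanging brackets and trailing dot so indicators match log entries."""
    return domain.replace("[.]", ".").rstrip(".").lower()

def triage(dns_log: str, flow_log: str) -> dict:
    """Per source IP (one router, hence one network): did it resolve the C&C
    domain, and which firewall actions were seen on its sinkhole connections."""
    evidence = defaultdict(lambda: {"resolved": False, "sinkhole": set()})
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m and normalize_domain(m.group(3)) == VPNFILTER_C2_DOMAIN:
            evidence[m.group(2)]["resolved"] = True
    for line in flow_log.splitlines():
        m = FLOW_RE.match(line)
        if m and m.group(3) == SINKHOLE_IP and int(m.group(4)) == SINKHOLE_PORT:
            evidence[m.group(2)]["sinkhole"].add(m.group(5))
    return dict(evidence)

def summarize(evidence: dict) -> dict:
    """Counts mirroring the article: resolvers, confirmed call-backs, and the
    devices that resolved the domain but never reached the sinkhole."""
    resolved = {ip for ip, e in evidence.items() if e["resolved"]}
    reached = {ip for ip, e in evidence.items() if "allow" in e["sinkhole"]}
    return {"resolved": len(resolved), "reached_sinkhole": len(reached),
            "suspect_unconfirmed": len(resolved - reached)}
```

The "suspect_unconfirmed" bucket is the point of the article's caveat: a device that looked up the domain but whose call-back was denied is still treated as infected, not as clean.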

The networks that reached out, the researchers say, could easily be taken over by any threat actor who understands how VPNFilter works, and from a technical perspective nothing prevents that. The original operators could also regain control of these devices at any time, the researchers add.

The problem, Trend Micro explains, could be addressed through firmware updates, especially since the malware has been known for so long and remediation guidance exists. Simply restarting an infected device, however, does not clear the infection, contrary to what was initially believed.

VPNFilter, the researchers believe, will continue to lurk until the infected devices are replaced. Many of them lack an automated firmware update mechanism, so users must update them manually, which assumes both that they have administrative access to the router and that the vendor has actually issued a patch.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
