The VPNFilter malware is still present in hundreds of networks and malicious actors could take control of the infected devices, according to researchers at cybersecurity firm Trend Micro.
Identified in 2018 and mainly focusing on Ukraine, VPNFilter rose to fame quickly due to the targeting of a large number of routers and network-attached storage (NAS) devices from ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL, and ZTE.
Believed to be operated by Russian threat actor Sofacy, with possible involvement from Sandworm, VPNFilter emerged as a major threat right from the start: 50 impacted device models, the potential to compromise critical infrastructure, and approximately 500,000 bots observed across 54 countries.
Deep analysis of the malware revealed extensive capabilities: various modules allow it to map networks, exploit endpoints connected to infected devices, exfiltrate data, encrypt communications with the command and control (C&C) server, find additional victims, and create a network of proxies for future abuse.
VPNFilter first attempts to obtain the address of its C&C server from an image hosted on Photobucket. If that fails, it attempts to obtain the C&C address from toknowall[.]com, and if that also fails, it monitors incoming packets for a specially crafted TCP packet containing the IP of the C&C server.
In an effort to determine whether the botnet continues to pose a real threat after more than two years since the initial attacks, Trend Micro’s security researchers reached out to the Shadowserver Foundation, which, in collaboration with Cisco Talos, the FBI, and the US Department of Justice, has sinkholed toknowall[.]com.
Data gathered from the sinkhole shows that 5,447 unique devices are still connecting to the domain, meaning that they are still infected. The actual number of infections, however, is believed to be higher, as the domain might be blocked at the DNS level on some networks.
“It is important to remember that because these are routers and other similar types of devices, this number also represents thousands of infected networks, not simply individual machines. This means that the reach and visibility for attackers with a botnet like this can be substantial,” Trend Micro says.
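The fallback chain above gives defenders one concrete indicator: a device resolving the sinkholed C&C domain. The following added example (not from Trend Micro or the article) parses constructed DNS resolver log lines in an assumed `timestamp client qname qtype` format, flags clients that looked up that domain, and collapses the hits into networks (an assumed /24 grouping) to reflect the point that each router stands for a whole network.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed DNS resolver log lines (assumed format, not from the article).
# Each line: timestamp client-ip query-name query-type
SAMPLE_DNS_LOG = """\
2020-01-10T08:00:01Z 203.0.113.10 toknowall.com A
2020-01-10T08:00:05Z 203.0.113.10 photobucket.com A
2020-01-10T08:01:12Z 198.51.100.7 example.org A
2020-01-10T08:02:44Z 203.0.113.22 TOKNOWALL.COM. A
2020-01-10T08:03:01Z 192.0.2.9 toknowall.com AAAA
"""

# The C&C fallback domain named in the article (sinkholed by Shadowserver).
# The first-stage Photobucket lookup is deliberately not matched: it is a
# legitimate, widely used service and a lookup alone is not an indicator.
VPNFILTER_C2_DOMAINS = {"toknowall.com"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def find_c2_lookups(log_text, domains=VPNFILTER_C2_DOMAINS):
    """Return {client_ip: [query names]} for clients resolving a C&C domain.

    Query names are normalised (trailing dot removed, lower-cased) so that
    case or FQDN formatting differences in the log do not hide a match.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        qname = m.group("qname").rstrip(".").lower()
        if qname in domains:
            hits[m.group("client")].append(qname)
    return dict(hits)


def count_affected_networks(client_ips, prefix_len=24):
    """Collapse infected device IPs into the networks they front.

    The article stresses that an infected router represents an entire
    network; /24 is an assumed grouping for illustration.
    """
    nets = {
        ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        for ip in client_ips
    }
    return len(nets)
```

Running `find_c2_lookups(SAMPLE_DNS_LOG)` on the constructed log flags three clients across two /24 networks; in practice the same logic would be pointed at resolver or firewall DNS logs.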
The security researchers also decided to check whether it would be possible to feed a new IP address to infected devices, to see how many of them were still waiting for a second-stage payload. They crafted a packet, sent it, and noticed that 1,801 networks responded to it, while 363 of those networks reached back to the sinkhole on TCP port 443.
“Although only 363 networks connected back to our sinkhole, we cannot assume that the 1,801 networks that gave us an initial positive response are clean. They might still be infected by VPNFilter, but the connection to our sinkhole could have been blocked if they are behind a firewall,” Trend Micro says.
The networks that reached out, the researchers say, can easily be taken over by any threat actor with knowledge of how the VPNFilter malware works, and there’s nothing to prevent that, from a technical perspective. The original actor too can regain control of these devices at any point in time, the researchers say.
The problem, Trend Micro explains, could be addressed through firmware updates, especially since the malware has been around for so long and solutions to remedy infections do exist. Simply restarting the infected devices, however, won't solve the issue, contrary to what was initially believed.
VPNFilter, the researchers believe, will continue to lurk until the infected devices are replaced. Many of them lack an automated firmware update system, meaning that users have to update them manually, provided that they actually have access to the routers to perform the update and that the vendor has issued a patch.