
Hundreds of Networks Still Host Devices Infected With VPNFilter Malware
2021-01-19 18:25

The VPNFilter malware is still present in hundreds of networks and malicious actors could take control of the infected devices, according to researchers at cybersecurity firm Trend Micro.

Identified in 2018 and mainly focusing on Ukraine, VPNFilter rose to fame quickly due to the targeting of a large number of routers and network-attached storage devices from ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL, and ZTE. Believed to be operated by Russian threat actor Sofacy, with possible involvement from Sandworm, VPNFilter emerged as a major threat right from the start: 50 impacted device models, the potential to compromise critical infrastructure, and approximately 500,000 bots observed across 54 countries.

Deep analysis of the malware revealed extensive capabilities: various modules allow it to map networks, exploit endpoints connected to infected devices, exfiltrate data, encrypt communications with the command and control server, find additional victims, and create a network of proxies for future abuse.

Data gathered from the sinkhole shows that 5,447 unique devices are still connecting to the sinkholed domain, meaning that they are still infected.

The security researchers also decided to check whether it would be possible to feed a new IP address to infected devices, to see how many of them were still waiting for a second-stage payload. They crafted a packet, sent it, and observed that 1,801 networks responded to it, while 363 of those networks reached back to the sinkhole on TCP port 443.

"Although only 363 networks connected back to our sinkhole, we cannot assume that the 1,801 networks that gave us an initial positive response are clean. They might still be infected by VPNFilter, but the connection to our sinkhole could have been blocked if they are behind a firewall," Trend Micro says.
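The two measurements above (devices still connecting, and networks that answered the probe versus networks that completed a callback on TCP 443) are the kind of triage a sinkhole operator runs over connection logs. The script below is an added example written for this article, not Trend Micro's code; it assumes a simple, constructed log format (timestamp, source IP, destination port, stage) and groups sources into /24 networks, reporting separately the networks that responded but never called back, which is exactly the "possibly behind a firewall" population the quote refers to.

```python
"""Sinkhole log triage: count devices and networks still calling back.

Added example, not the researchers' tooling. Assumes a constructed
connection-log format written by the sinkhole listener:
    <ISO timestamp> <src_ip> <dst_port> <stage>
where <stage> is "probe" (an initial positive response to the crafted
packet) or "callback" (a full TCP connection to the sinkhole).
"""
import ipaddress
from typing import Dict, List, NamedTuple

# Constructed sample log lines; all addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2021-01-15T10:00:01Z 198.51.100.10 443 probe
2021-01-15T10:00:02Z 198.51.100.10 443 callback
2021-01-15T10:00:03Z 198.51.100.11 443 probe
2021-01-15T10:00:04Z 203.0.113.7 443 probe
2021-01-15T10:00:05Z 203.0.113.7 443 callback
2021-01-15T10:00:06Z 203.0.113.7 443 callback
2021-01-15T10:00:07Z 192.0.2.200 443 probe
2021-01-15T10:00:08Z 192.0.2.201 8080 probe
malformed line that should be skipped
"""


class Record(NamedTuple):
    ts: str
    src: ipaddress.IPv4Address
    port: int
    stage: str


def parse_log(text: str) -> List[Record]:
    """Parse the sinkhole log, silently skipping lines that do not fit the format."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, port, stage = parts
        try:
            records.append(Record(ts, ipaddress.IPv4Address(src), int(port), stage))
        except ValueError:  # bad address or non-numeric port
            continue
    return records


def summarize(records: List[Record], port: int = 443, prefix: int = 24) -> Dict[str, int]:
    """Count distinct source devices and /prefix networks by stage on the given port.

    unique_devices      - every source address seen at all (still talking to the sinkhole)
    responding_networks - networks with at least one probe response on `port`
    callback_networks   - networks that completed a connection on `port`
    silent_networks     - responded to the probe but never called back (possibly filtered)
    """
    devices = {r.src for r in records}
    probed = set()
    called_back = set()
    for r in records:
        if r.port != port:
            continue
        net = ipaddress.ip_network(f"{r.src}/{prefix}", strict=False)
        if r.stage == "probe":
            probed.add(net)
        elif r.stage == "callback":
            called_back.add(net)
    return {
        "unique_devices": len(devices),
        "responding_networks": len(probed),
        "callback_networks": len(called_back),
        "silent_networks": len(probed - called_back),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key:20s} {value}")
```

On the constructed sample this reports 5 devices, 3 responding networks, 2 networks that called back and 1 that stayed silent; on real sinkhole data the silent set is the one to hand to network owners, since a missing callback does not prove the device is clean.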


News URL

http://feedproxy.google.com/~r/Securityweek/~3/ixSjU_Tep3w/hundreds-networks-still-host-devices-infected-vpnfilter-malware