Thousands of networks still have devices infected with the infamous VPNFilter malware, which caused a stir in the cybersecurity community in 2018, new research from Trend Micro reveals.
Mainly focused on Ukraine, the malware, designed to infect routers and certain network-attached storage devices, drew attention because it targeted over 50 device models, including those from ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL, and ZTE. It can steal data, contains a "kill switch" designed to disable the infected router on command, can monitor Modbus SCADA protocol traffic, and persists even if the user reboots the router. The FBI believes the malware was developed by the Fancy Bear APT group, thought to be linked to Russia. According to estimates, as of May 2018 at least 500,000 devices in 54 countries were infected with this malware.
“While VPNFilter gained considerable attention and became a threat when it was first discovered, this happened back in 2018. This means that several mitigation tactics have already been used to render VPNFilter essentially offline. With domain seizures and every action taken to stop the malware, therefore, it is worth asking why there are still infections out there,” Trend Micro said.
To determine whether the VPNFilter botnet remains a serious threat, the researchers reached out to The Shadowserver Foundation, a nonprofit security organization which, together with Cisco Talos, the FBI, and the US Department of Justice, sinkholed one of VPNFilter's command and control domains (toknowall[.]com).
“When Shadowserver started the sinkhole, they saw an initial spike of over 14,000 networks infected in the first two months; over time, that has been reduced to 5,447. This shows that even after over two years, there is still a sizeable number of infections left. Most notably, at this rate, the infections will likely still be around for years to come, until perhaps these devices are physically swapped out — a common trend in IoT botnets,” the researchers wrote.
The highest numbers of infections have been seen in Ukraine (18.42%), the US (14.48%), Italy (10.26%), the United Kingdom (8.05%), France (7.26%), and Taiwan (5.31%).
The security researchers also decided to check how many infected hosts would respond to a new C&C IP address under their control, and how many of the devices were still waiting for a second-stage payload. For this purpose the researchers crafted a packet containing the IP address of their second-stage server and sent it to the infected hosts. 1,801 networks responded to it, while 363 of those networks connected back to the sinkhole on TCP port 443.
“Although only 363 networks connected back to our sinkhole, we cannot assume that the 1,801 networks that gave us an initial positive response are clean. They might still be infected by VPNFilter, but the connection to our sinkhole could have been blocked if they are behind a firewall,” the researchers said.
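The infection figures above are counts of unique networks seen at a sinkhole, not raw connection hits, and the researchers note that callbacks blocked by a firewall make such a count a lower bound. The following is an added example (not Trend Micro's or Shadowserver's code) of how a defender running a sinkhole would reduce its connection log to per-country unique-network counts and shares in the style of the report. The log format, the /24 (IPv4) and /64 (IPv6) aggregation, and the sample lines are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sinkhole log: "<timestamp> <source IP> <destination port> <country>".
# These are documentation-range addresses, not real VPNFilter victims.
SAMPLE_LOG = """\
2020-11-01T10:00:01Z 203.0.113.10 443 UA
2020-11-01T10:00:05Z 203.0.113.77 443 UA
2020-11-01T10:01:09Z 198.51.100.5 443 US
2020-11-01T10:02:30Z 198.51.100.5 443 US
2020-11-01T10:03:11Z 192.0.2.44 443 IT
2020-11-01T10:04:00Z 192.0.2.200 80 IT
2020-11-01T10:05:42Z 198.51.101.130 443 US
2020-11-01T10:06:00Z malformed line
"""


def parse_records(text, port=443):
    """Yield (network, country) for each well-formed record that hit `port`.

    Hosts are folded into a network prefix (/24 for IPv4, /64 for IPv6, an
    assumed convention) so that repeated callbacks from one site count once.
    Malformed lines and hits on other ports are skipped rather than raised.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated log lines
        _ts, ip, dport, country = parts
        try:
            addr = ipaddress.ip_address(ip)
            if int(dport) != port:
                continue
        except ValueError:
            continue  # unparsable address or port
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        yield str(net), country


def count_networks(text, port=443):
    """Return (total unique networks, Counter of unique networks per country)."""
    seen = set()
    per_country = Counter()
    for net, country in parse_records(text, port):
        if net in seen:
            continue  # same network seen before: do not double count
        seen.add(net)
        per_country[country] += 1
    return len(seen), per_country


def country_shares(text, port=443):
    """Percentage of unique infected networks per country, rounded to 2 places."""
    total, per_country = count_networks(text, port)
    if total == 0:
        return {}
    return {c: round(100 * n / total, 2) for c, n in per_country.items()}


if __name__ == "__main__":
    total, per_country = count_networks(SAMPLE_LOG)
    print(f"unique networks calling back on TCP/443: {total}")
    for country, share in sorted(country_shares(SAMPLE_LOG).items()):
        print(f"  {country}: {per_country[country]} networks ({share}%)")
```

In the sample, two Ukrainian hosts in one /24 and two hits from one US host each collapse to a single network, and the hit on port 80 is ignored because the malware's callback in the report is on TCP 443. A real deployment would replace the inline string with the sinkhole's connection log and its own prefix or ASN mapping.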
“While it's not likely to have the malicious actor still on infected systems, the malware can still have a potential negative impact. With just a bit of understanding, another malicious actor can have the botnet reactivated,” Trend Micro warned.