Cybersecurity researchers at watchTowr have uncovered a disturbing finding: over 4,000 live hacker backdoors that depend on abandoned infrastructure and expired domains. These backdoors, which act as pre-existing entry points on compromised systems, have allowed new threat actors to exploit previous breaches, potentially leading to devastating consequences for various government and educational institutions around the world.
The investigation initiated by watchTowr involved registering more than 40 expired domains previously used by hackers and setting up logging servers to monitor incoming requests. This meticulous approach resulted in the collection of 300MB of data, unveiling a wide network of compromised hosts, including government-owned systems in countries like Bangladesh, China, and Nigeria. The findings shed light on the concerning trend of attackers leveraging abandoned backdoors left by other hackers, essentially enabling a scenario termed “hacking-on-autopilot.”
One particularly noteworthy discovery from the research was a backdoor associated with the infamous Lazarus Group, a hacking collective linked to North Korea. This specific backdoor was found to be present in over 3,900 unique compromised domains. It loads a .gif image from the attacker's domain, so once that domain pointed at watchTowr's logging server, each request leaked the location of a compromised system.
To delve deeper into the technical aspects of these findings, it is crucial to understand the concept of web shells. These small pieces of code are discreetly placed on web servers after a successful breach, serving as remote control panels for attackers. Historically, many of these web shells included mechanisms that established communication with specific domains controlled by the attacker. However, when these domains expired and were re-registered by others, the communication links were unwittingly redirected, exposing compromised systems to unexpected recipients.
In some instances, older web shell versions like “r57shell” and “c99shell” still remain in use, carrying inherent vulnerabilities that could be exploited both by new attackers and by the shells' original authors. This complex interplay underscores the chaotic approach to security within the hacking community itself, inadvertently leading to compromised systems and sensitive data leaks.
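The two paragraphs above describe the defender-relevant property of these shells: a hardcoded callback to an external domain, plus recognisable family names such as r57shell and c99shell. The following scanner is an added example written for this article (it is not watchTowr's code or tooling) that walks a web root and flags PHP files containing either a known family marker or an outbound fetch/execution call combined with a URL to a host outside a site allowlist. The marker list, the allowlist (`cdn.example.org`), the `.invalid` callback host and the sample files are all constructed for the demonstration.

```python
import os
import re
import tempfile

# Constructed indicator lists for the example; a real deployment would maintain its own.
KNOWN_SHELL_MARKERS = ("r57shell", "c99shell")
# Hosts this site legitimately fetches from; any other embedded callback host is suspicious.
ALLOWED_HOSTS = {"cdn.example.org"}

# Hostname inside an http(s) URL literal.
URL_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)
# PHP functions typically used by shells for outbound fetches or dynamic execution.
CALLBACK_FUNCS = re.compile(
    r"\b(file_get_contents|curl_init|fsockopen|eval|base64_decode)\s*\(", re.IGNORECASE
)

# Constructed sample files: a benign page and a beacon-only fragment carrying a family marker.
SAMPLE_BENIGN = "<?php echo file_get_contents('https://cdn.example.org/lib.js'); ?>\n"
SAMPLE_BEACON = (
    "<?php /* c99shell */ "
    "$x = @file_get_contents('http://expired-attacker-domain.invalid/beacon.gif'); ?>\n"
)


def scan_source(text):
    """Return a list of findings for one PHP source text (empty list means clean)."""
    findings = []
    lower = text.lower()
    for marker in KNOWN_SHELL_MARKERS:
        if marker in lower:
            findings.append(f"known web shell family marker: {marker}")
    hosts = {h.lower() for h in URL_RE.findall(text)}
    external = sorted(h for h in hosts if h not in ALLOWED_HOSTS)
    # A non-allowlisted host only matters when the file can actually reach out or execute.
    if external and CALLBACK_FUNCS.search(text):
        findings.append("callback to external host(s): " + ", ".join(external))
    return findings


def scan_webroot(root):
    """Walk a web root and map each suspicious PHP file (relative path) to its findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_source(fh.read())
            if findings:
                results[os.path.relpath(path, root)] = findings
    return results


def build_sample_webroot():
    """Create a temporary web root with the constructed sample files and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_BENIGN)
    with open(os.path.join(root, "uploads", "cache.php"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_BEACON)
    return root


if __name__ == "__main__":
    for rel_path, found in scan_webroot(build_sample_webroot()).items():
        print(rel_path)
        for item in found:
            print("  -", item)
```

The allowlist is what keeps the check useful: a site fetching from its own CDN is normal, while a fetch to a host nobody on the team recognises, especially one whose registration has lapsed, is exactly the situation the research describes. Any external host flagged this way is worth checking against domain registration data before deciding whether the callback is dormant, hijacked, or still controlled by the original attacker.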
Furthermore, the research report from watchTowr emphasizes the critical need for responsible infrastructure management and heightened awareness regarding the risks associated with abandoned and expired domains. The vulnerability of government institutions, as evidenced by compromised systems in entities like the Federal High Court of Nigeria, underscores the urgency of addressing these security lapses.
As the watchTowr team warns that the same problem extends to software updates, cloud infrastructure, and SSLVPN appliances, the case for proactive measures to safeguard against cyber threats becomes increasingly apparent. Additionally, the collaboration with The Shadowserver Foundation to sinkhole the implicated domains underscores the significance of collaborative efforts in mitigating potential risks and preventing further exploitation.
In conclusion, the research conducted by watchTowr serves as a stark reminder of the evolving landscape of cybersecurity threats and the need for continuous vigilance against malicious activities targeting vulnerable systems. By shedding light on the exploitation of abandoned backdoors and expired domains, this research underscores the critical importance of proactive security measures and responsible infrastructure management in an increasingly interconnected digital environment.