
Numerous Live Hacker Backdoors Discovered in Expired Domains


Cybersecurity researchers at watchTowr have uncovered over 4,000 live hacker backdoors that rely on abandoned infrastructure and expired domains. These backdoors act as pre-existing entry points on already-compromised systems, so anyone who takes over the expired domains inherits access obtained in earlier breaches, with potentially serious consequences for government and educational institutions around the world.

The investigation involved registering more than 40 expired domains previously used by hackers and setting up logging servers to record incoming requests. This approach yielded 300MB of data and revealed a wide network of compromised hosts, including government-owned systems in countries such as Bangladesh, China, and Nigeria. The findings illustrate a concerning trend of attackers leveraging abandoned backdoors left by other hackers, a scenario the researchers term “hacking-on-autopilot.”

One particularly noteworthy discovery was a backdoor associated with the Lazarus Group, a hacking collective linked to North Korea. This backdoor was present on over 3,900 unique compromised domains, and it leaks the location of each compromised system to whoever controls the callback domain by loading a .gif image from that server, which in this case was the researchers' logging server.

To understand the technical side of these findings, it helps to know what a web shell is. A web shell is a small piece of code placed on a web server after a successful breach, serving as a remote control panel for the attacker. Historically, many web shells included mechanisms that contacted specific domains controlled by the attacker. When those domains expired and were re-registered by others, the callbacks were unwittingly redirected, exposing the compromised systems to whoever now held the domain.
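The callback behaviour described above, and the .gif beacon mentioned earlier, mean that a re-registered domain's web server log becomes an inventory of victims. The following is an added example (not watchTowr's code) of how a sinkhole operator would triage such a log for victim notification: it parses constructed Combined Log Format lines and groups beacon requests by the Referer host, on the assumption that the web shell page that loaded the image populates the Referer header; the beacon path and all hosts are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log lines (Combined Log Format), as a re-registered
# callback domain's logging server might record them. All hosts, IPs and
# paths are illustrative placeholders, not values from the research.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:09:12:01 +0000] "GET /img/beacon.gif HTTP/1.1" 200 43 "http://court.example.org/uploads/shell.php" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2025:09:13:44 +0000] "GET /img/beacon.gif HTTP/1.1" 200 43 "http://court.example.org/uploads/shell.php" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2025:14:02:09 +0000] "GET /img/beacon.gif HTTP/1.1" 200 43 "https://campus.example.net/tmp/c99.php?act=ls" "Mozilla/5.0"
192.0.2.55 - - [11/Jan/2025:14:05:30 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/8.0"
"""

# Combined Log Format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def beacon_victims(log_text, beacon_path="/img/beacon.gif"):
    """Group beacon requests by Referer host (the site whose web shell loaded
    the image). Returns {host: {"hits", "ips", "shell_paths", "first", "last"}}."""
    victims = defaultdict(lambda: {"hits": 0, "ips": set(), "shell_paths": set(),
                                   "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Ignore unparseable lines and requests for anything but the beacon.
        if not rec or not rec["path"].startswith(beacon_path):
            continue
        ref = urlparse(rec["referer"])
        if not ref.hostname:
            continue  # no usable Referer: the request cannot be attributed to a victim site
        v = victims[ref.hostname]
        v["hits"] += 1
        v["ips"].add(rec["ip"])
        v["shell_paths"].add(ref.path)  # where the web shell lives on the victim
        v["first"] = v["first"] or rec["ts"]
        v["last"] = rec["ts"]
    return dict(victims)
```

A real sinkhole log would also want the source IP and the Referer host cross-checked, since the two may legitimately differ behind proxies or shared hosting.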

In some instances, older web shells such as “r57shell” and “c99shell” remain in use, and they carry weaknesses that can be exploited both by new attackers and by their original authors. This interplay underscores the chaotic approach to security within the hacking community itself, which in turn leads to further compromised systems and leaks of sensitive data.

The watchTowr report emphasizes the need for responsible infrastructure management and greater awareness of the risks posed by abandoned and expired domains. The exposure of government institutions, evidenced by compromised systems at entities such as the Federal High Court of Nigeria, underscores the urgency of addressing these lapses.

The watchTowr team warns that the same problem persists in other areas, including software updates, cloud infrastructure, and SSLVPN appliances, making proactive measures all the more important. Its collaboration with The Shadowserver Foundation to sinkhole the implicated domains also shows the value of coordinated efforts in containing the risk and preventing further exploitation.

In conclusion, the watchTowr research is a stark reminder of the evolving cybersecurity threat landscape and of the need for continuous vigilance. By exposing how abandoned backdoors and expired domains can be exploited, it underscores the importance of proactive security measures and responsible infrastructure management in an increasingly interconnected digital environment.
