Thousands of Live Hacker Backdoors Found in Expired Domains


SUMMARY

  • Cybersecurity firm watchTowr discovered over 4,000 active hacker backdoors relying on expired domain names.
  • These backdoors are pre-existing entry points on already compromised systems, allowing new actors to exploit previous breaches.
  • By registering these expired domains, watchTowr observed compromised systems “phoning home,” including government hosts in multiple countries.
  • The research highlights a concerning trend of attackers exploiting abandoned backdoors left by other hackers, creating a “hacking-on-autopilot” scenario.
  • Many older web shells, tools used for remote access, contain built-in mechanisms that unintentionally expose compromised systems through callbacks to now-expired domains.

Cybersecurity researchers at watchTowr have identified over 4,000 live hacker backdoors that rely on abandoned infrastructure and expired domains. Hidden in compromised systems worldwide, these backdoors expose a large network of vulnerable government and educational institutions.

The investigation began when watchTowr registered over 40 expired domains, previously used by hackers, and set up logging servers to track incoming requests. The team collected 300MB of data, revealing a network of compromised hosts, including government-owned systems in Bangladesh, China, Nigeria, and more.

The researchers discovered that hackers had been using these abandoned backdoors to gain access to thousands of systems without spending any effort on identifying and compromising those systems themselves. The researchers describe this as a “mass-hacking-on-autopilot” approach: whoever controls the callback domain can commandeer and control the already compromised hosts, potentially with devastating consequences.

One notable example, according to watchTowr’s technical report shared with Hackread.com, is a backdoor linked to the Lazarus Group, a notorious hacking collective associated with North Korea. The researchers found over 3,900 unique compromised domains using this backdoor, which was designed to load a .gif image from the logging server, leaking the location of the compromised system.

Simple Explanation

To understand this better, consider the concept of a “web shell.” These are essentially small snippets of code secretly placed on a web server after a successful breach. They act as remote control panels, allowing attackers to execute commands, manage files, and even deploy further malicious tools.

Historically, these web shells often included mechanisms that “phoned home” to a specific domain or server controlled by the attacker. When that domain expires and is re-registered by someone else, those “phone calls” are now answered by an unexpected recipient.

Older web shells, like the infamous “r57shell” and “c99shell,” while outdated, still appear to be in use. Interestingly, some of these older shells even contained built-in backdoors for the shell’s creator. This meant that even if the initial attacker secured their access with a password, the original author could still gain entry using a secret “master key.” This highlights a history of the hacking community itself having a somewhat chaotic approach to security.

In one example, researchers observed a web shell constantly sending the login credentials (in plain text!) to a domain that watchTowr now controlled. The attacker believed they had secured their access, but the very tool they were using was betraying them.
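The research described above rests on a sinkhole: a re-registered callback domain whose web server logs every “phone home” request. The following is an added example (not watchTowr’s tooling) of how a defender running such a sinkhole can triage the log: it groups callbacks by the compromised site that embedded the beacon (the Referer host, as with the .gif trick), flags government and education hosts for priority notification, and redacts credential-looking query values so that a shell which leaks its own login, as in the example above, does not turn the sinkhole into a credential store. The log lines, hostnames and IPs are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qsl, urlencode, urlunparse

# Constructed sample lines in combined log format, as a sinkhole for a
# re-registered callback domain might record them; all hosts/IPs are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:08:01:02 +0000] "GET /img/track.gif HTTP/1.1" 200 43 "http://portal.example.gov.bd/login.php" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2025:08:03:07 +0000] "GET /img/track.gif HTTP/1.1" 200 43 "http://portal.example.gov.bd/login.php" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:08:05:11 +0000] "GET /report.php?login=admin&pass=Secret123&host=shell.example.edu HTTP/1.1" 200 12 "-" "curl/8.0"
192.0.2.55 - - [10/Jan/2025:08:06:00 +0000] "GET /img/track.gif HTTP/1.1" 200 43 "https://www.example.com/uploads/c99.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Query keys whose values are never kept: a shell that leaks its own login
# must not turn the sinkhole into a credential store.
SENSITIVE_KEYS = {"pass", "password", "passwd", "pwd", "login", "user", "token"}
# Labels that mark a victim as a government/education host needing priority notification.
PRIORITY_LABELS = {"gov", "edu", "mil"}

def redact_query(path):
    """Return the request path with credential-looking query values replaced."""
    parts = urlparse(path)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunparse(parts._replace(query=urlencode(cleaned)))

def is_priority_host(host):
    """True for hostnames containing a gov/edu/mil label anywhere (e.g. x.gov.bd)."""
    return bool(PRIORITY_LABELS & set(host.lower().split(".")))

def triage(log_text):
    """Group callbacks by compromised site: the Referer host that embedded the
    beacon (the .gif trick), or the client IP when no Referer is sent."""
    report = defaultdict(lambda: {"hits": 0, "paths": set(), "priority": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ref_host = urlparse(m["referer"]).hostname if m["referer"] != "-" else None
        key = ref_host or m["ip"]
        entry = report[key]
        entry["hits"] += 1
        entry["paths"].add(redact_query(m["path"]))
        entry["priority"] = entry["priority"] or is_priority_host(key)
    return dict(report)
```

Feeding a real sinkhole log through `triage` yields a per-victim summary that can be handed to a notifier such as the sinkhole operator mentioned in the article, without the raw credentials ever leaving the log file.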

Image: one of the sites with a live shell, in this case a c99shell (via watchTowr).

The report also highlights the vulnerability of government institutions, with compromised systems found in the Federal High Court of Nigeria and other government entities. The researchers emphasize that these findings demonstrate the importance of responsible infrastructure management and the need for increased awareness about the risks of abandoned and expired domains.

Dangerous Situation

The watchTowr team warns that problems like this will persist, with consequences for software updates, cloud infrastructure, and SSL VPN appliances. The report also notes that attackers make mistakes of their own, as shown by separate research from vpnMentor. That research identified high-profile groups, such as ShinyHunters and Nemesis, that exploited AWS buckets to steal over 2 terabytes of sensitive data; in the process, the groups inadvertently exposed their own S3 buckets.

The good news is that The Shadowserver Foundation has agreed to take ownership of the implicated domains and sinkhole them, preventing further exploitation. The watchTowr team’s research remains a reminder that abandoned and expired domains are an active risk that responsible infrastructure management has to address.
