Shadow IT has long been a pressing concern for Chief Information Security Officers (CISOs). Forgotten systems, infrastructure, or hardware connected to enterprise networks often resurface as entry points for data breaches or compromises years later. However, new findings from watchTowr Labs reveal that this issue extends beyond enterprise networks, offering a unique opportunity to exploit the sloppy practices of malicious hackers themselves.
In a recent post, watchTowr Labs CEO Benjamin Harris and researcher Aliz Hammond unveiled their discovery of thousands of live backdoors used by hackers, accessed through abandoned infrastructure and expired domains.
“Put simply — we have been hijacking backdoors (that were reliant on now-abandoned infrastructure and/or expired domains) that themselves existed inside backdoors, and have since been watching the results flood in,” Harris and Hammond wrote.
Their method involved identifying and purchasing expired domains — often costing as little as $20 — that older web shells still called back to. By pointing these domains at a logging server under their own control, the team recorded the incoming traffic from compromised hosts.
Among the attackers’ missteps were unprotected or poorly secured web shells, many of which contained code that enabled researchers to overwrite hardcoded passwords with their own credentials. This allowed watchTowr Labs to monitor and document compromised hosts without illegal interference.
The researchers uncovered a vast network of backdoors, impacting thousands of victims worldwide. For instance, one backdoor tied to a previous Lazarus Group operation connected to over 3,900 unique compromised domains. Victims included government organizations in Bangladesh, China, and Nigeria, as well as universities across China, Thailand, and South Korea.
Interestingly, much of the attacker traffic appeared to originate from Chinese and Hong Kong IP addresses, targeting Chinese organizations. However, Harris and Hammond noted this could reflect their sample size and emphasized that hackers often use proxy infrastructure in other countries.
Throughout their research, watchTowr Labs took care to remain within legal boundaries. “These requests were coming to us, we didn’t manipulate systems into communicating with us, and we certainly did not respond with code to be evaluated,” the researchers clarified. The compromised domains were ultimately handed over to the nonprofit Shadowserver Foundation, which converted them into a sinkhole to prevent further misuse.
This project sheds light on the vulnerabilities stemming from abandoned and expired infrastructure. “As the Internet ages, and as we begin to truly understand the scope of impact for abandoned and expired infrastructure, we’re likely to see problems like this continue,” Harris and Hammond wrote.
Despite the serious implications, the findings also offer a silver lining. “It’s somewhat encouraging to see that attackers make the same mistakes as defenders,” the researchers noted, adding that vulnerabilities such as expired domains and unprotected web shells show attackers are not infallible.
The work by watchTowr Labs underscores the importance of vigilance in cybersecurity, highlighting that shadow IT — whether in enterprise environments or hacker operations — remains a critical issue. As Harris and Hammond humorously concluded, “Perhaps attackers need to attend more Washington D.C. cybersecurity conferences for tips on properly managing their shadow IT.”