Researchers hijacked thousands of expired domains

Malicious hackers may have their own shadow IT problem, according to a recent discovery by watchTowr Labs. CEO Benjamin Harris and researcher Aliz Hammond revealed they successfully identified entry points into thousands of live backdoors used by hackers through the interconnected infrastructure they leave behind. The researchers hijacked backdoors reliant on abandoned infrastructure or expired domains.

This allowed them to track compromised hosts as they reported in and potentially commandeer and control these hosts. Attackers often leave behind old web shells containing code snippets that could be used to identify and compromise newer, active web shells and domains in ongoing hacking campaigns. While these shells are usually password protected, the researchers used the extract function to overwrite the hardcoded password with their own login credentials.

Harris and Hammond purchased and pointed these expired domains at their logging server, which only logged incoming requests before responding with a 404 error. Among the victims spotted were government organizations in Bangladesh, China, and Nigeria, as well as universities in China, Thailand, and South Korea. The researchers claim to have access to 4,000 backdoors, with the number of victims compromised through those backdoors likely exponentially higher.
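To make the logging-server behaviour concrete, here is an added illustration (not watchTowr's code) of a passive sinkhole: it records what a beaconing host reveals, keyed by the Host header so each hijacked domain can be told apart, and answers every request with an empty 404 so nothing is ever sent back for the beacon to evaluate. The port, log store and sample hostnames are assumptions.

```python
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

LOG = []  # in-memory log; a real deployment would write to a file or SIEM


def build_log_record(client_ip, method, path, headers, body_len=0):
    """Record what a beaconing host reveals, without acting on any of it."""
    return {
        "ts": int(time.time()),
        "client_ip": client_ip,
        "host": headers.get("Host", "").lower(),  # which expired domain was called
        "method": method,
        "path": path,
        "user_agent": headers.get("User-Agent", ""),
        "body_len": body_len,  # size only; the body is never parsed or executed
    }


class SinkholeHandler(BaseHTTPRequestHandler):
    """Log-only handler: every method gets the same empty 404."""

    def _sink(self):
        length = int(self.headers.get("Content-Length") or 0)
        if length:
            self.rfile.read(length)  # drain the body so the connection closes cleanly
        LOG.append(build_log_record(self.client_address[0], self.command,
                                    self.path, self.headers, length))
        self.send_response(404)
        self.send_header("Content-Length", "0")  # no body, nothing to evaluate
        self.end_headers()

    do_GET = do_POST = do_HEAD = do_PUT = _sink

    def log_message(self, fmt, *args):  # keep stderr quiet; LOG is the record
        pass


def beacons_per_domain(records):
    """Count beacons per hijacked domain to see which expired domain is busiest."""
    counts = {}
    for rec in records:
        counts[rec["host"]] = counts.get(rec["host"], 0) + 1
    return counts


if __name__ == "__main__":
    # Assumed listener port; point the re-registered domains' A records here.
    HTTPServer(("0.0.0.0", 8080), SinkholeHandler).serve_forever()
```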

A single backdoor seemingly left over from a prior Lazarus Group operation was connected to more than 3,900 unique compromised domains.

Hijacking backdoors via expired domains

Much of the attacker traffic captured by watchTowr appeared to come from Chinese and Hong Kong IP addresses and was directed at Chinese targets.

However, the researchers noted this could reflect the sample size they collected and that setting up proxy infrastructure in other countries is a common tactic for malicious hacking groups. Harris and Hammond emphasized they were careful not to cross any legal lines during their research. They did not manipulate systems into communicating with them or respond with code to be evaluated.

They also obfuscated compromised hostnames and other technical details. The domains purchased by watchTowr were handed over to the nonprofit Shadowserver Foundation, which turned them into a sinkhole. The researchers concluded that as the Internet ages and we begin to fully grasp the impact of abandoned and expired infrastructure, issues like these are likely to persist.

“It is somewhat encouraging to see that attackers make the same mistakes as defenders,” Harris and Hammond wrote. “It’s easy to slip into the mindset that attackers are infallible, but we saw evidence to the contrary — boxes with open web shells, expired domains, and backdoored software. Perhaps the playing field is more level than we thought.”
