Cyber security news for all

    Expired Domains Exploited to Command Over 4,000 Breached Systems

    A staggering 4,000 distinct web backdoors, initially deployed by an array of cyber adversaries, have been subverted by seizing control of lapsed and abandoned domains—some acquired for as little as $20 apiece.

    Cybersecurity firm watchTowr Labs orchestrated this feat by registering over 40 domain names that these backdoors relied upon for command-and-control (C2) communications. In collaboration with the Shadowserver Foundation, these domains have been “sinkholed” to neutralize their functionality.

    “We commandeered backdoors dependent on now-defunct infrastructure and expired domains, observing compromised systems flooding in as they ‘checked back,’” explained watchTowr Labs CEO Benjamin Harris and researcher Aliz Hammond in a detailed technical disclosure last week. “This approach granted us the theoretical capability to take control of these compromised systems.”

    The affected systems, as revealed through beaconing patterns, include governmental entities from Bangladesh, China, and Nigeria, alongside academic institutions scattered across China, South Korea, and Thailand.
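The "checking back" behaviour described above is also what a defender can hunt for on their own network: a host that contacts the same external domain on a fixed schedule, or that contacts a domain known to be expired or sinkholed. The following is an added example (not watchTowr's or Shadowserver's tooling) that runs that check over a constructed outbound proxy log. The domain names in `SINKHOLED_DOMAINS` and the log lines are placeholders made up for the example; a real watch list would come from the sinkhole operator or threat intelligence.

```python
"""Flag hosts that keep checking back to expired or sinkholed C2 domains.

Added example, not code from the article or from watchTowr Labs.
Input is a constructed proxy log: "<ISO timestamp> <src host> <dst host> <path>".
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Placeholder watch list (constructed). In practice this is the list of domains
# a sinkhole operator or threat-intel feed reports as expired/sinkholed C2.
SINKHOLED_DOMAINS = {"expired-c2.example", "old-shell-update.example"}

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")  # ts src dst path

# Constructed sample log: 10.0.0.5 beacons every 5 minutes to a watch-listed
# domain, 10.0.0.7 fetches a library twice at irregular times, 10.0.0.9 makes a
# single request to another watch-listed domain.
SAMPLE_LOG = """\
2025-01-10T10:00:00 10.0.0.5 expired-c2.example /gate.php
2025-01-10T10:05:00 10.0.0.5 expired-c2.example /gate.php
2025-01-10T10:10:00 10.0.0.5 expired-c2.example /gate.php
2025-01-10T10:15:00 10.0.0.5 expired-c2.example /gate.php
2025-01-10T10:02:13 10.0.0.7 cdn.vendor.example /lib.js
2025-01-10T11:47:02 10.0.0.7 cdn.vendor.example /lib.js
2025-01-10T10:00:30 10.0.0.9 old-shell-update.example /x
"""


def parse(log_text):
    """Yield (timestamp, src, dst, path) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, path = m.groups()
        yield datetime.fromisoformat(ts), src, dst.lower(), path


def matches_watchlist(host):
    """True if host equals, or is a subdomain of, a watch-listed domain."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in SINKHOLED_DOMAINS for i in range(len(parts)))


def find_beacons(log_text, min_hits=3, max_jitter=0.2):
    """Return [(src, dst, reasons)] for src->dst pairs worth a look.

    A pair is reported when the destination is on the watch list and/or the
    contact times are regular enough (relative std-dev of the gaps <= max_jitter)
    to look like a scheduled check-in.
    """
    series = defaultdict(list)
    for ts, src, dst, _ in parse(log_text):
        series[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in series.items():
        reasons = []
        if matches_watchlist(dst):
            reasons.append("watchlist")
        times.sort()
        if len(times) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            jitter = statistics.pstdev(gaps) / mean if mean else 0.0
            if jitter <= max_jitter:
                reasons.append(f"periodic every {mean:.0f}s")
        if reasons:
            findings.append((src, dst, reasons))
    return findings


if __name__ == "__main__":
    for src, dst, reasons in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

The periodicity test is deliberately simple (coefficient of variation of the inter-request gaps); real shells add jitter, so in production you would widen `max_jitter` or use a longer window, and the watch-list match is the higher-confidence signal of the two.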

    Multifaceted Web Shells in Use

    These backdoors—primarily web shells designed for sustained remote access to compromised networks—display a range of capabilities and complexity, such as:

    • Basic PHP-driven web shells enabling the execution of attacker-supplied commands.
    • c99shell and r57shell, robust frameworks capable of arbitrary code execution, file manipulation, deployment of secondary payloads, brute-forcing FTP credentials, and self-eradication from infiltrated systems.
    • China Chopper, a lightweight yet potent tool frequently linked to China-based advanced persistent threat (APT) groups.

    Interestingly, watchTowr Labs identified scenarios where these web shells themselves harbored backdoors introduced by their script developers. This secondary compromise inadvertently exposed critical information about deployment locations, granting additional attackers unauthorized access.
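The web shells listed above share a small set of traits that a file-system triage can look for: a PHP code-execution function whose argument comes straight from the request, a decode-then-execute chain, error suppression on that call, or a very long encoded literal. The following is an added example (not the article's or watchTowr's code) that scores PHP sources on those indicators. The sample files are constructed inline; the weights and threshold are assumptions to tune per environment.

```python
"""Triage PHP files for common web-shell indicators.

Added example, not code from the article or from watchTowr Labs. Scores are
heuristic: they rank files for a human to inspect, they do not prove anything.
"""
import re

SUPERGLOBAL = r"\$_(?:POST|GET|REQUEST|COOKIE|SERVER)"
EXEC_FUNCS = r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)"

# (name, compiled pattern, weight). Weights are assumptions for this example.
INDICATORS = [
    # execution function whose argument is taken directly from a request variable
    ("exec_of_request_input",
     re.compile(EXEC_FUNCS + r"\s*\(\s*[^;]*?" + SUPERGLOBAL, re.I), 5),
    # decode-then-execute chain typical of obfuscated shells
    ("decode_then_exec",
     re.compile(EXEC_FUNCS + r"\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I), 4),
    # '@' suppresses errors so a failing exec call leaves nothing in server logs
    ("suppressed_exec",
     re.compile(r"@\s*" + EXEC_FUNCS + r"\s*\(", re.I), 2),
    # a single very long base64-looking literal (packed payload)
    ("long_b64_literal",
     re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"), 2),
]


def scan_source(src):
    """Return (score, [indicator names]) for one PHP source string."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(src)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def triage(files, threshold=4):
    """Return the sorted paths whose score reaches the threshold."""
    return sorted(path for path, src in files.items() if scan_source(src)[0] >= threshold)


# Constructed sample files: one ordinary form handler, one helper, and one
# minimal China Chopper-style one-liner planted under an upload directory.
SAMPLE_FILES = {
    "contact.php": "<?php $name = htmlspecialchars($_POST['name'] ?? ''); echo \"Hi $name\"; ?>",
    "inc/helper.php": "<?php function esc($s) { return htmlspecialchars($s); } ?>",
    "uploads/.cache.php": "<?php @eval($_POST['p']); ?>",
}


if __name__ == "__main__":
    for path, src in SAMPLE_FILES.items():
        print(path, scan_source(src))
    print("review:", triage(SAMPLE_FILES))
```

Run it against a web root's `*.php` files (read each into the dict in place of `SAMPLE_FILES`) and review the hits in descending score order; pairing the result with file modification times and the web server's access log for those paths usually separates a planted shell from an unusual but legitimate script.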

    Echoes of an Earlier Discovery

    This development mirrors an earlier revelation by watchTowr Labs, where the team acquired an obsolete WHOIS server domain linked to the .mobi top-level domain (TLD) for a mere $20. Their findings uncovered more than 135,000 systems still communicating with the legacy server, even though the WHOIS service had long since moved to new infrastructure.

    The affected systems spanned private enterprises (including VirusTotal) and email servers belonging to governmental, military, and academic institutions worldwide. Impacted .gov addresses originated from countries such as Argentina, Bangladesh, Bhutan, Ethiopia, India, Indonesia, Israel, Pakistan, the Philippines, Ukraine, and the United States.

    Lessons from Attackers’ Oversights

    “Witnessing adversaries fall prey to their own missteps offers a peculiar form of solace,” watchTowr Labs remarked. “While defenders often assume attackers operate flawlessly, we observed clear evidence to the contrary—such as outdated web shells, expired domains, and compromised tools unwittingly backdoored.”

    This operation underscores a paradoxical vulnerability in cyber threat actors’ methodologies, demonstrating how negligence and oversight can undermine even the most malicious campaigns.
