Malicious hackers have their own shadow IT problem


Researchers at watchTowr Labs found that abandoned and expired internet infrastructure left by hacking groups can function as backdoors within other backdoors.

Every chief information security officer worth their salt spends time thinking about the problem of shadow IT in their enterprise: systems, hardware or infrastructure that were connected to the network years ago, for reasons no one can remember, then summarily forgotten until they resurface as the entry point in a data breach or compromise.

But new research from watchTowr Labs suggests that this problem may not be restricted to the business world or defenders, and that the sloppy work left behind by malicious hacking groups can — with some creative thinking and a $20 domain purchase — be turned against them.

In a post published Wednesday, watchTowr Labs CEO Benjamin Harris and researcher Aliz Hammond said they have successfully identified entry points into thousands of live backdoors being used by hackers through the interconnected infrastructure they leave behind.

“Put simply — we have been hijacking backdoors (that were reliant on now abandoned infrastructure and/or expired domains) that themselves existed inside backdoors, and have since been watching the results flood in,” Harris and Hammond wrote. “This hijacking allowed us to track compromised hosts as they ‘reported in’, and theoretically gave us the power to commandeer and control these compromised hosts.”


In many cases, attackers leave behind old web shells containing snippets of code that could be used to identify and compromise newer, active web shells and domains being used in ongoing hacking campaigns. While those shells are usually password protected, Harris and Hammond said using the extract function allowed them to overwrite the hardcoded password with their own login credentials.

The researchers then collected shells that referenced more than 40 different expired domains and purchased them, often for as low as $20 a pop, and “pointed our shiny new domains at our logging server, which did nothing other than log incoming requests before responding with a 404.”

Among the victims spotted were government organizations in Bangladesh, China and Nigeria, as well as universities in China, Thailand and South Korea. All told, they claim to have access to 4,000 backdoors. The number of victims compromised through those backdoors is likely far higher: a single backdoor seemingly left over from a prior Lazarus Group operation was connected to more than 3,900 unique compromised domains.
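The logging setup described two paragraphs up (log every request to the repurchased domain, answer with a bare 404) and the per-backdoor victim count above can be reproduced with a few dozen lines of Python. The block below is an added illustration, not watchTowr's code: it assumes the purchased domains resolve to this host, that the Host header identifies which domain a compromised machine was calling back to, and that requests are appended to a JSON-lines file; the sample log lines are constructed.

```python
"""Sinkhole for hijacked callback domains: log every request, reply 404 with no
body (never content a backdoor could evaluate), then count distinct reporting
hosts per domain. Added example; paths, port and sample data are assumptions."""
import json
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer

LOG_PATH = "sinkhole.jsonl"  # assumed log location


class SinkholeHandler(BaseHTTPRequestHandler):
    def _handle(self):
        # Drain any POST body so the client connection closes cleanly, but
        # record only its length; the content is never parsed or executed.
        body_len = int(self.headers.get("Content-Length") or 0)
        self.rfile.read(body_len)
        entry = {
            "src": self.client_address[0],
            "host": self.headers.get("Host", ""),
            "method": self.command,
            "path": self.path,
            "ua": self.headers.get("User-Agent", ""),
            "body_len": body_len,
        }
        with open(LOG_PATH, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
        self.send_response(404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_HEAD = _handle

    def log_message(self, *args):  # keep stderr quiet; the file is the record
        pass


def checkins_per_domain(log_lines):
    """Map each hijacked domain (Host header, port stripped) to the number of
    distinct source addresses that reported in."""
    seen = defaultdict(set)
    for line in log_lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        host = entry.get("host", "").split(":")[0].lower()
        if host:
            seen[host].add(entry["src"])
    return {host: len(srcs) for host, srcs in seen.items()}


SAMPLE_LOG = [  # constructed sample entries, not real sinkhole data
    '{"src": "203.0.113.5", "host": "expired-c2.example", "method": "POST", "path": "/gate.php"}',
    '{"src": "203.0.113.5", "host": "expired-c2.example", "method": "POST", "path": "/gate.php"}',
    '{"src": "198.51.100.7", "host": "expired-c2.example:80", "method": "GET", "path": "/x"}',
    '{"src": "192.0.2.9", "host": "old-loader.example", "method": "GET", "path": "/"}',
]

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), SinkholeHandler).serve_forever()
```

Run it under a non-privileged user behind a reverse proxy if the domains need port 80; the counting function works on the resulting file as well as on the in-memory sample.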

Much of the attacker traffic captured by watchTowr appeared to come from Chinese and Hong Kong IP addresses and was directed at “Chinese targets,” but the researchers stressed that this could be a product of the sample size they collected, and that setting up proxy infrastructure in other countries is a common tactic for malicious hacking groups.

Harris and Hammond stressed that they were careful not to cross the line into doing anything that could be considered illegal as part of their research, noting “these requests were coming to us, we didn’t manipulate systems into communicating with us, and we certainly did not respond with code to be evaluated.” They also obfuscated compromised hostnames and other technical details.


The domains purchased by watchTowr were handed over to the nonprofit Shadowserver Foundation, which turned them into a sinkhole.

Harris and Hammond wrote that the project underscores “that as the Internet ages, and as we begin to truly understand the scope of impact for abandoned and expired infrastructure, we’re likely to see problems like this continue.”

“We like to be semi-positive … it is somewhat encouraging to see that attackers make the same mistakes as defenders,” Harris and Hammond wrote. “It’s easy to slip into the mindset that attackers never slip up, but we saw evidence to the contrary — boxes with open web shells, expired domains, and the use of software that has been backdoored. Perhaps the playing field is more level than we thought.”

Perhaps attackers need to attend more Washington D.C. cybersecurity conferences for tips on properly managing their shadow IT.
