Hijacking Expired Domains: Gaining Control of Thousands of Compromised Systems 

Over 4,000 unique backdoors have been found that rely on expired or abandoned internet domains for communication, which makes them vulnerable to hijacking. Many of these backdoors sit on systems belonging to governments and academic institutions, leaving those organisations particularly exposed to cyberattacks. Once such a domain expires or is abandoned, anyone can buy it, often for as little as $20.

Security researchers discovered these weaknesses; the concern is that cybercriminals could exploit them. Criminals who hijack the backdoors could use them to steal data, disrupt services, or launch further attacks.

The cybersecurity company watchTowr Labs took proactive action to prevent further exploitation of these backdoors. It did this by purchasing over 40 domain names that the backdoors were programmed to connect to for command-and-control (C2), the channel attackers use to send instructions to malware or backdoors on compromised systems.

By controlling these domains, watchTowr Labs effectively intercepted the communication between the backdoors and the attackers. 

In collaboration with the Shadowserver Foundation, these domains were sinkholed: their traffic now lands on servers the defenders control, which log each connection instead of answering it with instructions. This allows cybersecurity teams to block harmful actions and monitor where the compromised systems are located, helping to prevent further damage and to identify affected systems.

watchTowr Labs also took control of hidden backdoors embedded within other backdoors. These inner backdoors were still trying to connect to abandoned or expired domains for instructions. By hijacking those domains, watchTowr Labs intercepted the communication and observed a large volume of traffic from compromised systems attempting to reach those servers.

By hijacking the abandoned domains, watchTowr Labs could monitor infected systems as they automatically connected back to receive commands. In effect, it held the same control over these compromised systems that the original attackers had.

The infected servers belong to government agencies in Bangladesh, China and Nigeria, and to academic institutions in China, South Korea, Thailand and other countries.

The backdoors are web shells: malicious scripts that give attackers remote access to compromised networks for further exploitation. They range from simple PHP scripts that execute attacker-supplied commands to more advanced tools such as c99shell and r57shell, which offer extensive control over a server. China Chopper, commonly used by China-linked advanced persistent threat (APT) groups, allows attackers to maintain long-term access and carry out complex operations on targeted systems.

c99shell and r57shell can execute arbitrary code or commands, deploy additional commands, perform file operations, brute-force FTP servers, and remove themselves from compromised hosts.

watchTowr Labs discovered that some web shells are scripted to report the locations at which they were deployed, unintentionally allowing other hackers to see and take control of them. Even the original attackers thus unknowingly exposed their tools to rival threat actors.
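The monitoring described above (a sinkholed domain logging check-ins, and shells that report their own deployed URL) is, on the defender's side, a log-triage problem: group beacons by source, extract whatever location the shell reports, and produce a list of hosts whose owners need notifying. The script below is an added example, not watchTowr Labs' or Shadowserver's code. It assumes the sinkhole runs a web server writing Apache "combined" access logs, that hijacked shells check in at a path named `/gate.php`, and that some report their deployed URL in a query parameter `u`; all three are assumptions for the example, and the log lines, addresses and hostnames are constructed.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample: Apache "combined" access-log lines as a sinkholed C2
# domain might record them. IPs are from the RFC 5737 documentation ranges
# and the hostnames use the reserved .example TLD; nothing here is a real indicator.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2025:08:12:01 +0000] "GET /gate.php?u=http%3A%2F%2Fportal.example.gov.example%2Fimg%2Fc99.php HTTP/1.1" 200 0 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jan/2025:08:17:03 +0000] "GET /gate.php?u=http%3A%2F%2Fportal.example.gov.example%2Fimg%2Fc99.php HTTP/1.1" 200 0 "-" "Mozilla/4.0"
203.0.113.42 - - [10/Jan/2025:08:20:44 +0000] "POST /gate.php HTTP/1.1" 200 0 "-" "-"
203.0.113.42 - - [10/Jan/2025:08:21:10 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.19 - - [10/Jan/2025:09:02:59 +0000] "GET /gate.php?u=http%3A%2F%2Fwww.example-uni.ac.example%2Fold%2Fr57.php HTTP/1.1" 200 0 "-" "-"
"""

# Assumption for this example: hijacked shells check in at /gate.php, and some
# report their own deployed URL in the "u" query parameter.
BEACON_PATHS = {"/gate.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    reported = parse_qs(parts.query).get("u", [None])[0]  # percent-decoded by parse_qs
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": parts.path,
        "reported_url": reported,
        "ua": m.group("ua"),
    }


def is_beacon(rec):
    """Keep only requests to the check-in endpoint; scanner and browser noise is dropped."""
    return rec is not None and rec["path"] in BEACON_PATHS


def triage(log_text):
    """Group beacons by source IP: first/last seen, count, reported URLs, user agents."""
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not is_beacon(rec):
            continue
        h = hosts.setdefault(rec["ip"], {
            "first_seen": rec["ts"], "last_seen": rec["ts"], "beacons": 0,
            "reported_urls": set(), "user_agents": set(),
        })
        h["first_seen"] = min(h["first_seen"], rec["ts"])
        h["last_seen"] = max(h["last_seen"], rec["ts"])
        h["beacons"] += 1
        if rec["reported_url"]:
            h["reported_urls"].add(rec["reported_url"])
        h["user_agents"].add(rec["ua"])
    return hosts


def affected_hostnames(hosts):
    """Hostnames the shells claim to be deployed on, sorted for owner notification."""
    names = set()
    for h in hosts.values():
        for url in h["reported_urls"]:
            name = urlsplit(url).hostname
            if name:
                names.add(name)
    return sorted(names)


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, h in sorted(report.items()):
        print(ip, h["beacons"], h["first_seen"].isoformat(), sorted(h["reported_urls"]))
    print("affected hosts:", affected_hostnames(report))
```

Two design points matter in practice: the sinkhole only records requests and returns nothing the shell could act on, so the triage works purely from what the victims volunteer; and the source IP and the reported URL are kept separate, because a shell behind a proxy or NAT reports a hostname that may not resolve to the beaconing address, and both are needed to reach the right owner.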

watchTowr Labs spent just $20 to purchase an old WHOIS server domain linked to the .mobi top-level domain (TLD). Although the registry's WHOIS server had migrated to a new domain, over 135,000 systems were still unknowingly querying the outdated one. These included private companies such as VirusTotal and the email servers of numerous government, military, and university organisations.
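The failure mode here is a client that hard-codes a TLD's WHOIS server name and never re-checks it, so it keeps talking to whoever later registers that name. The defensive check is to resolve the authoritative server from the IANA root WHOIS service (which answers queries on TCP port 43 per RFC 3912 and names the TLD's server in a `whois:` field) and compare it with what the client is configured to use. The code below is an added example, not watchTowr Labs' tooling: the sample IANA response and both server hostnames are constructed placeholders, and the configuration dictionary stands in for whatever a real client reads.

```python
import re
import socket

# Constructed sample shaped like an IANA root WHOIS answer for a TLD;
# the registry and server names are placeholders, not real records.
SAMPLE_IANA_RESPONSE = """\
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org

domain:       MOBI

organisation: Example Registry Operator

whois:        whois.current-registry.example

status:       ACTIVE
"""

# Invented client configuration that still names the registry's old server.
STALE_CONFIG = {"mobi": "whois.old-registry.example"}


def fetch_iana_record(tld, timeout=10):
    """Query whois.iana.org for a TLD over RFC 3912 WHOIS (needs network access)."""
    with socket.create_connection(("whois.iana.org", 43), timeout=timeout) as s:
        s.sendall(tld.strip().lower().encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def referral_server(iana_response):
    """Extract the authoritative WHOIS server from the 'whois:' field, or None."""
    for line in iana_response.splitlines():
        m = re.match(r"^whois:\s*(\S+)\s*$", line, re.IGNORECASE)
        if m:
            return m.group(1).lower().rstrip(".")
    return None


def stale_entries(config, records):
    """Return {tld: (configured, authoritative)} for entries that disagree.

    `records` maps a TLD to its IANA response text, so the comparison can run
    offline in tests and with fetch_iana_record() in production.
    """
    stale = {}
    for tld, configured in config.items():
        authoritative = referral_server(records.get(tld, ""))
        if authoritative is None or authoritative != configured.lower().rstrip("."):
            stale[tld] = (configured, authoritative)
    return stale


if __name__ == "__main__":
    # Offline demonstration against the constructed record.
    print(stale_entries(STALE_CONFIG, {"mobi": SAMPLE_IANA_RESPONSE}))
    # Live check (uncomment to query IANA):
    # print(stale_entries(STALE_CONFIG, {"mobi": fetch_iana_record("mobi")}))
```

A missing `whois:` field is reported as stale rather than ignored, since a client that cannot confirm its server should not keep sending queries to it; the same comparison can be scheduled to run periodically so that a registry migration is noticed instead of silently leaving the client bound to an abandoned name.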

watchTowr Labs noted that attackers make mistakes too, much like defenders. They saw evidence of this in vulnerable systems with open web shells, expired domains, and the use of already backdoored software, challenging the perception that attackers are always flawless.

Want your digital assets to be protected? 

CyberShelter provides innovative, modern cybersecurity products and niche services that protect individuals and organisations against all kinds of cyber threats.

For the latest cyber threats and hacking news, please follow us on Facebook, LinkedIn, and Twitter.