- Researchers found thousands of forgotten, but active, web backdoors
- They gained access by purchasing expired domains
- All of the backdoors are being sinkholed
Experts recently uncovered more than 4,000 web backdoors which their operators seem to have forgotten, but which they managed to seize and sinkhole them, effectively preventing them from being abused by other threat actors in the future.
Two researchers from watchTowr, CEO Benjamin Harris, and researcher Aliz Hammond, said they discovered thousands of expired domains that were used to command the web backdoors.
watchTowr’s researchers set up a logging system, which showed that the malware was still active, despite not being in use. It was sending requests that helped the researchers identify some of the victims. They also identified a few of the backdoors used, including the r57shell, c99shell, and one called “China Chopper”.
China under assault
Some of the backdoors were deployed on web servers belonging to government agencies, universities, and other similar high-profile targets. Victims were located all over the world, including China, Thailand, and South Korea. In fact, a number of Chinese government systems and courts were said to have been compromised, as well as systems in Nigeria and Bangladesh.
The backdoors appear to be a mix of legitimate APT-level tools and other, less sophisticated implementations, leading the researchers to speculate that multiple threat actors, of different skill levels, were involved. The source IPs also pointed to heavy usage by attackers from regions like Hong Kong and China, though these could also be proxies and not definitive evidence of attribution.
The researchers also suggested at least some of the backdoors were originally associated with the dreaded Lazarus Group, but stressed that in this case, they were likely repurposed by other attackers. Lazarus is one of the most dangerous North Korean state-sponsored threat actors, actively engaged in industrial espionage, identity theft, wire fraud, and more.
At press time, the number of discovered web backdoors was 4,000, with the researchers adding that this was not definitive and that the actual number of compromised systems was likely much larger.
Via BleepingComputer