BATH, UK – More than 4,000 web backdoors that had been abandoned but were still active with live malware were hijacked and their communication infrastructure sinkholed – a term used to describe the process of redirecting malicious traffic to a DNS sinkhole – after web security researchers registered numerous expired domains, preventing them from being used by hackers and cybercriminals.
A backdoor is a covert method of bypassing normal authentication or encryption in a computer, most often used for seizing remote control of a network to gain access to sensitive information such as passwords, to corrupt or delete data on hard drives, or carry out attacks such as delivering malware.
Some of these backdoors were on web servers of well-known and noteworthy entities and organizations – such as the systems of governments and universities – and were ready and waiting to be used for attacks by any threat actors who may have had access to them.
WatchTowr Labs – a group that specializes in offensive security expertise and research – in conjunction with The Shadowserver Foundation – nonprofit internet security organization – acted preemptively to prevent the backdoors in these expired domains from falling into the wrong hands.
Researchers at WatchTowr Labs started an effort to seek out and identify expired domains that could possess backdoors; when these were discovered, the group would register the domains and take control of the backdoor. From there, they would examine the still active malware in an attempt to identify who may have been victimized by it.
WatchTowr registered over 40 domains, and in the process uncovered more than 4,000 systems that had been compromised, including governmental networks in China, Nigeria, Bangladesh, Thailand, and South Korea. These domains were then turned over to The Shadowserver Foundation to manage and sinkhole to prevent them from being used for malicious purposes in the future.
Email Vulnerabilities from Expired Domains
It’s important to recognize that expired domain names pose risks beyond web backdoors. Even old email addresses once in use with these domains can be exploited to create various security vulnerabilities. Cybercriminals can use abandoned email accounts to gain access to old or inactive accounts simply by recreating the old address, potentially leading to unauthorized access to sensitive information, password resets, and/or phishing attacks.
About The Author: John Colascione is Chief Executive Officer of Internet Marketing Services Inc. He specializes in Website Monetization, is a Google AdWords Certified Professional, authored a ‘how to’ book called ”Mastering Your Website‘, and is a key player in several Internet related businesses through his search engine strategy brand Searchen Networks®
Leave a Reply