Full Report
Researchers at watchTowr Labs found that abandoned and expired internet infrastructure left by hacking groups can function as backdoors within other backdoors. The post Malicious hackers have their own shadow IT problem appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Unspecified Hacking Groups (multiple unnamed operators whose legacy infrastructure was examined)
## Attribution & Identity
The report concerns abandoned or mismanaged infrastructure left behind by various unnamed hacking groups, including one operation attributed to the **Lazarus Group**, and the techniques the researchers used to take that infrastructure over. It describes a general "shadow IT" problem among malicious actors rather than a single named APT.
## Activity Summary
watchTowr Labs researchers identified thousands of live backdoors whose call-home addresses pointed at abandoned infrastructure or expired domains. By registering those expired domains (for as little as about $20 each) and pointing them at their own logging servers, the researchers could observe, and in principle commandeer, the compromised hosts still reporting in to the old command-and-control points.
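The sinkhole side of this technique, as an added example in PHP that is not watchTowr Labs' code: a catch-all endpoint on the server that the re-registered domains now resolve to. It writes one JSON line per inbound request and can summarise the log per domain. The log path, the record fields and the sample records at the bottom are assumptions made for the example.

```php
<?php
// Added example (not watchTowr Labs' code): a catch-all endpoint for a server
// that re-registered C2 domains now resolve to. Every request becomes one JSON
// line, and summarise() counts distinct beaconing hosts per hijacked domain.
// The log path, field names and the sample records are assumptions.

const SINKHOLE_LOG = '/var/log/sinkhole/beacons.jsonl'; // assumed path, writable by the web server

// One structured record per inbound request. The Host header tells us which
// of the purchased domains the implant was built with; the body is capped so
// a chatty client cannot fill the disk.
function beacon_record(array $server, string $body): array
{
    return [
        'ts'     => gmdate('Y-m-d\TH:i:s\Z'),
        'src_ip' => $server['REMOTE_ADDR'] ?? '',
        'host'   => strtolower(explode(':', $server['HTTP_HOST'] ?? '')[0]),
        'method' => $server['REQUEST_METHOD'] ?? '',
        'uri'    => $server['REQUEST_URI'] ?? '',
        'ua'     => $server['HTTP_USER_AGENT'] ?? '',
        'body'   => substr($body, 0, 4096),
    ];
}

function append_record(string $path, array $record): void
{
    $line = json_encode($record, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE) . "\n";
    file_put_contents($path, $line, FILE_APPEND | LOCK_EX);
}

// Distinct source IPs per hijacked domain: the quickest way to see which
// dead domain still has the largest population of implants behind it.
function summarise(iterable $lines): array
{
    $seen = [];
    foreach ($lines as $line) {
        $r = json_decode($line, true);
        if (!is_array($r) || empty($r['host']) || empty($r['src_ip'])) {
            continue; // skip malformed lines rather than abort the whole report
        }
        $seen[$r['host']][$r['src_ip']] = true;
    }
    $counts = array_map('count', $seen);
    arsort($counts);
    return $counts;
}

if (PHP_SAPI === 'cli') {
    // Offline run on constructed records (not captured traffic).
    $sample = [
        '{"host":"old-c2.example","src_ip":"203.0.113.5","uri":"/gate.php"}',
        '{"host":"old-c2.example","src_ip":"203.0.113.9","uri":"/gate.php"}',
        '{"host":"old-c2.example","src_ip":"203.0.113.5","uri":"/gate.php"}',
        '{"host":"update.example.net","src_ip":"198.51.100.7","uri":"/"}',
        'not json at all',
    ];
    print_r(summarise($sample));
} else {
    // Serving a real request: record it and answer blandly. The researchers
    // only observed; a sinkhole should not start issuing commands.
    append_record(SINKHOLE_LOG, beacon_record($_SERVER, (string) file_get_contents('php://input')));
    http_response_code(200);
    header('Content-Type: text/plain');
    echo "OK\n";
}
```

Deploy it as the default virtual host's catch-all so that any Host header lands on it, point the A records of every purchased domain at that server, and keep the response inert: the value of the exercise is the visibility into who is still beaconing, not command of the hosts. Run the script from the command line to see the per-domain summary on the constructed sample, where the first domain counts two distinct sources and the malformed line is ignored.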
## Tactics, Techniques & Procedures
- **Infrastructure Hijacking:** Purchasing expired domains previously hardcoded into backdoors/web shells to redirect traffic.
- **Web Shell Exploitation:** Abusing the authentication check of old PHP web shells. Because these shells pass request parameters through `extract()`, a request parameter with the same name as the hardcoded password variable overwrites it, so the researchers could supply their own password and authenticate to the shell.
- **Backdoor Chaining:** Leveraging old, forgotten infrastructure (abandoned backdoors) as entry points into newer, active malware campaigns ("backdoors within backdoors").
- **TTPs Implied (Lazarus Group):** A single hijacked backdoor, attributed to a prior Lazarus Group operation, was associated with over 3,900 unique compromised domains reporting in.
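The `extract()` overwrite described above, as an added example in PHP. It is not the watchTowr code and not any real shell; the variable names (`$auth_pass`, `$pwd`), the hardcoded secret and the sample requests are assumptions chosen for the demonstration.

```php
<?php
// Added example, not code from the watchTowr write-up or from any real web shell.
// It shows the variable-overwrite pattern the report describes next to a
// hardened form. Variable names, the secret and the sample requests are assumptions.

// Vulnerable gate: every request parameter is copied into the local symbol
// table. extract() defaults to EXTR_OVERWRITE, so a parameter named "auth_pass"
// replaces the hardcoded secret before it is ever compared. Real shells do the
// same with extract($_REQUEST) or extract($_POST); taking the array as an
// argument lets this run offline.
function vulnerable_gate(array $request): bool
{
    $auth_pass = 'h4rdc0ded!';   // the operator's password baked into the shell
    extract($request);           // defines $pwd, $cmd, ... and clobbers $auth_pass if present
    return isset($pwd) && $pwd === $auth_pass;
}

// Hardened gate: read the one parameter by name, never extract(), and compare
// in constant time. (A real fix also stores a hash rather than the plaintext.)
function hardened_gate(array $request): bool
{
    $auth_pass = 'h4rdc0ded!';
    $pwd = $request['pwd'] ?? '';
    return is_string($pwd) && hash_equals($auth_pass, $pwd);
}

// Constructed requests (not captured traffic).
$requests = [
    'operator' => ['pwd' => 'h4rdc0ded!'],
    'takeover' => ['pwd' => 'researcher', 'auth_pass' => 'researcher'], // overrides the secret
    'guess'    => ['pwd' => 'password123'],
];

foreach ($requests as $name => $req) {
    printf("%-9s vulnerable=%-5s hardened=%s\n",
        $name,
        vulnerable_gate($req) ? 'true' : 'false',
        hardened_gate($req) ? 'true' : 'false');
}
```

The `takeover` request never needs the operator's password: it sets `auth_pass` and `pwd` to the same value of its own choosing, so the vulnerable gate compares the attacker's string with itself, while the hardened gate, which only ever reads `pwd`, rejects it. When hunting for this pattern in a recovered shell, grep for `extract(` applied to `$_REQUEST`, `$_POST` or `$_GET` before the password comparison.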
## Targeting
- **Sectors:** Government organizations and universities.
- **Geography:** Victims identified in Bangladesh, China, Nigeria, Thailand, and South Korea.
- **Victims:** Thousands of compromised hosts across multiple government and academic networks.
## Tools & Infrastructure
- **Malware Families Used:** Not named; legacy web shells whose code still referenced the expired domains.
- **Infrastructure (C2, domains, IPs):** Traffic captured appeared to originate predominantly from **Chinese and Hong Kong IP addresses** directed at Chinese targets, though researchers caution this may be biased by the sample collected. Over 40 different expired domains were purchased and pointed at the researchers' logging servers.
## Implications
The findings reveal that malicious hacking groups suffer from a form of "shadow IT," leaving behind accessible, exploitable legacy infrastructure. This allows external parties (like security researchers) to gain visibility into ongoing, active backdoor networks—including thousands of compromised hosts—potentially allowing for the commandeering of these entry points. This sloppy infrastructure management presents a significant, self-inflicted risk to persistent threat actors.
## Mitigations
- **Infrastructure Hygiene:** The finding cuts both ways. Operators who do not decommission their Command and Control (C2) domains and deployed backdoors leave them open to hijacking; defenders can hunt for the same residue, namely web shells on public-facing hosts that still beacon to long-expired domains, and outbound connections to domains that have recently changed hands.
- **Password Management:** Hardcoded credentials in deployable artifacts such as web shells are credentials for whoever finds the artifact, and when the shell lets request parameters overwrite its variables the hardcoded value does not even need to be known.
- **Monitoring Expired Domains:** Organizations or researchers tracking specific threat actors should watch for the expiry and re-registration of domains matching known threat infrastructure, since a freshly re-registered C2 domain is both an indicator of compromise for hosts still resolving it and an opportunity for operational insight.