Cybersecurity firm WatchTowr Labs has discovered an innovative approach to monitoring malicious hacking activities by leveraging obsolete systems left by attackers. This technique not only sheds light on persistent vulnerabilities within shadow IT but also offers a potential tool for enhancing network security. By repurposing forgotten infrastructure, the research opens new avenues for understanding and mitigating cyber threats.
Efforts to trace hacker activities have traditionally relied on sophisticated detection tools and real-time monitoring. WatchTowr Labs’ method, however, utilizes abandoned domains and outdated infrastructure, offering a complementary strategy that targets remnants of previous malicious operations. This approach may enhance existing cybersecurity frameworks by broadening the scope of threat tracking beyond active vulnerabilities.
How Did Researchers Identify the Backdoors?
The team at WatchTowr Labs, led by CEO Benjamin Harris and researcher Aliz Hammond, identified the backdoors by analyzing old web shells and the expired domains used by malicious groups. They were able to override the hardcoded passwords in these shells through PHP's extract() function, which the shells used to turn request parameters into variables, granting them access to the compromised systems. By purchasing expired domains, often costing as little as $20, they redirected these domains to their logging servers, capturing incoming requests and tracking compromised hosts.
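As an added example (not code from watchTowr's research), here is a small Python scanner that flags the ordering problem described above: a PHP script assigns a hardcoded password and then calls extract() on request data before comparing it, so the request can redefine the password variable. The PHP snippets it runs against are constructed for the example.

```python
import re

# extract() over a superglobal the HTTP client fully controls.
EXTRACT_RE = re.compile(r"\bextract\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")
# $name = 'literal';  (a hard-coded value such as a password)
LITERAL_ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*(?:'[^']*'|\"[^\"]*\")\s*;")
# A line that compares values (==, ===, !=, !==) or calls a comparison helper.
COMPARE_LINE_RE = re.compile(r"===?|!==?|\bhash_equals\b|\bstrcmp\b")
VAR_RE = re.compile(r"\$(\w+)")


def find_extract_overwrites(php_source):
    """Return (line_number, variable) pairs for hard-coded variables that a
    later extract() on client input can overwrite before they are compared.
    Heuristic: statement order only, no control-flow analysis."""
    lines = php_source.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        if not EXTRACT_RE.search(line):
            continue
        # Variables given a literal value before extract() runs...
        fixed_before = set()
        for earlier in lines[:idx]:
            fixed_before.update(LITERAL_ASSIGN_RE.findall(earlier))
        # ...and compared afterwards: the request can redefine them, so the
        # check ends up comparing client-supplied data with itself.
        for line_no, later in enumerate(lines[idx + 1:], start=idx + 2):
            if not COMPARE_LINE_RE.search(later):
                continue
            for var in VAR_RE.findall(later):
                if var in fixed_before and (line_no, var) not in findings:
                    findings.append((line_no, var))
    return findings


# Constructed samples (not real web shell code): same check, different ordering.
VULNERABLE = """<?php
$secret = 'changeme';
extract($_REQUEST);
if ($auth !== $secret) { http_response_code(403); exit; }
"""
HARDENED = """<?php
$secret = 'changeme';
$auth = $_REQUEST['auth'] ?? '';
if (!hash_equals($secret, $auth)) { http_response_code(403); exit; }
"""

if __name__ == "__main__":
    print("vulnerable:", find_extract_overwrites(VULNERABLE))  # [(4, 'secret')]
    print("hardened:", find_extract_overwrites(HARDENED))      # []
```

The same scan applied to a directory of PHP files is a cheap way to surface leftover scripts where a hardcoded check can be bypassed by whoever controls the request.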
What Impact Does This Have on Cyber Defenses?
“Put simply — we have been hijacking backdoors… and theoretically gave us the power to commandeer and control these compromised hosts,” Harris and Hammond explained. This capability allows cybersecurity professionals to monitor and potentially disrupt ongoing hacking campaigns. By taking control of these backdoors, defenders can gain valuable intelligence on attacker behaviors and methods, thereby strengthening overall cyber defense strategies.
Who Are the Primary Targets Affected?
The research revealed that various government organizations and educational institutions across countries like Bangladesh, China, Nigeria, Thailand, and South Korea were among the affected targets. The compromised backdoors connected to thousands of unique domains, indicating a widespread impact. The concentration of traffic from specific regions suggests that certain areas are more heavily targeted by these persistent hacking groups.
The researchers ensured their methods remained within legal boundaries by not manipulating systems beyond logging incoming requests and responding minimally. The acquired domains were later handed over to the Shadowserver Foundation to act as sinkholes, preventing further exploitation. This project highlights the ongoing challenges related to managing outdated infrastructure and underscores the importance of maintaining robust cybersecurity practices.