Security firm WatchTowr Labs claimed to have reset the passwords of 4,000 compromised systems by seizing control of domain names that had either not been renewed or had simply been left unused, at a cost of $20 per domain. The operation exposed a weakness in the traditional infrastructure attackers rely on: anyone who registers a lapsed domain can take over backdoors that still call home to it.
The research, undertaken jointly with the Shadowserver Foundation, focuses on how intruders use web backdoors. Many command-and-control (C2) setups depend on expired or outdated domain names. Read on to learn more about the incident and how to protect your company from similar threats.
A New Form of Attack: Expired Domain Hijacking
The cybersecurity company used a strategy that is innovative but not especially complex. Many of the backdoors they focused on had originally been planted by hackers to gain unauthorized remote access to victims’ networks. Those intruders lost control when the domain names their backdoors called home to expired. WatchTowr Labs then registered those expired domains.
Thanks to this takeover, the company could identify the compromised hosts and, to a degree, control them, as WatchTowr Labs’ CEO Benjamin Harris and researcher Aliz Hammond found. The team’s work showed that targets associated with government bodies in Bangladesh, China, and Nigeria, and academic institutions in China, South Korea, and Thailand, had been compromised.
The Backdoors: A Diverse Range of Threats
The web shells found during the process varied in functionality and reach. Examples included c99shell and r57shell, full-featured remote access tools that let an intruder run arbitrary commands, perform file operations, download or upload more malware, and more. Another worth mentioning is China Chopper, a web shell widely used by APT groups linked to China.
WatchTowr Labs also discovered that some of the web shells themselves contained weak spots, introduced by the people who built them and then used to their advantage. In some cases, other attackers identified these vulnerabilities, allowing yet another party to control the same systems.
A Case of Oversight and Exploitation
WatchTowr Labs pointed out that attackers, like defenders, can make serious mistakes. In this instance, relying on expired domains, using software that was itself compromised, and leaving unpatched vulnerabilities in web shells created a significant security risk for the attackers. The following example highlights a severe case of neglect and misuse that shows clear oversight.
One example of this common issue with expired domain names is when someone bought a domain linked to an old WHOIS server for just $20. Even after the domain changed hands, over 135,000 systems continued to send data to it. These included private businesses, government agencies, and military organizations in several countries, including the United States, Argentina, Bangladesh, and India.
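As an added example (not WatchTowr Labs’ or Shadowserver’s tooling), the following Python script turns the lesson of this case into a routine defensive check: given raw WHOIS output for each domain an organization owns or sees its systems calling out to, it flags domains that are unregistered, already expired, or expiring within 30 days. The WHOIS records, domain names and reference date are constructed placeholders; in practice the text would come from the whois command or a registrar API.

```python
"""Flag domains that are unregistered, expired or expiring soon from raw WHOIS text."""
import re
from datetime import datetime, timedelta, timezone

# Constructed WHOIS responses for placeholder domains (not real records).
SAMPLE_WHOIS = {
    "legacy-update.example": "Domain Name: LEGACY-UPDATE.EXAMPLE\n"
                             "Registry Expiry Date: 2024-11-02T04:00:00Z\n",
    "corp-portal.example": "Domain Name: CORP-PORTAL.EXAMPLE\n"
                           "Registrar Registration Expiration Date: 2025-01-20T00:00:00Z\n",
    "old-callback.example": 'No match for "OLD-CALLBACK.EXAMPLE".\n',
}
# Fixed reference time so the results are reproducible (constructed).
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Expiry field names differ between registries; cover the common spellings.
EXPIRY_RE = re.compile(
    r"^(?:Registry Expiry Date|Registrar Registration Expiration Date"
    r"|Expiration Date|Expiry Date):\s*(\S+)", re.IGNORECASE | re.MULTILINE)
UNREGISTERED_RE = re.compile(r"^(?:No match|NOT FOUND|No Data Found)",
                             re.IGNORECASE | re.MULTILINE)

def parse_expiry(whois_text):
    """Return the expiry as an aware datetime, or None if the domain is unregistered."""
    if UNREGISTERED_RE.search(whois_text):
        return None
    m = EXPIRY_RE.search(whois_text)
    if not m:
        raise ValueError("no expiry field found in WHOIS output")
    return datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))

def classify(whois_text, now=REFERENCE_NOW, warn_days=30):
    """Return 'unregistered', 'expired', 'expiring' or 'ok' for one WHOIS record."""
    expiry = parse_expiry(whois_text)
    if expiry is None:
        return "unregistered"  # anyone can register it, as in the WatchTowr case
    if expiry <= now:
        return "expired"       # may still be in a grace period, but treat as lost
    if expiry - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"

def audit(inventory, now=REFERENCE_NOW):
    """Map each domain in the inventory to its status."""
    return {domain: classify(text, now) for domain, text in inventory.items()}

if __name__ == "__main__":
    for domain, status in audit(SAMPLE_WHOIS).items():
        print(f"{status:12} {domain}")
```

Any domain reported as unregistered or expired that still appears in your configurations, DNS records or outbound traffic deserves immediate attention, because whoever registers it next inherits that traffic.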
How Malware Infects Devices
And how you can protect yourself
Malware is a serious threat lurking across the vast Internet. It can reach your systems in several ways. Here are some of the most common ways that malware, including trojans, can get onto your system:
1. Spam Emails
Malware is most frequently delivered by e-mail, in messages that look like ordinary correspondence from other company employees. Such messages may carry attachments posing as invoices, delivery receipts, or even notices of a tax refund. These attachments usually contain malicious files, and once someone opens one, the program downloads hostile code onto the computer.
To protect yourself:
Do not respond to emails containing documents or links from unknown or suspicious senders.
Always check who the sender is before you reply or open any attachments.
If you doubt whether a notification is authentic, type the website address directly into your browser instead of clicking the link in the body of the message.
2. Malicious Office Macros
When opening documents, you may run into Microsoft Office files that contain macros, scripted instructions that automate operations. Not surprisingly, hackers seize this opportunity to create risky content that harms devices. Often the file displays what looks like a warning, urging you to enable content for additional features.
One typical scam involves receiving an email telling you that you have been charged for a service you did not sign up for, then asking you to open an Excel file to cancel the charge. If you enable the macros in such a file, the malware is downloaded.
To stay safe:
Malware often hides in Office documents, so never run macros unless you know the source is trustworthy.
No legitimate service requires you to open an Office file to cancel a subscription or fix a problem.
3. Infected Removable Drives
Malware can also spread through removable drives such as USB flash drives or external hard drives. When you insert an infected drive into your PC, the malware may install itself automatically.
To avoid infection:
Do not connect any device you found or do not recognize to your USB ports. Attackers deliberately leave such devices for people to find, a practice known as a USB drop attack.
If you must connect an unknown device, run a security scan on it afterwards.
4. Other software
Malicious software may be hidden inside other applications, most commonly those obtained from sources other than the official vendor website or from file-sharing networks. Installers may also bundle extra software that people do not want, such as toolbars and adware.
To minimize risk:
Always obtain software directly from the vendor’s website.
Read each step of the installer carefully so you can decline bundled extras you do not want.
Install a reliable security suite, such as Microsoft Defender Antivirus, to remove potentially dangerous software.
5. Web pages
Another way malware can reach your computer is through your web browser. There are two situations: the page itself is malicious and you have visited it, or a legitimate web page has been hacked. Hackers and other cybercriminals use such openings to deliver ransomware onto your system.
To protect yourself:
Keep all software and web browsers updated to reduce the risk of cyber threats.
Consider using a modern browser such as Microsoft Edge, which has built-in security features and frequent updates.
Uninstall browsers that nobody has used for a long time.
6. Other Malware Types
Some malware acts as a downloader, simply installing other threats on your system. This kind of payload can be very dangerous: each installed program can in turn fetch more malicious programs, creating a chain of infections.
The only protection against this hazard is installing and frequently updating security software, such as Microsoft Defender Antivirus or a similar product.
The Cybersecurity Wake-Up Call
This situation is a wake-up call for companies with neglected, abandoned, or inactive domains to audit their digital assets. Businesses have to stay vigilant, keep track of the domains they own, and uncover their weaknesses. The incident shows that countries need to cooperate in cybersecurity. WatchTowr Labs and the Shadowserver Foundation took control of many compromised computers by seizing a handful of domains. This illustrates the need for cooperation in identifying APT activity and preventing future abuse.
In conclusion, the case described above shows how quickly intruders can take ownership of large numbers of compromised systems through exposed web pages and software. It is also an eye-opener for companies to stay on their toes when managing their offline brands and online assets, and to ensure they have adequate security measures in place to prevent future leaks.