With support from the Shadowserver Foundation, a nonprofit organization specializing in the collection of data on computer threats, security researchers at WatchTowr Labs discovered more than 4,000 backdoors across the web. These hidden access points had been planted by cybercriminals on web servers and then abandoned. They were no longer actively used, but they were still operational.
For the record, a backdoor is malware installed on a website or server to give cybercriminals clandestine access. It lets the attacker execute commands remotely, steal data or install other malware. In this case, the hackers used Internet domains to pass instructions to the backdoors, and those domains had since expired.
Backdoors dismantled
After discovering the backdoors, the researchers decided to dismantle the entire infrastructure so that other hackers could not use them. To achieve this, they bought up all the expired domains left behind by the attackers. In effect, this let them intercept the backdoors' communications and take control of them. Concretely, the researchers were able to redirect all of that traffic to servers under their own control.
“We took control of backdoors (based on now-abandoned infrastructure or expired domains) that were themselves embedded within other backdoors,” explains the report from the WatchTowr Labs researchers.
From there, the WatchTowr Labs experts were able to identify some of the victims of the campaign. According to them, the backdoors were notably deployed on web servers belonging to government agencies and universities around the world, particularly in Thailand, South Korea and China. Chinese courts and agencies were also among those compromised.
Cybercriminals funded by governments
Everything suggests that the backdoors were deployed by government-funded cybercriminals. One of the backdoors is also associated with Lazarus, one of the criminal groups operating on behalf of North Korea. The group has specialized in stealing cryptocurrencies over the past five years.
It is particularly known for orchestrating the Ronin Network hack in 2022, which resulted in the disappearance of $624 million in digital assets. According to WatchTowr Labs, the backdoor has likely been reused by other cybercriminals since Lazarus inserted it:
“It’s unlikely we caught Lazarus in action, given the target profile. However, we are likely to see other attackers reusing tools developed by Lazarus for their own purposes.”
Everything suggests that the backdoors were placed by a wide range of hackers with varying skill levels. According to the experts, more backdoors of this kind can be expected to be discovered in the near future.
Source: WatchTowr Labs