With the support of the Shadowserver Foundation, a nonprofit organization that specializes in collecting data on computer threats, security researchers at WatchTowr Labs have discovered more than 4,000 backdoors across the web. These hidden access points had been planted on web servers by cybercriminals and then abandoned: they were no longer actively used, but they were still operational.
As a reminder, a backdoor is malicious software installed on a website or server to give cybercriminals clandestine access. It lets them execute commands remotely, steal data, or install other malware. In this case, the hackers used Internet domains to send instructions to the backdoors, and those domains had since expired.
Backdoors Dismantled
After discovering the backdoors, the researchers decided to dismantle the entire infrastructure so that other hackers could not make use of them. To do this, they bought all the domains the hackers had let lapse. With the domains in hand, they were able to intercept the backdoors' communications and take control of them; in concrete terms, the researchers redirected all of that traffic to secure servers.
From there, the experts at WatchTowr Labs were able to identify some of the victims of the campaign. According to them, the backdoors were deployed on web servers belonging to government agencies and universities around the world, particularly in Thailand, South Korea and China. Chinese courts and agencies were also among those compromised.
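A defensive check that follows from the mechanism described above: a backdoor whose command domain has expired keeps trying to call home, so the local resolver answers NXDOMAIN for the same name over and over. This Python script, added here as an illustration and not code from WatchTowr Labs or the original article, flags web servers that repeatedly ask for non-existent domains. The log format (timestamp, client IP, queried name, response code) and all domain names in it are constructed placeholders, not real infrastructure.

```python
"""Flag hosts that repeatedly try to resolve domains that no longer exist.

Added example, not WatchTowr Labs' code. An abandoned implant whose
command domain has expired keeps beaconing to it, so the resolver returns
NXDOMAIN each time. Repeated NXDOMAIN lookups for one name from a single
web server are a cheap signal worth a closer look at that host.
Assumed log format (constructed): "<timestamp> <client_ip> <qname> <rcode>".
"""
from collections import Counter, defaultdict

# Constructed sample resolver log lines; the names are placeholders.
SAMPLE_DNS_LOG = """\
2025-01-08T10:00:01Z 10.0.5.12 cdn.example.net NOERROR
2025-01-08T10:00:07Z 10.0.5.12 c2-placeholder.example NXDOMAIN
2025-01-08T10:05:07Z 10.0.5.12 c2-placeholder.example NXDOMAIN
2025-01-08T10:10:07Z 10.0.5.12 c2-placeholder.example NXDOMAIN
2025-01-08T10:15:07Z 10.0.5.12 c2-placeholder.example NXDOMAIN
2025-01-08T10:12:30Z 10.0.5.40 typo.example NXDOMAIN
2025-01-08T10:13:00Z 10.0.5.40 updates.example.org NOERROR
"""


def parse_dns_log(text):
    """Yield (client_ip, qname, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        yield client, qname.lower().rstrip("."), rcode.upper()


def find_beaconing_to_dead_domains(text, threshold=3):
    """Return {client_ip: {qname: count}} for names that failed >= threshold times.

    A single NXDOMAIN is noise (typos, stale links); the same host asking
    for the same non-existent name again and again looks like a scheduled
    beacon from something that should not be running there.
    """
    counts = defaultdict(Counter)
    for client, qname, rcode in parse_dns_log(text):
        if rcode == "NXDOMAIN":
            counts[client][qname] += 1
    return {
        client: {q: n for q, n in qnames.items() if n >= threshold}
        for client, qnames in counts.items()
        if any(n >= threshold for n in qnames.values())
    }


if __name__ == "__main__":
    hits = find_beaconing_to_dead_domains(SAMPLE_DNS_LOG)
    for client, names in hits.items():
        for qname, n in names.items():
            print(f"{client} asked for non-existent {qname} {n} times: "
                  "inspect this host for an orphaned backdoor")
```

On the sample data only the first host is reported; the single failed lookup from the second host stays below the threshold. In practice the same logic runs over the resolver's query log and the threshold is tuned to the beacon interval you expect to see.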
Cybercriminals funded by governments
Everything suggests that the backdoors were planted by cybercriminals funded by a government. One of the backdoors is also associated with Lazarus, one of the criminal groups operating on behalf of North Korea. Over the last five years these hackers have specialized in the theft of cryptocurrencies.
They are particularly known for having orchestrated the hack of Ronin Network in 2022, which resulted in the disappearance of $624 million in digital assets. According to WatchTowr Labs, the backdoor has likely been reused by other cybercriminals since Lazarus first planted it:
The backdoors are believed to have been planted by a wide range of attackers with varying levels of skill. Experts say more backdoors of this kind can be expected to be discovered in the near future.
Source: WatchTowr Labs