More than 4,000 unique web shells are exploiting expired domains and abandoned infrastructure, many of which are linked to servers belonging to government agencies and universities. These systems become vulnerable to takeover by cybercriminals whose objectives starkly diverge from the research intentions of cybersecurity experts.
The watchTowr Labs team, as part of a recent study, uncovered significant risks associated with neglected domains and infrastructure. Their report meticulously details how malicious actors can leverage existing backdoors to gain system access without expending effort on discovering and compromising new targets.
Benjamin Harris, CEO of watchTowr, described this approach as akin to “mass hacking on autopilot.” Threat actors exploit expired domains tied to web shells to “reap the rewards” of others’ work, allowing them to achieve the same level of access to compromised systems as the original creators of these tools.
The cost of such access is minimal—approximately $20 per domain. During their experiment, watchTowr registered over 40 abandoned domains previously used by web shells. Analyzing requests to these domains revealed numerous vulnerable systems, including servers operated by the governments of Bangladesh, China, and Nigeria, as well as universities in Thailand, China, and South Korea.
Among the most notable examples was the server of Nigeria’s Federal High Court, which was tied to four different web shells. Researchers identified over 4,000 compromised systems, with the number continuing to grow.
Of particular interest was the practice of “backdooring backdoors.” Some widely used web shells, such as c99shell, r57shell, and China Chopper, inherently include hidden functionalities that enable their creators to access systems compromised by other threat actors.
To prevent further misuse of these abandoned domains, the watchTowr team transferred them to the ShadowServer Foundation. This ensures they are employed solely for the secure monitoring of activity.
Researchers highlighted that real-time log monitoring provided a rare glimpse into the “behind-the-scenes” operations of internet activity. The data collected offers valuable insights into how criminals exploit abandoned infrastructure and aids in enhancing defensive strategies.
