Over 4,000 backdoors hijacked by registering expired domains

Latest News on Backdoor Exploits and Expired Domain Hijacking

1. Exploiting Abandoned and Expired Infrastructure:
A recent research study has highlighted the exploitation of abandoned and expired infrastructure to gain access to thousands of systems. The study, which has been ongoing for some time, has identified over 4,000 unique and live backdoors across various compromised entities, including multiple governments (Bangladesh, China, Nigeria), universities, and higher education institutions in several countries [1].

2. Hijacking Backdoors:
The research involves hijacking backdoors that rely on now-abandoned infrastructure or expired domains. This allows the researchers to track compromised hosts and potentially commandeer and control these hosts. The study notes that this vulnerability class is "hugely underrated" and can be exploited with minimal cost, such as registering $20 domain names [1].

3. Security Risks of Expired Domain Hijacking:
Expired domain hijacking poses significant security risks. When a domain expires, it can be easily hijacked by attackers, who then use it to deploy web shells or other malicious tools. For instance, a line of CSS code specifying a background image from a compromised server can leak the URL of the newly deployed web shell to the attackers, notifying them of successful deployment [1].
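The two points above (backdoors that phone home to lapsed domains, and CSS or HTML resources that pull from a third-party host) share one defensive check: inventory every external hostname a page or template references and flag the ones that no longer resolve, since a lapsed domain is exactly what an attacker can re-register. The following is an added example, not code from the research or from any project mentioned on this page; the sample page content and the `.test` hostnames are constructed, and the resolver is injectable so the scan can be exercised offline.

```python
import re
import socket
from typing import Callable, Dict, List, Set

# Constructed sample page: three external hosts, one local path, one data: URI.
SAMPLE_PAGE = """
<link rel="stylesheet" href="https://cdn.example-legit.test/site.css">
<script src="//assets.orphaned-vendor.test/analytics.js"></script>
<style>
  body { background: url("https://img.dead-project.test/bg.png"); }
  .logo { background-image: url(/local/logo.png); }
</style>
<img src="data:image/png;base64,AAAA">
"""

# URLs in HTML src/href attributes and in CSS url() references.
_ATTR_RE = re.compile(r'(?:src|href)\s*=\s*["\']([^"\']+)["\']', re.I)
_CSS_URL_RE = re.compile(r'url\(\s*["\']?([^"\')\s]+)["\']?\s*\)', re.I)
# Hostname of an absolute or protocol-relative URL; relative paths and
# data: URIs do not match and are therefore ignored.
_HOST_RE = re.compile(r'^(?:https?:)?//([^/:?#]+)', re.I)


def extract_hosts(content: str) -> Set[str]:
    """Return every external hostname referenced by HTML attributes or CSS url()."""
    refs = _ATTR_RE.findall(content) + _CSS_URL_RE.findall(content)
    hosts: Set[str] = set()
    for ref in refs:
        m = _HOST_RE.match(ref.strip())
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def dns_resolves(host: str) -> bool:
    """Live resolver: True if the name has any address record."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(
    content: str, resolver: Callable[[str], bool] = dns_resolves
) -> Dict[str, List[str]]:
    """Classify referenced hosts as 'live' or 'dangling'.

    A host that no longer resolves is a lead, not proof: its domain may have
    lapsed (and be registrable by anyone) or simply have no records right now.
    Confirming registration status needs a WHOIS/RDAP lookup, kept out here
    so the scan runs offline.
    """
    result: Dict[str, List[str]] = {"live": [], "dangling": []}
    for host in sorted(extract_hosts(content)):
        bucket = "live" if resolver(host) else "dangling"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    report = find_dangling(SAMPLE_PAGE)
    for host in report["dangling"]:
        print(f"DANGLING  {host}  (review: domain may be lapsed and registrable)")
    for host in report["live"]:
        print(f"live      {host}")
```

Run against real templates, stylesheets and any backdoor or malware samples recovered during incident response, the "dangling" list is the set of names to check for expiry and, where you own them, to renew or re-register before someone else does. Because `.test` is a reserved TLD, a live run of the sample flags all three hosts; the offline test below injects a resolver that treats one of them as live.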

4. Impact on Cybersecurity:
The exploitation of backdoors and expired domains can lead to severe cybersecurity breaches. These vulnerabilities can result in information theft, session hijacking, and other forms of client-side exploitation. The study emphasizes that this is a prolific tool, with over 3,900 unique compromised domains identified from a single backdoor alone [1].

Additional Security Risks

  • CVE-2024-12252: The SEO LAT Auto Post plugin for WordPress is vulnerable to file overwrite due to a missing capability check on the remote_update AJAX action. This vulnerability allows unauthenticated attackers to overwrite files, potentially leading to remote code execution [2].

  • CVE-2025-22275: iTerm2 versions 3.5.6 through 3.5.10 allow remote attackers to obtain sensitive information from terminal commands by reading the /tmp/framer.txt file, which can occur during remote logins with certain SSH Integration configurations [2].

  • CVE-2024-56278: Smackcoders WP Ultimate Exporter has an improper control of code generation ('Code Injection') vulnerability, allowing PHP Remote File Inclusion. This affects versions from n/a through 2.9.12.

  • CVE-2024-55555: Invoice Ninja before version 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by default APP_KEY values in .env files [2].

Conclusion

The exploitation of abandoned and expired infrastructure, particularly through backdoor hijacking, represents a significant and often overlooked vulnerability in cybersecurity. The ability to commandeer and control compromised hosts with minimal cost highlights the need for continuous monitoring and maintenance of digital assets. Additionally, the identified CVEs in various plugins and software underscore the importance of regular updates and security patches to mitigate these risks.