{"id":6847,"date":"2025-01-08T14:40:44","date_gmt":"2025-01-08T20:40:44","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83077"},"modified":"2025-01-08T14:40:44","modified_gmt":"2025-01-08T20:40:44","slug":"malicious-hackers-have-their-own-shadow-it-problem","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/08\/malicious-hackers-have-their-own-shadow-it-problem\/","title":{"rendered":"Malicious hackers have their own shadow IT problem"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Malicious hackers have their own shadow IT problem | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/malicious-hackers-have-their-own-shadow-it-problem\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Malicious hackers have their own shadow IT problem\"> <meta property=\"og:description\" content=\"Researchers at watchTowr Labs found that abandoned and expired internet infrastructure left by hacking groups can function as backdoors within other backdoors.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/malicious-hackers-have-their-own-shadow-it-problem\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-01-08T20:40:44+00:00\"> <meta property=\"article:modified_time\" content=\"2025-01-08T20:44:50+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/malicious-hackers-have-their-own-shadow-it-problem-2.jpg\"> <meta property=\"og:image:width\" content=\"2135\"> <meta 
property=\"og:image:height\" content=\"1404\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"djohnson\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1736278014g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1732010462g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ddc036fa194c40cf406f\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83077\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83077\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" 
href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmalicious-hackers-have-their-own-shadow-it-problem%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmalicious-hackers-have-their-own-shadow-it-problem%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83077 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/malicious-hackers-have-their-own-shadow-it-problem\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a 
class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.409929078014\">\n<div class=\"single-article__header-content\" readability=\"33.478260869565\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/malicious-hackers-have-their-own-shadow-it-problem\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> Researchers at watchTowr Labs found that abandoned and expired internet infrastructure left by hacking groups can function as backdoors within other backdoors. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83077\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"421\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/malicious-hackers-have-their-own-shadow-it-problem.jpg?resize=640%2C421&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/malicious-hackers-have-their-own-shadow-it-problem-2.jpg 2135w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/malicious-hackers-have-their-own-shadow-it-problem-2.jpg?resize=300,197 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/malicious-hackers-have-their-own-shadow-it-problem-2.jpg?resize=768,505 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/malicious-hackers-have-their-own-shadow-it-problem-2.jpg?resize=1024,673 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/malicious-hackers-have-their-own-shadow-it-problem-2.jpg?resize=1536,1010 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/malicious-hackers-have-their-own-shadow-it-problem-2.jpg?resize=2048,1347 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/malicious-hackers-have-their-own-shadow-it-problem-2.jpg?resize=600,395 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/malicious-hackers-have-their-own-shadow-it-problem-2.jpg?resize=255,168 255w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/malicious-hackers-have-their-own-shadow-it-problem-2.jpg?resize=512,337 512w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/malicious-hackers-have-their-own-shadow-it-problem-2.jpg?resize=1026,675 1026w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/malicious-hackers-have-their-own-shadow-it-problem-2.jpg?resize=1282,843 1282w\" 
sizes=\"(max-width: 1026px) 100vw, 1026px\"><figcaption> In a post published Wednesday, watchTowr Labs CEO Benjamin Harris and researcher Aliz Hammond said they have successfully identified entry points into thousands of live backdoors being used by hackers through the interconnected infrastructure they leave behind. (Image Source: Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"43.621342512909\"><body readability=\"87.829374697043\"><\/p>\n<p>Every chief information security officer worth their salt spends time thinking about the problem of shadow IT in their enterprise. Systems, hardware or infrastructure that might have been connected to your network years ago, for reasons no one can remember, were then summarily forgotten until years later when they became an entry point in a data breach or compromise.<\/p>\n<p>But new <a href=\"https:\/\/labs.watchtowr.com\/more-governments-backdoors-in-your-backdoors\/\">research<\/a> from watchTowr Labs suggests that this problem may not be restricted to the business world or defenders, and that the sloppy work left behind by malicious hacking groups can \u2014 with some creative thinking and a $20 domain purchase \u2014 be turned against them.<\/p>\n<p>In a post published Wednesday, watchTowr Labs CEO Benjamin Harris and researcher Aliz Hammond said they have successfully identified entry points into thousands of live backdoors being used by hackers through the interconnected infrastructure they leave behind.<\/p>\n<p>\u201cPut simply \u2014 we have been hijacking backdoors (that were reliant on now abandoned infrastructure and\/or expired domains) that themselves existed inside backdoors, and have since been watching the results flood in,\u201d Harris and Hammond wrote. 
\u201cThis hijacking allowed us to track compromised hosts as they \u2018reported in\u2019, and theoretically gave us the power to commandeer and control these compromised hosts.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>In many cases, attackers leave behind old web shells containing snippets of code that could be used to identify and compromise newer, active web shells and domains being used in ongoing hacking campaigns. While those shells are usually password protected, Harris and Hammond said using the extract function allowed them to overwrite the hardcoded password with their own login credentials.<\/p>\n<p>The researchers then collected shells that referenced more than 40 different expired domains and purchased them, often for as low as $20 a pop, and \u201cpointed our shiny new domains at our logging server, which did nothing other than log incoming requests before responding with a 404.\u201d<\/p>\n<p>Among the victims spotted were government organizations in Bangladesh, China and Nigeria, as well as universities in China, Thailand and South Korea. All told, they claim to have access to 4,000 backdoors. 
The number of victims compromised through those backdoors is likely exponentially higher; a single backdoor seemingly left over from a prior Lazarus Group operation was connected to more than 3,900 unique compromised domains.&nbsp;&nbsp;&nbsp;<\/p>\n<p>Much of the attacker traffic captured by watchTowr appeared to come from Chinese and Hong Kong IP addresses and was directed at \u201cChinese targets,\u201d but the researchers stressed that this could be a product of the sample size they collected and that setting up proxy infrastructure in other countries is a common tactic for malicious hacking groups.<\/p>\n<p>Harris and Hammond stressed that they were careful not to cross the line into doing anything that could be considered illegal as part of their research, noting \u201cthese requests were coming to us, we didn\u2019t manipulate systems into communicating with us, and we certainly did not respond with code to be evaluated.\u201d They also obfuscated compromised hostnames and other technical details.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The domains purchased by watchTowr were handed over to the nonprofit Shadowserver Foundation, which turned them into a sinkhole.<\/p>\n<p>Harris and Hammond wrote that the project underscores \u201cthat as the Internet ages, and as we begin to truly understand the scope of impact for abandoned and expired infrastructure, we\u2019re likely to see problems like this continue.\u201d<\/p>\n<p>\u201cWe like to be semi-positive \u2026 it is somewhat encouraging to see that attackers make the same mistakes as defenders,\u201d Harris and Hammond wrote. \u201cIt\u2019s easy to slip into the mindset that attackers never slip up, but we saw evidence to the contrary \u2014 boxes with open web shells, expired domains, and the use of software that has been backdoored. 
Perhaps the playing field is more level than we thought.\u201d<\/p>\n<p>Perhaps attackers need to attend more Washington D.C. cybersecurity conferences for tips on properly managing their shadow IT.&nbsp;<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.7543186180422\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/malicious-hackers-have-their-own-shadow-it-problem-1.jpg?w=640&#038;ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" 
class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/malicious-hackers-have-their-own-shadow-it-problem\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Malicious hackers have their own shadow IT problem | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3376,78,420,3440],"tags":[3379,86,424,3441],"class_list":["post-6847","post","type-post","status-publish","format-standard","hentry","category-backdoors","category-cybersecurity","category-shadow-it","category-watchtowr-labs","tag-backdoors","tag-cybersecurity","tag-shadow-it","tag-watchtowr-labs"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/backdoors\/\" rel=\"category tag\">backdoors<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/shadow-it\/\" rel=\"category tag\">Shadow IT<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/watchtowr-labs\/\" rel=\"category tag\">watchTowr Labs<\/a>","tag_info":"watchTowr 
Labs","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6847","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6847"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6847\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6847"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6847"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6847"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}