this post was submitted on 14 Jan 2025
43 points (89.1% liked)

[–] Akasazh@feddit.nl 4 points 6 days ago (1 children)

Does somebody care to eli5 this for me (and others like me)?

I feel like I'm lacking context. How important is the find they did? What are groups like Lazarus (I tried giving that link, but it's dead)? What was their .mobi thing they assume we know about in the intro?

[–] exu@feditown.com 4 points 6 days ago (1 children)

The .mobi was a previous post where they bought the expired domain which was previously used by the .mobi WHOIS server.
A bunch of systems apparently didn't update their WHOIS database and still tried to get WHOIS information from the old domain.
This could lead to RCE in some implementations if they provided a malicious response.
A bunch of CAs also accessed the old domain and use WHOIS to verify domain ownership. By setting their own email address for verification, they could have issued themselves a certificate for any .mobi domain (microsoft.mobi, google.mobi for example).

Now to this article, here they looked at a bunch of webshells with backdoors added by the developers. Some of the domains had expired, so by getting those domains and setting up a webserver they got connections from different systems infected by the malware. They could have used the same backdoor previously used by the devs to access those same systems remotely and do whatever.

[–] Akasazh@feddit.nl 1 points 6 days ago

Thanks mate!
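
An added defensive example, not part of the thread or the linked article: one way to catch the stale WHOIS server entries exu describes is to audit a client's built-in TLD-to-server table against authoritative referral records. All hostnames and both sample inputs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: a WHOIS client's built-in TLD -> server table (hosts are hypothetical).
CLIENT_TABLE = """
# tld    whois server
.mobi    whois.old-registry.example
.info    WHOIS.Info-Registry.example.
.dev
"""

# Constructed records in the "key: value" layout of whois.iana.org TLD answers (hypothetical hosts).
IANA_RECORDS = """
domain:       MOBI
whois:        whois.new-registry.example

domain:       INFO
whois:        whois.info-registry.example

domain:       DEV
"""

def norm(host):
    # Compare hostnames case-insensitively and without a trailing root dot.
    return host.strip().rstrip(".").lower()

def parse_client_table(text):
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:  # a TLD with no server column maps to None
            table[parts[0].lstrip(".").lower()] = norm(parts[1]) if len(parts) > 1 else None
    return table

def parse_iana(text):
    records = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([\w-]+):[ \t]*(.*)$", block, re.M))
        if "domain" in fields:
            records[norm(fields["domain"])] = norm(fields["whois"]) if fields.get("whois") else None
    return records

def audit(client, authoritative):
    """Return (tld, reason, configured, expected) for every entry that disagrees."""
    findings = []
    for tld, server in sorted(client.items()):
        if tld not in authoritative:
            findings.append((tld, "unknown-tld", server, None))
        elif server != authoritative[tld]:
            findings.append((tld, "stale", server, authoritative[tld]))
    return findings
```

Only the `.mobi` entry is flagged here: the `.info` entry differs from the authoritative record only in case and a trailing dot, and `.dev` has no WHOIS server on either side.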