Hello and welcome to the Thursday, January 9th, 2025 edition of the Sandus Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Let's start today with some domain dumpster diving watchtower.

Did interesting research where what it did is they registered

expired domains.

Now, this in itself is new, has been done off in order to sort of go after some abandoned

infrastructure that Enterprise have set up that is still trusted in some ways.

In this case, however, Watchtower took a little bit a different approach.

Instead of looking at abandoned infrastructure of enterprises, they looked at abandoned infrastructure

of attackers. Attackers often set up domains that are then being used by hijacked systems to connect to command and control servers.

Well, they then forget about them or are no longer interested in them and as a result are abandoning those domains.

Watchtower now set up their own web server on some of these abandoned domains. They basically just

re-registered them. And surprise, they actually immediately got access to thousands of compromised

systems that were calling back to connect to a command control system. or in the case that Watchtower in particular

focused on, they looked at backdoors that attackers installed, where the backdoor itself

was backdoored. And the way you backdoor a backdoor is that you add some script that by saying

notifies the attacker on a particular web address

that, well, a new system was infected with this backdoor.

So they had these infected systems that had backdoors installed on them,

call back to the abandoned and now re-registered domain,

and identified various companies, government agencies worldwide that were affected by these fairly well-known backdoors. These are not

back doors that are hard to find by any means. These are very well-known backdoors. Simple signature-based

...