What are Backdoor Attacks and How Can You Defend Against Them?

Backdoor attacks are on the rise. In 2022, this relatively little known cyberattack vector overtook ransomware as the top action deployed by cybercriminals. According to the IBM Security X-Force Threat Intelligence Index 2023, nearly a quarter of cyber incidents involved backdoor attacks.

But what is a backdoor attack and how can you protect your organization from becoming a victim? Let’s explore this stealthy threat.

What is a backdoor attack?

Backdoor attacks occur when threat actors bypass a network's security controls and authentication procedures to access a system, application, and even encrypted data—by literally entering through the backdoor.

That backdoor is often created by developers who use it to troubleshoot software or perform other administrative tasks. However, attackers can also create backdoors. They do this by exploiting a weakness or vulnerability in a system, application, or software that is left unfixed or unpatched. For example, backdoors can be deployed via insecure access ports and IoT devices, or within vendor software updates (as was the case with SolarWinds in late 2020).

Backdoors can also be deployed as a result of human behavior, such as downloading a counterfeit software update or clicking on a phishing link or file.

What can a backdoor attack do?

Through a backdoor, attackers can gain unauthorized access or remote control of the network and move laterally to take over other systems, applications, and databases.

This increases the attack surface, exposing more critical assets and data to potential exfiltration or setting the scene for denial of service attacks, fraudulent financial transactions, and more.

While ransomware attacks are becoming easier to detect (average detection time for ransomware has decreased from two months to less than four days), backdoor malware can lurk undetected on a network for weeks.The hidden nature of the attack lets malicious actors go undetected for a dangerous amount of time. Even when vulnerabilities are detected it’s hard to know where they end.

Examples of backdoor attacks

Backdoor attacks occur more often than many security managers believe. Examples of recent high profile backdoor attacks include:

SolarWinds

In addition to being one of the biggest supply chain cyber attacks ever, the 2020 SolarWinds hack is a notable example of a backdoor attack. During the attack, nation state actors embedded malware in software updates of the widely-used SolarWinds Orion platform. More than 18,000 organizations, including government agencies, installed the update, giving adversaries backdoor access to sensitive data for months, if not years.

Microsoft Exchange

In 2021, vulnerabilities in Microsoft Exchange were exploited by attackers to spread ransomware through backdoor attacks on customer’s Exchange servers.

Bitsight analysis showed that thousands of organizations were exploited as a result. Fortunately many moved quickly to patch vulnerable systems. Yet in the weeks following the discovery, Bitsight observed that 20 percent of Exchange Servers (65,000 servers) remained vulnerable and four percent (14,000+ servers) still presented as compromised by the backdoor attack vulnerability. These findings implied that security administrators had yet to perform incident response.

WordPress

Millions of organizations rely on WordPress for website creation and management, including the Walt Disney Company, Microsoft News, BBC America, and more. In March 2021, WordPress announced that the script language PHP, used to create all their domains, had been hit with a backdoor attack. During the attack, cybercriminals inserted a remote code into an edit of the PHP script. When added to a website’s language in a minor update, the code potentially opened the door for attackers to take over any PHP website remotely.

WordPress has experienced many backdoor attacks over the years. These have been mainly due to the frequent updates pushed to WordPress networks, the acceptance of plugins and extensions by the host organization, and the lack of firewall protection from the WordPress network.

How to detect and prevent backdoor attacks

With automated technology to support your cyber risk program, as well as consistent maintenance of vulnerability management best practices with your team and vendors, you can reduce the risk of backdoor attacks. Consider the following best practices:

1. Create a culture of cyber awareness

Backdoor attacks often target individual employees with phishing emails, suggested plug-in or software downloads, and other techniques potentially preventable with the right training.

Raise awareness of backdoor attacks through cybersecurity training—at all levels of the organization, including the C-suite. Creating a culture of cyber awareness can help ensure your team is taking every step they can to protect your network and, in turn, your reputation and business performance.

2. Understand your attack surface

To defend against backdoor attacks, you need a firm grasp of what your attack surface looks like, what the biggest threats are, and how they can be remediated.

Attack surface monitoring can help you visualize your entire digital footprint—from the cloud to the edge, and even across third parties. With complete visibility into every digital asset, device (including IoT), cloud instance, vendor, business unit, and geography; you can more easily assess them for risk and prioritize resource allocation to better remediate risk exposure.

For example, if a subsidiary exhibits a high incidence of unpatched systems you can quickly identify each asset, visualize whether the risk is critical or excessive, and prioritize remediation accordingly.

3. Continuously monitor to gain a complete picture of risk

Relying on point-in-time assessments and penetration tests can allow backdoor attacks to sneak into your network that might not reveal themselves for weeks, months, or even years.

With network scanning and continuous monitoring technology, you can stop worrying if you are properly protected against backdoor attacks. You’re alerted the moment a backdoor vulnerability is detected, such as an unpatched system or open port.

You can also extend the same visibility to your supply chain. Rather than rely on self-reported security questionnaires, take steps to continuously monitor your third and fourth parties for any changes in their security postures or emerging vulnerabilities. Identifying the signs of a backdoor deployment without waiting for a vendor to notify you can drive proactive and rapid remediation on their part, and will give you a full view of where the risks live in your network.

4. Have an action plan when problems arise

It’s not enough to monitor for risky areas or indicators of a backdoor attack. You need to establish remediation strategies.

Create an incident response plan that includes stakeholders from various business disciplines. The quicker you work to combat the areas of risk in your network, the less time threat actors have to further exploit your systems.

Extend the same preparedness to your vendors. Including an agreed upon strategy in your vendor contracts is a great way to proactively handle future threats.

Prevent and detect backdoor attacks with Bitsight

As backdoor attacks continue to rise, managing your cyber risk exposure must be a top priority. Bitsight’s integrated solutions for exposure management can help.

With Bitsight, you can achieve complete visibility into risk exposure, continuously measure security effectiveness, and perform proactive remediation actions—before a backdoor is deployed.

Bitsight also extends that same visibility to your supply chain, so you can reduce third- and fourth-party cyber exposure quickly and confidently.