The emergence of cybercrime-as-a-service (RaaS) has lowered the entry barrier into cybercrime by allowing cybercriminals to focus on just one facet of the attack supply chain.
This may be coding malware, creating phishing kits, crafting initial access techniques, releasing vulnerability exploits, or sharing data dumps listing potential victims.
However, at the end of the chain, the piece of malware must be sent from somewhere. That's why bulletproof hosting (BPH) has become a critical infrastructure service in cybercrime.
What Is Bulletproof Hosting?
Bulletproof hosting is a service offered by a web hosting operator, usually located in lenient jurisdictions or countries where law enforcement has poor resources, that serves all kinds of activity, including illegal ones.
BPH providers can allow online gambling, illegal pornography, botnet command and control servers, spam, copyrighted materials, hate speech and misinformation.
According to cyber threat intelligence firm Intel471, many BPH providers "comprise a murky chain of unresponsive shell companies with false registration information."
While most internet service providers (ISPs) would collaborate with law enforcement when their services were found to support criminal activities, BPH providers "use a variety of complex technical arrangements to make takedown and abuse requests difficult," Intel471 explained in a January 22 blog post.
"This can involve buying IP address ranges from other nefarious bulletproof providers, using fast-flux hosting and routing malicious traffic through ever-shifting proxy and gateway servers in other regions," Intel471 explained.
Some BPH providers allow certain low-level illegal activities but not criminal behaviors, to avoid triggering law enforcement action.
Three Prolific BPH Providers: yalishanda, PQ Host and ccweb
Several popular BPH services are run by threat actors.
Intel471 described three services owned by the threat actors yalishanda, pqhosting and ccweb.
yalishanda
The yalishanda threat actor is one of the most prolific BPH providers in the cybercriminal underground, according to Intel471.
It offers an ever-changing reverse proxy network, which has been associated with the Snatch Team data extortion and ransomware group, the defunct GandCrab ransomware, Smokeloader malware, phishing attacks and malware distribution.
The threat intelligence firm said the threat actor's real name is Alexander Alexandrovich Volosovik, a Russian national operating out of Russia who previously worked in Beijing.
PQ Host
Perfect Quality Hosting (aka PQ Hosting, formerly MoreneHost) has a clear-web site that offers "super servers" in the Netherlands. It appears to be a legitimate hosting provider, but some of its infrastructure has been linked to malicious activity, Intel471 said.
PQ Hosting has hosted notorious ransomware such as FiveHands (aka HelloKitty) and DarkSide, which infected the US energy company Colonial Pipeline in 2021 and led to the shutdown of its critical energy pipeline as a precaution.
ccweb
The ccweb threat actor is another prolific BPH provider for the cybercriminal world. Its infrastructure, which functions like a content delivery network (CDN) rather than a hosting provider, traces to ISPs in Saudi Arabia, Mexico and the Dominican Republic.
"The actor also offers fast flux on infected computers in regions including Asia, Africa and the Middle East, making it difficult to block content served due to changing IP addresses," Intel471 wrote.
The threat actor's services have been linked to many ransomware variants, including Bad Rabbit, GandCrab, LockBit 2.0 and STOP/DJVU, and several malware samples (BankBot, Dreambot, Godzilla, Gozi ISFB, Nymaim, Pony Loader, Privateloader and SmokeLoader).
Blocking BPH Providers, an Efficient Way to Fight Cybercrime
BPH providers use a range of methods to evade detection.
Typically, they persistently change their autonomous system (AS) and IP address ranges – the internet routing identifiers that mark a connected network and allow it to exchange traffic with others.
However, BPH services can still be tracked to provide real-time intelligence. "Observing changes in BPH infrastructure allows security teams to stay ahead of criminal operators and proactively prevent cyber threats," Intel471 added.
"Targeting and blocking BPH providers can be one of the most effective defense mechanisms from a cost-benefit perspective that can often halt malicious activity early in the kill chain."
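The tracking-and-blocking approach described above, as an added defender-side example that is not part of the article or Intel471's tooling: two constructed snapshots of prefixes attributed to a hypothetical BPH provider are diffed to find the ranges it has moved to, the current snapshot becomes a blocklist, and constructed proxy log lines are checked against it. All prefixes, provider names and log lines are invented for illustration.

```python
import ipaddress

# Constructed snapshots: provider -> prefixes observed on two different days.
# Values are documentation/test ranges, not real BPH infrastructure.
SNAPSHOT_DAY1 = {"bph-provider-a": {"192.0.2.0/24", "198.51.100.0/25"}}
SNAPSHOT_DAY2 = {"bph-provider-a": {"192.0.2.0/24", "203.0.113.0/24"}}

# Constructed outbound proxy log lines: "<timestamp> <src> -> <dst>:<port>"
SAMPLE_LOG = [
    "2024-01-22T10:00:01Z 10.0.0.5 -> 203.0.113.7:443",
    "2024-01-22T10:00:02Z 10.0.0.6 -> 198.51.100.9:443",
    "2024-01-22T10:00:03Z 10.0.0.7 -> 172.16.5.5:443",
]


def diff_prefixes(old, new):
    """Return {provider: (added, removed)} between two snapshots.

    'added' are prefixes the provider moved into (new blocks to push);
    'removed' are prefixes it abandoned (stale blocks to retire so that
    a reassigned range does not keep blocking innocent traffic)."""
    changes = {}
    for provider in set(old) | set(new):
        before = set(old.get(provider, ()))
        after = set(new.get(provider, ()))
        changes[provider] = (sorted(after - before), sorted(before - after))
    return changes


def build_blocklist(snapshot):
    """Flatten the current snapshot into ip_network objects for matching."""
    return [ipaddress.ip_network(p) for nets in snapshot.values() for p in nets]


def flag_destinations(log_lines, blocklist):
    """Return (destination, matched_prefix) pairs for log lines whose
    destination falls inside a currently blocklisted prefix."""
    hits = []
    for line in log_lines:
        dst = line.split("->")[1].strip().split(":")[0]
        addr = ipaddress.ip_address(dst)
        for net in blocklist:
            if addr in net:
                hits.append((dst, str(net)))
                break
    return hits
```

Run against the constructed data, the diff reports 203.0.113.0/24 as newly added and 198.51.100.0/25 as retired, so only the connection to 203.0.113.7 is flagged under the day-2 blocklist.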