Saturday , February 15 2025
chart
Image: intel471

Bulletproof Hosting: A Critical Cybercriminal Service

Cybercriminals now offer services and products to other cybercriminals is a significant development in the last two decades.

Cybercrime-as-a-service has made it easier for criminals to get into cybercrime, allowing them to specialize and commit crimes on a larger scale. For instance, instead of coding malware, a criminal can buy it in underground markets.

Xploit_Cr3w and Blind_Virus, champion for BCS CTF contest

Xploit_Cr3w and Blind_Virus are the two champion teams categorically for BCS ICT Fest 2025 arranged jointly by BCS and BUET....
Read More
Xploit_Cr3w and Blind_Virus, champion for BCS CTF contest

Salt Typhoon Exploits Vulnerable Cisco Devices of Telcoms Globally

Between December 2024 and January 2025, Recorded Future's Insikt Group discovered a campaign targeting unpatched Cisco devices used by major...
Read More
Salt Typhoon Exploits Vulnerable Cisco Devices of Telcoms Globally

CISA Releases Advisories For 20 Industrial Control Systems (ICS)

On February 13, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued 20 advisories about serious vulnerabilities in Industrial Control...
Read More
CISA Releases Advisories For 20 Industrial Control Systems (ICS)

“Astaroth” Phishing Kit Bypasses 2FA Of Gmail, Yahoo, AOL, M365

The new Astaroth Phishing Kit can bypass two-factor authentication to steal login credentials for Gmail, Yahoo, and Microsoft. It uses...
Read More
“Astaroth” Phishing Kit Bypasses 2FA Of Gmail, Yahoo, AOL, M365

CVE-2023-38831
Malware campaign target Bangladeshi Government Entities: Report

A sophisticated malware campaign is targeting military and government entities in Bangladesh. It uses social engineering to deliver malicious files...
Read More
CVE-2023-38831  Malware campaign target Bangladeshi Government Entities: Report

(CVE-2025-1146
CrowdStrike Fixed High-Severity TLS Vuln in Falcon Sensor

CrowdStrike has issued a security advisory for a serious TLS vulnerability, CVE-2025-1146, in its Falcon Sensor for Linux, Falcon Kubernetes...
Read More
(CVE-2025-1146  CrowdStrike Fixed High-Severity TLS Vuln in Falcon Sensor

CVE-2025-0108 & CVE-2025-0110
Palo Alto Networks Addressed High-Severity PAN-OS Vulns

Palo Alto Networks has issued advisories for two critical vulnerabilities in its PAN-OS. The vulnerabilities, CVE-2025-0108 and CVE-2025-0110, may enable...
Read More
CVE-2025-0108 & CVE-2025-0110  Palo Alto Networks Addressed High-Severity PAN-OS Vulns

Update Now
Ivanti Patches 3 Critical Flaws in Connect Secure and Policy Secure

Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC)...
Read More
Update Now  Ivanti Patches 3 Critical Flaws in Connect Secure and Policy Secure

This Adtech Company is Powering Surveillance of U.S. Military Personnel

Last year, a joint investigation revealed that a Florida-based data broker, Datastream Group, was selling highly sensitive location data that...
Read More
This Adtech Company is Powering Surveillance of U.S. Military Personnel

Intel Patched 374 Vulnerabilities in multiple products

In 2024, Intel addressed a remarkable 374 vulnerabilities across its software, firmware, and hardware products, distributing bug bounty rewards for...
Read More
Intel Patched 374 Vulnerabilities in multiple products

According to cyber threat intelligence firm Intel471, Botnet operators distribute malware by offering spamming services to send it to victims. The victims’ email addresses are bought from vendors who trade and sell data breaches. Spam and malware need to be sent from and hosted somewhere on the internet. This shows that connectivity is a basic requirement for cybercrime because criminals need internet access to commit crimes.

ISPs are important in stopping harmful activity. They accept abuse complaints from various sources, such as law enforcement agencies and security researchers. If a machine on their network is spreading malware, it can be shut down and the offender’s account can be terminated.

If a service provider doesn’t respond to an abuse request, it becomes difficult to cut cybercriminals off from the internet. This is especially true when the organizations providing connectivity are unresponsive shell companies with false registration information. These companies offer “bulletproof” hosting (BPH), which is highly desired by malicious hackers, spammers, malware distributors, and botnet operators. BPH allows cybercriminals to engage in harmful activities for a certain period of time without being shut down or facing significant risks.

Stopping BPH online is difficult. Providers use tricks to avoid being permanently removed from the internet, adapting to local laws and preventing certain illegal activities to avoid shutdown attempts.

More resilient and obfuscated network arrangements may allow for riskier types of crime, such as credit card fraud or phishing pages. BPH providers often operate in regions where law enforcement may have less interest or few resources to investigate their operations.

BPH providers make it hard to take down and report abuse by using complex technical arrangements. This includes buying IP address ranges from other bulletproof providers, using fast-flux hosting, and routing malicious traffic through changing proxy and gateway servers in different areas. BPH services can also be persistent, as some have been run by known threat actors for a decade or longer.

The goal of cybersecurity defenders is to stop cyber attacks as soon as possible. A crucial aspect is to prevent communication with malicious domains and services, which are often hosted on BPH providers. If an organization can identify the IP addresses or autonomous systems of BPH providers, they can block them from accessing their network, preventing employees from clicking on harmful links.

BPH services consistently change their ASs and IP ranges. Tracking these changes can allow defenders to quickly block access to new networks. For example, if a threat actor that has long been known to run BPH services and creates a new front company linked to a new but very small AS, it’s possible to say with high confidence that any of those IP addresses are likely to be malicious and thus safe to completely block. This type of high confidence and high-fidelity threat intelligence is possible because of the collection of historical technical intelligence and continued adversary monitoring.

The chart below shows how technical indicators related to BPH change. IOCs and IP/domains change frequently, but BPH services can still be tracked for real-time intelligence. By monitoring changes in BPH infrastructure, security teams can stay ahead of criminals and proactively prevent cyber threats. There are also more stable data points, like ASNs, front companies, and threat actors, that can be used to accurately predict malicious activity. Click here to find more.

Check Also

Zuckerberg

Everything I Say Leaks,’ Zuckerberg Says in Leaked Meeting Audio

At an all-hands meeting at Meta on Thursday, Mark Zuckerberg did not mention the company’s …

Leave a Reply

Your email address will not be published. Required fields are marked *