- Sophos Reports Bulletproof Hosting Providers Rent VMmanager-Based Servers to Cybercriminals
- Identical Windows templates leave thousands of exposed servers looking alike, and those servers are being used in ransomware and malware campaigns
- Infrastructure linked to major groups (LockBit, Conti, BlackCat, Qilin, TrickBot, etc.) and to a sanctioned Russian hosting company
Bulletproof hosting providers are renting cheap infrastructure to cybercriminals, providing them with virtual machines they can use in ransomware attacks, according to new research.
A Sophos report explained how legitimate services were abused to launch attacks on massive scales without the need to build custom infrastructure.
While investigating several ransomware attacks, the team discovered that many attackers used Windows servers with identical host names (a name assigned to a device on a network). Since it was obvious that all of those attacks couldn’t have been carried out by a single attacker, they dug deeper and discovered that the systems were actually virtual machines created from the same pre-built Windows templates.
Abuse through bulletproof hosting
These were provided by ISPsystem VMmanager, a legitimate virtualization platform that is apparently widely used among hosting providers. When creating a new virtual machine, the templates do not randomize the hostnames, resulting in thousands of unrelated servers on the Internet ending up looking almost identical.
Now, Sophos says that cybercriminals are exploiting this, at scale, through bulletproof hosting providers (hosting companies that do not react to takedown requests or abuse reports) that rent VMmanager-based servers to criminals.
Using Shodan, the researchers found tens of thousands of Internet-exposed servers sharing the same host names. Almost all of them (95%) came from a handful of Windows templates, and many were KMS-enabled (Windows runs for 180 days without a licence).
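The signal Sophos used here, a handful of hostnames recurring across thousands of unrelated IP addresses, is one a defender can reproduce against their own scan data or inbound connection logs. The following is an added illustration, not code from Sophos or from the report; it parses a constructed set of scan records (the hostnames and addresses are invented placeholders, not the ones Sophos observed), measures how much of the population a few hostnames account for, derives a list of likely template-default hostnames, and uses that list to flag matching entries in a constructed firewall log.

```python
from collections import Counter, defaultdict

# Constructed sample of Internet-scan results, one "ip hostname" pair per line.
# Both the addresses (documentation ranges) and the hostnames are invented
# placeholders; they are not the hostnames from the Sophos report.
SAMPLE_SCAN = """\
203.0.113.10 WIN-TEMPLATE-A
203.0.113.11 WIN-TEMPLATE-A
203.0.113.12 WIN-TEMPLATE-A
203.0.113.13 WIN-TEMPLATE-A
203.0.113.14 WIN-TEMPLATE-A
203.0.113.15 WIN-TEMPLATE-A
203.0.113.16 WIN-TEMPLATE-A
203.0.113.17 WIN-TEMPLATE-A
203.0.113.18 WIN-TEMPLATE-A
198.51.100.20 WIN-TEMPLATE-B
198.51.100.21 WIN-TEMPLATE-B
198.51.100.22 WIN-TEMPLATE-B
198.51.100.23 WIN-TEMPLATE-B
198.51.100.24 WIN-TEMPLATE-B
198.51.100.25 WIN-TEMPLATE-B
192.0.2.30 srv-template-c
192.0.2.31 srv-template-c
192.0.2.40 mail01
192.0.2.41 db-prod
192.0.2.42 web-01
"""

# Constructed firewall log lines in a simple key=value form (assumed format).
SAMPLE_LOG = [
    "2024-01-01T00:00:01Z src=203.0.113.10 host=WIN-TEMPLATE-A action=rdp_attempt",
    "2024-01-01T00:00:02Z src=192.0.2.40 host=mail01 action=smtp",
    "2024-01-01T00:00:03Z src=198.51.100.21 host=win-template-b action=rdp_attempt",
]


def parse_scan(text):
    """Return a list of (ip, hostname) tuples; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        records.append((parts[0], parts[1]))
    return records


def hostname_counts(records):
    """Case-insensitive count of how many distinct IPs present each hostname."""
    ips_by_host = defaultdict(set)
    for ip, host in records:
        ips_by_host[host.lower()].add(ip)
    return Counter({host: len(ips) for host, ips in ips_by_host.items()})


def top_share(counts, k):
    """Fraction of all hosts accounted for by the k most common hostnames.

    A value close to 1.0 for small k is the 'almost all from a handful of
    templates' pattern described in the report."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(c for _, c in counts.most_common(k)) / total


def template_candidates(counts, min_hosts):
    """Hostnames shared by at least min_hosts unrelated IPs: likely template defaults."""
    return sorted(host for host, c in counts.items() if c >= min_hosts)


def flag_log_lines(log_lines, candidates):
    """Return the log lines whose host= field is a template-default hostname."""
    wanted = set(candidates)
    flagged = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)
        if fields.get("host", "").lower() in wanted:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    counts = hostname_counts(parse_scan(SAMPLE_SCAN))
    print(f"top-2 hostnames cover {top_share(counts, 2):.0%} of hosts")
    cands = template_candidates(counts, min_hosts=3)
    print("template-default candidates:", cands)
    for line in flag_log_lines(SAMPLE_LOG, cands):
        print("FLAGGED:", line)
```

The threshold in `template_candidates` is the only tuning knob: on real scan output it should be set well above the handful of genuinely identical hostnames a single organisation might legitimately expose, and the resulting list is better used to enrich alerts (a login attempt from a host carrying a known template default deserves a closer look) than to block outright, since legitimate customers of the same hosting platforms carry the same names.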
Sophos says the servers are linked to major malicious operations: LockBit, Conti, BlackCat (ALPHV), Qilin, TrickBot, Ursnif, RedLine, NetSupport and many others. The report also said that most of the infrastructure was tied to specific hosting companies and highlighted two names: Stark Industries Solutions and First Server Limited.
Both are reportedly linked to Russian state-sponsored threat actors and have been sanctioned by the EU and the UK in the past.