Building an effective cyber defense requires understanding the tactics, techniques, and procedures used by cybercriminals. Much of their strategy lies in being covert. In a previous article, we discussed how attackers hide their payloads, why attack attribution is so difficult, and how reverse engineering malware helps defenders implement better security.
In this article, our team of ethical hackers explores how attackers use illicit cloud infrastructure services known as "BulletProof Hosting" to power their criminal exploits and how defenders can use this knowledge to improve their defensive security posture with practical solutions.
Let's get started:
What Are BulletProof Hosting Services?
The term "BulletProof Hosting" (BPH) refers to a cloud infrastructure-as-a-service (IaaS) provider whose services are designed to resist law enforcement efforts and thereby protect criminal online activity. While cybercrime is not the only illicit activity BPHs enable, they contribute significantly to protecting the anonymity of prolific hackers and helping them avoid accountability. The term "Bulletproof" refers to the ability to maintain operations despite efforts to shut them down.
Anyone who extensively uses cloud services is likely aware of the terms of service policies that customers must agree to and adhere to when leasing IaaS. Organizations that have experienced a breach may be keenly aware of these policies if their accounts were banned after hackers compromised their assets and used them for illegal activities.
By contrast, BPH services do not enforce strict policies about what their infrastructure can be used for or what can be stored on their servers. They strategically operate in nations with lenient or nonexistent regulation of cybercrime and no extradition treaties for international criminals. The way BPHs function makes it difficult for international law enforcement to prosecute their operators, let alone the hackers who rely on their services for anonymity and freedom from accountability.
The most prolific and notorious BPH provider, "Yalishanda" (aka "Downlow" and "Stas_vl"), is a Russian national who has been operating for well over a decade.
The Most Common Malicious Uses For BulletProof Hosting
For full context, legitimate cloud hosting services such as Alibaba, Amazon Web Services (AWS), Google Cloud, and others are also commonly abused by malicious actors to accomplish the same goals as BPHs. Hacked websites, short-term trial accounts, and stolen credit cards are some of the common ways hackers take advantage of reputable IaaS providers.
In response to this trend, AWS has implemented measures including honeypots and algorithms to detect accounts being used for malicious purposes. However, as the name suggests, the most prolific hacking groups prefer BulletProof Hosting for its reliability.
Here is a list of the most common ways cyber threat actors use BulletProof Hosting services:
Command and Control (C2) Servers: Using BulletProof Hosting to manage remote access to compromised systems or sometimes entire botnets. C2 servers relay the hacker's commands to infected devices, receive data exfiltrated from compromised systems, and can deploy ransomware.
Hosting Malware Payloads: Storing various types of malware, such as ransomware, spyware, or Trojans, all of which can be downloaded to victim devices.
Proxying Illegal Traffic: Using the hosting service to proxy or redirect illegal internet traffic, masking its origin and evading detection.
Phishing And Spam Campaigns: Hosting phishing websites designed to mimic legitimate sites, and email servers for distributing phishing emails and malspam, to steal sensitive information such as login credentials and credit card details.
Hosting Illegal Marketplaces: Providing a platform for dark web forums and illegal marketplaces dealing in drugs, weapons, stolen data, and other illicit goods and services such as exploit kits or malware as a service.
Launching DoS Attacks: IaaS can also be used for Denial of Service (DoS), Distributed Denial of Service (DDoS), and numerous other forms of cyberattack. Especially in cases such as the recent HTTP/2 DoS vulnerability dubbed the "Rapid Reset Attack", which allows high amplification, BulletProof Hosting services are well suited for the job.
Anonymizing Malicious Activities: Offering services that help cybercriminals anonymize their activities, making it difficult for authorities to trace illegal actions back to the perpetrators. For example, both VPN and Tor services facilitate anonymous online activity, helping cybercriminals avoid accountability.
Defending Against BulletProof Hosting Services
Targeting BPHs with mitigation efforts is highly attractive from a cost/benefit perspective. Security teams with insight about BulletProof Hosting services can proactively block potentially malicious activity and save their company a lot of money. Here's how:
Selling IP blocks to Infrastructure as a Service (IaaS) providers, and subsequently tracking an IP address back to its owner, is a multi-step process. Understanding it is crucial for network security, particularly for defenders aiming to evaluate and potentially block connections to suspicious IP addresses, including those associated with BulletProof Hosting services.
How IP Addresses Are Assigned
Regional Internet Registries (RIRs) are responsible for allocating IP address blocks. These organizations, which include ARIN (North America), RIPE NCC (Europe), APNIC (Asia-Pacific), LACNIC (Latin America and the Caribbean), and AFRINIC (Africa), manage the distribution of IP addresses in their respective regions. IaaS providers apply to RIRs for IP blocks. These providers must justify their need for IP addresses based on the services they offer and their projected growth.
Organizations that typically own IP address blocks include government and educational institutions, Internet Service Providers (ISPs), IaaS providers and cloud hosting services, and large IT companies such as Google, Amazon, and Microsoft. Once assigned to an organization, the IP addresses can be allocated to infrastructure components publicly accessible via the Internet, such as servers, services, and cloud resources.
Blocking BulletProof Hosting Services by IP Address
Identifying Malicious IPs:
Threat Intel Services: Defenders often use threat intelligence services and databases to identify IP addresses associated with malicious activities, including those used by BulletProof Hosting providers.
IP Reputation Lists: Many organizations maintain and share lists of IP addresses owned by a BulletProof Hosting service, hosting malicious content, or involved in other nefarious activities. These lists can be used to update firewall and network security rules.
Implementing Blocks: Once identified, these IP addresses or entire blocks can be blocked at the network perimeter, preventing connections to and from these known bad actors.
Continuous Monitoring and Updating: Since IP address usage changes over time, continuous monitoring and regular blocklist updates are necessary to ensure effectiveness and minimize false positives.
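As an added example (not code from the article), the following Python ties together the allocation lookup described under "How IP Addresses Are Assigned" and the blocking steps above: a longest-prefix match traces an IP to the most specific allocation covering it, log lines are checked against networks tagged as BulletProof Hosting, and the matching prefixes are aggregated into perimeter drop rules. The allocation feed, owner names, and log lines are constructed samples using RFC 5737 documentation ranges; the nftables rule expressions are real syntax, but the table and chain they belong in are left to the reader.

```python
import ipaddress
import re
# Constructed sample feed (not real data): RFC 5737 ranges, hypothetical owners, in the shape of an allocation / IP-reputation list.
ALLOCATIONS_CSV = """# network,owner,tag
203.0.113.0/24,ExampleHost-BPH,bulletproof
198.51.100.0/24,Example ISP,legit
198.51.100.128/25,Example Cloud Reseller,legit
192.0.2.0/29,ExampleHost-BPH,bulletproof
192.0.2.8/29,ExampleHost-BPH,bulletproof
not-an-ip,Broken Row,legit
"""
# Constructed perimeter firewall log lines (not real traffic).
CONNECTION_LOG = """2024-05-01T10:00:01Z src=10.0.0.5 dst=203.0.113.77 dport=443
2024-05-01T10:00:02Z src=10.0.0.9 dst=198.51.100.200 dport=443
2024-05-01T10:00:03Z src=192.0.2.3 dst=10.0.0.5 dport=22
"""

def parse_allocations(text):
    """Return [(network, owner, tag)]; comments and malformed rows are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        try:  # the feed is untrusted input: one bad row must not abort a blocklist refresh
            net, owner, tag = (f.strip() for f in line.split(",", 2))
            records.append((ipaddress.ip_network(net, strict=False), owner, tag))
        except ValueError:
            continue
    return records
def lookup_owner(ip, records):
    """Longest-prefix match: a sub-allocation (the reseller's /25) beats its parent block."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    hits = [r for r in records if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)
def find_bph_connections(log_text, records):
    """Flag (timestamp, ip, owner, network) for every src/dst inside a 'bulletproof' network."""
    flagged = []
    for line in log_text.splitlines():
        for ip in re.findall(r"\b(?:src|dst)=(\S+)", line):
            hit = lookup_owner(ip, records)
            if hit and hit[2] == "bulletproof":
                flagged.append((line.split()[0], ip, hit[1], str(hit[0])))
    return flagged
def nft_block_rules(records):
    """Aggregate adjacent bulletproof prefixes and emit nftables drop rules for both directions."""
    nets = list(ipaddress.collapse_addresses(r[0] for r in records if r[2] == "bulletproof"))
    return [f"ip {d} {n} drop" for n in nets for d in ("saddr", "daddr")]
```

Re-running `parse_allocations` on a refreshed feed and regenerating the rules is the "continuous updating" step; the aggregation keeps the rule set small as adjacent prefixes accumulate.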
This article reviewed the role that BulletProof Hosting (BPH) services have as facilitators of various cybercriminal activities. By operating on the fringe of legality in countries that resist law enforcement efforts, BPHs enable cyber threat actors to maintain anonymity and conduct operations ranging from hosting malware and phishing campaigns to orchestrating cyber attacks.
We examined how IP blocks are sold to IaaS providers and the significance of tracking these IPs back to their owners for enhanced network security. Reducing the risk that BPHs pose is considered a high-value cybersecurity activity. The process primarily involves identifying and blocking suspicious IP addresses that are actively associated with malicious activity or known to be owned by an entity operating on the edge of legitimacy.