- Sophos reports that bulletproof hosting providers are renting VMmanager-based servers to cybercriminals
- Identical Windows templates leave thousands of near-identical servers that are then exploited for ransomware and malware campaigns
- Infrastructure linked to major groups (LockBit, Conti, BlackCat, Qilin, TrickBot, etc.) and sanctioned Russian hosting company
Bulletproof hosting providers are leasing cheap infrastructure to cybercriminals and giving them virtual machines to use in ransomware attacks, new research has found.
A report by Sophos explained how legitimate services were misused to launch attacks on a massive scale without the need to build custom infrastructure.
While investigating several ransomware attacks, the team noticed that many attackers used Windows servers with identical hostnames (the name assigned to a device on a network). Since it was clear that all of these attacks could not have been carried out by a single attacker, they dug deeper and found that the systems were actually virtual machines created from the same pre-built Windows templates.
Abuse through bulletproof hosting
These were provided by ISPsystem VMmanager, a legitimate virtualization platform that is apparently widely used among hosting providers. When creating a new VM, the templates do not randomize hostnames, resulting in thousands of unrelated servers on the Internet ending up looking almost identical.
Now Sophos says cybercriminals are exploiting this on a large scale through bulletproof hosting providers (hosting companies that don’t respond to takedown requests or abuse reports), which rent out VMmanager-based servers to bad guys.
Using Shodan, the researchers managed to find tens of thousands of Internet-exposed servers with the same hostnames. Almost all (95%) came from a handful of Windows templates, and many were KMS-enabled (which lets Windows run free for 180 days without a license).
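The hunting technique described above, grouping exposed hosts by hostname and treating a name that recurs across many unrelated organisations as a template fingerprint rather than one owner's fleet, can be reproduced on any scan export or asset inventory. The following is an added illustration, not code from Sophos or from the report; the records, hostnames and organisation names are constructed placeholders, and the thresholds are assumptions a defender would tune to their own data:

```python
from collections import defaultdict

# Constructed sample records in the shape of a scan or inventory export:
# (ip, hostname, organisation). All values are invented placeholders.
SAMPLE_RECORDS = [
    ("203.0.113.10", "WIN-TEMPLATE-A", "Hoster One"),
    ("203.0.113.11", "WIN-TEMPLATE-A", "Hoster Two"),
    ("198.51.100.5", "WIN-TEMPLATE-A", "Hoster Three"),
    ("198.51.100.9", "WIN-TEMPLATE-B", "Hoster One"),
    ("192.0.2.7", "WIN-TEMPLATE-B", "Hoster Four"),
    ("192.0.2.20", "corp-fileserver-01", "Example Corp"),
    ("192.0.2.21", "corp-fileserver-02", "Example Corp"),
    ("203.0.113.99", "build-agent-7", "Example Corp"),
]


def cluster_by_hostname(records):
    """Group records by normalised hostname.

    Returns {hostname: {"ips": set_of_ips, "orgs": set_of_organisations}}.
    """
    clusters = defaultdict(lambda: {"ips": set(), "orgs": set()})
    for ip, hostname, org in records:
        key = hostname.strip().lower()
        clusters[key]["ips"].add(ip)
        clusters[key]["orgs"].add(org)
    return clusters


def template_fingerprints(records, min_hosts=2, min_orgs=2):
    """Return {hostname: host_count} for names that look like template defaults.

    A hostname shared by several hosts that belong to several different
    organisations is unlikely to be one administrator's naming scheme; it is
    far more likely an unrandomised default baked into a VM template.
    The thresholds are assumptions to be tuned against real data.
    """
    fingerprints = {}
    for name, cluster in cluster_by_hostname(records).items():
        if len(cluster["ips"]) >= min_hosts and len(cluster["orgs"]) >= min_orgs:
            fingerprints[name] = len(cluster["ips"])
    return fingerprints


def share_from_top_templates(records, top_n):
    """Fraction of all hosts whose hostname is among the top_n largest clusters.

    This is the kind of figure behind a statement such as "95% came from a
    handful of templates".
    """
    clusters = cluster_by_hostname(records)
    sizes = sorted((len(c["ips"]) for c in clusters.values()), reverse=True)
    total = sum(sizes)
    return sum(sizes[:top_n]) / total if total else 0.0


def is_template_host(hostname, fingerprints):
    """Check a single host (e.g. the reverse name of an inbound connection)
    against the fingerprint set produced by template_fingerprints()."""
    return hostname.strip().lower() in fingerprints


if __name__ == "__main__":
    fps = template_fingerprints(SAMPLE_RECORDS)
    print("template-like hostnames:", fps)
    print("share of hosts in top 2 clusters:", share_from_top_templates(SAMPLE_RECORDS, 2))
    print("WIN-TEMPLATE-A flagged:", is_template_host("WIN-TEMPLATE-A", fps))
```

The organisation column is what separates a template fingerprint from a legitimate fleet: two file servers under one company sharing a naming pattern is normal, while the same hostname appearing under several hosters is not. In practice the organisation would come from ASN or WHOIS data attached to the scan record.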
Sophos says the servers are linked to major malicious operations: LockBit, Conti, BlackCat (ALPHV), Qilin, TrickBot, Ursnif, RedLine, NetSupport and many others. It also said most of the infrastructure was tied to specific hosting companies, highlighting two names – Stark Industries Solutions and First Server Limited.
Both are apparently linked to Russian state-sponsored threat actors and have previously been sanctioned by the EU and the UK.