- Sophos Reports Bulletproof Hosting Providers Renting VMmanager-Based Servers to Cybercriminals
- Identical Windows templates leave thousands of exposed servers to be exploited in ransomware and malware campaigns
- Infrastructure linked to large groups (LockBit, Conti, BlackCat, Qilin, TrickBot, etc.) and to sanctioned Russian-linked hosting companies
Bulletproof hosting providers rent cheap infrastructure to cybercriminals, providing them with virtual machines they can use in ransomware attacks, according to a new study.
A Sophos report explains how legitimate services are being leveraged to launch large-scale attacks without the need to build custom infrastructure.
While investigating several ransomware attacks, the team noticed that many attackers were using Windows servers with identical hostnames (the name assigned to a device on a network). Since all of these attacks could not plausibly have been carried out by a single attacker, the researchers dug deeper and found that the systems were virtual machines created from the same predefined Windows templates.
Abuse thanks to bulletproof hosting
The templates are provided by ISPsystem VMmanager, a legitimate virtualization platform widely used by hosting providers. When a new virtual machine is created from one of these templates, its hostname is not randomized, so thousands of unrelated servers across the Internet end up looking almost identical.
Sophos says cybercriminals are now exploiting this on a massive scale through bulletproof hosting providers (hosting companies that do not respond to takedown requests or abuse reports) that rent VMmanager-based servers to crooks.
Using Shodan, the researchers found tens of thousands of Internet-exposed servers sharing the same hostnames. Almost all of them (95%) came from a handful of Windows templates, and many were KMS-activated, an activation that keeps Windows running for 180 days without a purchased licence.
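As an added illustration (not code from the Sophos report, and run on constructed placeholder data rather than real Shodan output), the script below applies the same test the researchers describe: a hostname that recurs on machines at unrelated networks is flagged as a likely template default, and the flagged hosts are then counted per network to see which providers carry most of them. The hostnames, IP addresses (RFC 5737 documentation ranges) and AS numbers (RFC 5398 documentation range) are assumptions, not identifiers from the report.

```python
# Added example: not code from the Sophos report. It reproduces the reasoning
# in the article (identical hostnames across unrelated networks point to a
# shared VM template) on a constructed dataset. Hostnames, IPs (RFC 5737
# documentation ranges) and ASNs (RFC 5398 documentation range) are placeholders.
from collections import defaultdict

# Constructed banner records in the shape of an exposed-host inventory:
# (ip, asn, hostname as reported in the RDP/SMB banner). Not real scan data.
SAMPLE_RECORDS = [
    ("192.0.2.10",    64496, "WIN-TMPL-A"),   # same name on three networks
    ("192.0.2.11",    64496, "win-tmpl-a"),   # Windows names are case-insensitive
    ("198.51.100.20", 64497, "WIN-TMPL-A"),
    ("203.0.113.30",  64498, "WIN-TMPL-A"),
    ("198.51.100.21", 64497, "BUILD-SRV"),    # repeated, but inside one network
    ("198.51.100.22", 64497, "BUILD-SRV"),
    ("198.51.100.23", 64497, "BUILD-SRV"),
    ("203.0.113.31",  64498, "MAIL01"),       # unique
    ("192.0.2.12",    64496, ""),             # banner carried no hostname
]


def normalize_hostname(name):
    """Windows computer names are case-insensitive; compare them in one case."""
    return name.strip().upper()


def cluster_by_hostname(records):
    """Group records by hostname, tracking the distinct IPs and ASNs per name."""
    clusters = defaultdict(lambda: {"ips": set(), "asns": set()})
    for ip, asn, hostname in records:
        name = normalize_hostname(hostname)
        if not name:
            continue
        clusters[name]["ips"].add(ip)
        clusters[name]["asns"].add(asn)
    return clusters


def template_candidates(records, min_hosts=3, min_asns=2):
    """Hostnames seen on at least min_hosts machines spread over at least
    min_asns networks. One operator may reuse a name inside its own network;
    the same name on machines at unrelated providers is the template signal.
    Returns (hostname, host_count, sorted ASN list), largest clusters first."""
    hits = []
    for name, c in cluster_by_hostname(records).items():
        if len(c["ips"]) >= min_hosts and len(c["asns"]) >= min_asns:
            hits.append((name, len(c["ips"]), sorted(c["asns"])))
    hits.sort(key=lambda h: (-h[1], h[0]))
    return hits


def hosting_breakdown(records, template_names):
    """Count template-built hosts per ASN, the step that lets a report point at
    the hosting companies carrying most of the infrastructure."""
    wanted = {normalize_hostname(n) for n in template_names}
    per_asn = defaultdict(int)
    for _ip, asn, hostname in records:
        if normalize_hostname(hostname) in wanted:
            per_asn[asn] += 1
    return dict(per_asn)


if __name__ == "__main__":
    found = template_candidates(SAMPLE_RECORDS)
    for name, count, asns in found:
        print(f"{name}: {count} hosts across ASNs {asns}")
    print(hosting_breakdown(SAMPLE_RECORDS, [n for n, _, _ in found]))
```

The ASN threshold is the important knob: a name repeated only within one provider's network (BUILD-SRV above) is more likely an operator's own naming scheme than a template default, so it is not flagged unless min_asns is lowered to 1.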
Sophos says the servers are linked to major malicious operations, including LockBit, Conti, BlackCat (ALPHV), Qilin, TrickBot, Ursnif, RedLine and NetSupport, among many others. The company also noted that most of the infrastructure was tied to specific hosting companies and singled out two names: Stark Industries Solutions and First Server Limited.
Both have reportedly been linked to Russian state-sponsored threat actors and have previously been sanctioned by the EU and the UK.