- Sophos reports bulletproof hosting providers renting VMmanager-based servers to cybercriminals
- Identical Windows templates leave thousands of exposed servers exploited for ransomware and malware campaigns
- Infrastructure linked to major groups (LockBit, Conti, BlackCat, Qilin, TrickBot, etc.) and sanctioned Russian hosting firm
Bulletproof hosting providers are renting cheap infrastructure to cybercriminals, providing them with virtual machines they can use in ransomware attacks, new research has found.
A report from Sophos explained how legitimate services were being abused to launch attacks at massive scales without the need to build custom infrastructure.
Whilst investigating several ransomware attacks, the team discovered many attackers were using Windows servers with identical hostnames (a name assigned to a device on a network). Since it was obvious that all those attacks couldn’t have been done by a single attacker, they dug deeper and found that the systems were actually virtual machines created from the same prebuilt Windows templates.
Abuse through bulletproof hosting
These were supplied by ISPsystem VMmanager, a legitimate virtualization platform that’s apparently widely used among hosting providers. When they create a new VM, the templates don’t randomize hostnames, resulting in thousands of unrelated servers on the internet ending up looking almost identical.
Now, Sophos says cybercriminals are exploiting this, at scale, through bulletproof hosting providers (hosting companies that don’t react to takedown requests or abuse reports) which rent out VMmanager-based servers to crooks.
Using Shodan, the researchers managed to find tens of thousands of internet-exposed servers with the same hostnames. Almost all of them (95%) came from a handful of Windows templates, and many were KSM-enabled (Windows runs free for 180 days without a license).
Sophos says the servers are linked to major malicious operations: LockBit, Conti, BlackCat (ALPHV), Qilin, TrickBot, Ursnif, RedLine, NetSupport, and many others. It also said most of the infrastructure was tied to specific hosting companies, and singled out two names – Stark Industries Solutions, and First Server Limited.
Both are apparently linked to Russian state-sponsored threat actors and have been sanctioned by the EU and UK in the past.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/TWkP7ZurZMY6uepDxsK6Ha-970-80.jpg
Source link
