The Bulletproof Hosting: Unmasking Threat Actors’ Haven

Muhammad Yaqoob Junejo
7 min read · Jul 22, 2023

Bulletproof hosting (BPH) is a web hosting service that allows customers to host any content without significant restrictions. BPH is often used for illegal activities such as hosting phishing sites, online casinos, spam distribution sites, and adult-content websites. These hosting services are more expensive than regular ones and are often found in countries with lenient laws concerning law enforcement, data and computing regulations, and extradition. This makes it easier for BPH providers to operate without interference from law enforcement.

Even if BPH providers were found to be hosting malicious content, they would either ignore abuse requests or give an early warning to customers of such requests so they have time to adapt their business to avoid suspicion. In some cases, they also provide additional features that would allow the perpetrator of these activities to hide their true identity from investigators.

The most popular BPH providers are Horizon LLC, Galaxy LLC, Partner LLC, YalishandaBlack Host, Void Griffin, Flokinet, TheOnionHost, and Shinjiru to name a few.

How Does Bulletproof Hosting Work?

Bulletproof hosting providers operate in countries that have lax or non-existent laws related to cybercrime. They rent out servers to customers who engage in illegal activities and offer them protection from law enforcement authorities by ensuring that their identities remain anonymous. Bulletproof hosting providers typically operate under multiple layers of security, including encryption, firewalls, and anti-DDoS protection.

The servers used by bulletproof hosting providers are often located in countries that do not have extradition treaties with other countries. This makes it difficult for law enforcement authorities to seize the servers or prosecute the individuals behind the illegal activities. Bulletproof hosting providers also use offshore bank accounts and anonymous payment methods to further protect their identities.

Implications of Using Bulletproof Hosting

The use of bulletproof hosting has several implications, both for the users and the broader online community. For users, bulletproof hosting provides a high level of anonymity and protection, which allows them to engage in illegal activities without fear of being caught. However, there are risks associated with using bulletproof hosting services. For example, users may be vulnerable to attacks by other cybercriminals, and their personal information may be compromised.

From a broader perspective, the use of bulletproof hosting has severe implications for online security. Websites hosted on bulletproof servers can distribute malware and engage in phishing and other types of online fraud, which can lead to significant financial losses for individuals and organizations. The use of bulletproof hosting also undermines efforts to combat cybercrime and makes it more difficult for law enforcement authorities to track down and prosecute cybercriminals.

Risks of Bulletproof Hosting

Bulletproof hosting poses significant risks to online security and the efforts of law enforcement agencies to combat cybercrime. Some of the risks associated with bulletproof hosting include:

  1. Facilitation of cybercrime: Bulletproof hosting services provide a safe haven for cybercriminals to carry out illegal activities, such as hacking, phishing, spamming, and malware distribution.
  2. Harm to online users: Cybercriminals who use bulletproof hosting services can launch attacks that compromise the privacy, security, and financial well-being of online users.
  3. Damage to legitimate businesses: Bulletproof hosting services can also harm legitimate businesses by facilitating the distribution of counterfeit goods, intellectual property theft, and illegal marketplaces.
  4. Undermining law enforcement: Bulletproof hosting services can undermine the efforts of law enforcement agencies to combat cybercrime by providing a safe haven for cybercriminals.

How can Bulletproof Hosting Services enable cybercrime?

Malicious infrastructure providers known as bulletproof hosting services (BPH) are key enablers of financially motivated cybercrimes such as intrusions, malware, phishing, ransomware, and many others.

BPH delivers an array of criminal services that, unlike legitimate hosting providers, permit and support a wide range of illicit activities. Tracking these services can be especially useful for security teams seeking to proactively prevent cyber threats. These findings give analysts insight into the infrastructure set aside for malicious activity, as well as details about the activity itself.

Consider a threat actor relying on a particular BPH service for command and control of secondary malware, such as Cobalt Strike (CS). By focusing on the BPH infrastructure, organizations can learn what they need to defend against before a possible attack. Observing changes in BPH infrastructure also allows security teams to stay ahead of criminal operators before those operators set their sights on the organization's own infrastructure.

A comprehensive look at the approach and components of BPH

Bulletproof Hosting operations structure

Dedicated bulletproof servers:

BPH providers make their infrastructure appear as legitimate as possible to avoid getting attention from law enforcement and make their servers as “takedown-proof” as possible. Cybercriminals often choose these services to host phishing, spam, and evil twin sites as they can maintain them for as long as possible.

Compromised dedicated servers:

BPH providers may choose to compromise dedicated servers, then rent these out to third parties who wish to host malicious content. However, this is mostly temporary; once the legitimate owners of the compromised server detect the anomaly, the BPH provider abandons the server to evade detection.

The cheapest alternative for most is hosting on compromised assets, although this has the downside that the hosts only remain operational for a short time. Hosting providers with in-house data centers and infrastructure are more suitable for systems requiring long-term availability.

Abused cloud-hosting services:

Given the popularity of cloud hosting, BPH providers have also been observed to host content utilizing legitimate services such as Amazon AWS. These legitimate providers may prohibit the hosting of malicious content on their servers, but some of their customers will still find ways to abuse their infrastructure. Abusive customers are only stopped if they are reported and consequently blacklisted.

Bulletproof Hosting Architecture

The diagram below illustrates how threat actors leverage the services of BPHs:

Bulletproof Hosting Architecture

Content Hosted on Bulletproof Hosting

Types of content usually hosted on Bulletproof hosts:

● Fake shopping sites

● Phishing kits

● Torrent file download sites

● Malware files

● Blackhat search engine optimization (SEO) pseudo sites

● Brute-forcing tools

● Command & Control components

● Virtual private networks (VPNs)

● Warez forums

● Files that violate the Digital Millennium Copyright Act (DMCA)

● Spam

Challenges with Bulletproof Hosting

Taking down sites on bulletproof hosting services is challenging, as many of these sites are operated in countries without the same regulatory framework as the United States, where content is strictly monitored. Several bulletproof hosting sites can be linked to activities in Eastern European nations, Russia, or China, where governmental authorities are less likely to intervene, which minimizes the risk of the host being blacklisted or shut down.

Below are some techniques used by dubious BPH owners to evade suspicion from authorities:

Fast Flux:

Fast flux is a DNS technique where IP addresses tied to a particular domain are quickly changed or swapped out to hide malicious activity from defensive measures. Once in use, the domain names tied to the quick-changing IP addresses serve as a proxy to carry out all sorts of cybercriminal activity.
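The rapid IP rotation described above is also what makes fast flux detectable from the defender's side. The following is an added example, not code from the article: it scores domains from constructed DNS observation records (timestamp, domain, TTL, A records) on distinct IP count, network spread, TTL and churn between consecutive lookups. The thresholds and the sample records are assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample resolver observations: (timestamp_s, domain, ttl_s, A records).
# Documentation-range addresses; these are made-up records, not data from the article.
OBSERVATIONS = [
    (0,   "shop-deals.example", 300,   ["203.0.113.10", "203.0.113.11"]),
    (300, "shop-deals.example", 300,   ["198.51.100.7", "192.0.2.44"]),
    (600, "shop-deals.example", 300,   ["192.0.2.91", "203.0.113.200"]),
    (900, "shop-deals.example", 300,   ["198.51.100.120", "192.0.2.17"]),
    (0,   "static-site.example", 86400, ["203.0.113.50"]),
    (300, "static-site.example", 86400, ["203.0.113.50"]),
    (600, "static-site.example", 86400, ["203.0.113.50"]),
]


def flux_metrics(observations):
    """Per domain: distinct IPs, distinct /24 networks, lowest TTL seen, and the
    fraction of consecutive lookups whose A-record sets share no address."""
    by_domain = defaultdict(list)
    for ts, domain, ttl, ips in observations:
        for ip in ips:
            ip_address(ip)  # reject malformed records early
        by_domain[domain].append((ts, ttl, frozenset(ips)))
    metrics = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r[0])
        all_ips = set().union(*(r[2] for r in rows))
        nets = {ip.rsplit(".", 1)[0] for ip in all_ips}  # IPv4 /24 prefix
        churned = sum(1 for a, b in zip(rows, rows[1:]) if a[2].isdisjoint(b[2]))
        metrics[domain] = {
            "distinct_ips": len(all_ips),
            "distinct_24s": len(nets),
            "min_ttl": min(r[1] for r in rows),
            "churn_ratio": churned / max(len(rows) - 1, 1),
        }
    return metrics


def is_fast_flux(m, max_ttl=600, min_ips=5, min_churn=0.5):
    """Heuristic thresholds (assumed): short TTL, many addresses, high churn.
    Legitimate CDNs also rotate low-TTL records, so allowlist known CDNs."""
    return (m["min_ttl"] <= max_ttl and m["distinct_ips"] >= min_ips
            and m["churn_ratio"] >= min_churn)


def suspicious_domains(observations):
    return sorted(d for d, m in flux_metrics(observations).items() if is_fast_flux(m))
```

Run it over passive-DNS or resolver logs covering at least a few TTL periods per domain; a single lookup cannot show churn.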

Hidden Data Centers:

BPH via data centers refers to hosting services that own and maintain their own hardware and servers but go to great lengths to conceal their customers' identity and location and to prevent law enforcement from shutting them down. Such services may ultimately run on hardware from a compromised service provider, or on an outfit that bribes officials or police to look the other way. Some of the world's most well-known BPH data centers are found in Ukraine, Seychelles, and Belize, where law enforcement is notorious for corruption or a lax attitude to upholding the law.

Falsified/stolen identities:

With this method, such hosts use fake or stolen identity details to purchase the IP addresses and servers for their company, hiding their real identities from law enforcement agencies.

Residential and mobile carrier IP/Proxy:

Residential IPs are the addresses ISPs assign to home subscribers, while mobile IPs are those assigned to devices on a cellular network. Bulletproof hosts commonly route traffic through them because these addresses rotate frequently between users, so ISPs and online retailers are much less likely to ban them outright.

Bribery:

BPH operators bribe local authorities and officials in countries where law enforcement is not strict in order to shield themselves from regulatory action.

Remediation

The remediation of bulletproof hosting requires a multifaceted approach that involves cooperation between law enforcement agencies, hosting providers, and online platforms. Some of the potential remedies that can be implemented include:

● Strengthening laws: Governments can enact strict laws that prohibit the provision of bulletproof hosting services and impose severe penalties on those who violate these laws.

● Collaboration with hosting providers: Law enforcement agencies can collaborate with hosting providers to identify and shut down bulletproof hosting services. Hosting providers can also implement stricter policies and procedures to prevent the use of their services for illegal activities.

● Enhancing online security: Online platforms can enhance their security measures to detect and prevent the distribution of illegal content, such as malware, spam, and phishing emails.

● Raising awareness: Raising awareness about the risks associated with bulletproof hosting can help individuals and businesses to be more vigilant and take appropriate measures to protect themselves.

Conclusion

Bulletproof hosting services pose significant risks to online security and the efforts of law enforcement agencies to combat cybercrime. Their remediation requires a coordinated effort between governments, hosting providers, online platforms, and online users. By taking proactive measures to combat bulletproof hosting, we can create a safer and more secure online environment for everyone.
