CyberWire Daily - Bulletproof hosting (BPH) and how it powers cybercrime. [Research Saturday]
Episode Date: April 24, 2021
Guest Jason Passwaters of Intel 471 joins us to discuss his team's research into bulletproof hosting (BPH). The research team at Intel 471 defined what a typical BPH service offers and how these services can be stopped in order to limit the damage they do to enterprises, businesses and digital society itself. They examined some popular malware families that actors host or leverage via BPH services. While much more goes into a cybercriminal's full operation, it would be vastly more difficult to pull off without the ability to host malware and operate with impunity. Finally, they listed some of the BPH providers that are firmly entrenched in the cybercrime underground and how they give support to other cybercriminal enterprises. By recognizing their behaviors, security teams can begin to take measures to figure out who the actors are, how they operate and what their infrastructure looks like. By doing so, organizations can begin to uncover ways to proactively counter maliciously used infrastructure before criminals have a chance to launch their attacks. The blog posts can be found here: Hiding in plain sight: Bulletproof Hosting's dueling forms; Bulletproof hosting: How cybercrime stays resilient; Here's who is powering the bulletproof hosting market
Transcript
You're listening to the CyberWire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers
and analysts tracking down threats and vulnerabilities, solving some of the hard
problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
I guess in its kind of rawest definition, it's really just infrastructure that is used for malicious purposes.
That's Jason Passwaters. He's COO at Intel 471. We're discussing their research on bulletproof hosting.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise. With an 18% year-over-year increase in ransomware attacks and a $75 million record
payout in 2024, these traditional security tools expand your attack surface with public-facing
IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink
your security. Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
keep it up and running longer, and then they can make adjustments if there's any kind of takedown attempts. But Bulletproof Hosting as a service is kind of broader in the sense that they provide anything from domain registration, server administration, stuff like that, help desk,
as well as most services now are providing not only like back-end infrastructure,
but also a front-end kind of reverse proxy net that serves as a protection layer.
So it's kind of more of a broader or a larger business model.
So in the past, if someone wanted to do this sort of thing, they would tend to roll their own and find someone who'd be willing to let them
hook their own server up to the internet?
Yeah, I mean, bulletproof hosting has been around since cybercrime has been around.
If you go back to the mid-2000s, some of the same actors in the game today were back then doing the same.
And they would just have their infrastructure in hard-to-reach places and hard-to-identify different things they were doing to hide things.
And over time, with takedowns, with things that have exposed how they operate,
they have evolved and made changes.
And that's why you see that two-sided setup
where they've got the back end of a structure
and they'll have a reverse proxy net or some kind of botnet that sits in front as well.
Well, let's go through some of the things that you've covered here in the research.
One of the highlights here is you talk about the power of fast flux. Can you take us through
what exactly does that mean? Yeah, so the fast flux has been around for quite some time. And
essentially what it's doing is there's two types, main types.
The first is kind of VPS-based,
basically servers that are set up with different providers.
And the bad guys will leverage automation
to rotate the domains across that pool of IP addresses.
They've got another type.
It's more bot-based.
So malware-infected machines are acting as proxies.
And they'll rotate the domain names that are associated
across all of those IPs at some high frequency
to help add some resilience to identifying the infrastructure
and takedown and stuff like that.
Help me understand, because they're rotating these quickly,
I mean, in a matter of minutes, right?
Yeah, in some cases it could be minutes,
but in the case of when you have somebody that's doing more,
like one provider specifically abuses cloud providers
and he maintains a huge pool of IP addresses
and he'll rotate the domains at different frequencies
and they won't necessarily be super fast
and it might be as long as that instance stays alive
until the cloud provider identifies it
and takes it down, and then another one takes its place.
In the case of FastFlux, when there's bots involved,
they're actually having a small time to live on the DNS record side
so that it automatically changes.
You have a pool of IP addresses that are within seconds.
It could be 90 seconds, it could be a little bit longer changing across the entire botnet.
Well, help me understand.
Wouldn't they have issues with propagation with the domains,
the propagation of the alignment of the domain name with the IP address?
Wouldn't there be a lag with that, or is that not really an issue these days?
No, I don't think it's an issue these days.
That time to live helps with the propagation
as far as how DNS works and stuff.
It's been pretty resilient.
It's been around for a while.
They really have two versions on the bot side.
There's double flux, and then there's just regular fast flux.
The double flux is even more resilient
because the name servers themselves
that you're asking for resolution
also are on the botnet as well.
So you've got not only the bots that are dealing with the A records,
which is domain-to-IP mapping,
but it's also the NS records,
which is the name servers used to resolve it.
So they're also kind of fluxing as well,
so it makes it twice as hard sometimes.
And this is a tough one to stop, yes?
Yep, very much.
Especially when, right now,
I think there's only one actual double-flux hosting framework
that's out there for Bulletproof hosting that we're aware of.
They leverage hard-to-reach places as far as core infrastructure.
Even the bots that are on the front end, if you will,
you don't see them as much in the United States.
You don't see them in Canada and different countries.
You'll see it a lot in, you know,
you'll see it in Ukraine and Romania. And the purpose is just to kind of proxy back to
the kind of back end.
Well, and I mean, that transitions into sort of the physical location
of the data centers themselves, which is a big part of that. I mean, they're setting these things
up in places that have a certain amount of flexibility
when it comes to law enforcement, I suppose.
Yeah, for sure.
I mean, there's kind of a range.
You know, you'll have some providers
that just don't have the capabilities to respond
and, you know, they're not necessarily bad
or partaking in the activity.
They just don't know and they don't know how to respond
if they do figure it out.
And then the full other side would be more providers
that have their quote data centers.
And we've seen a couple of those
where they have all their own core infrastructure
even down to having their own AS, autonomous system number,
their own prefixes and companies that kind of associate with this infrastructure.
And so what can the rest of the online community do
to try to tamp this down?
I think it's really tracking this kind of activity,
the threat actors associated with it.
The way it can be beneficial is if you can map out the infrastructure
and tie it back is you kind of go back from a single domain
or a single IP address and you can go up the chain
to a net block or a prefix, a whole group of IP addresses.
If you've associated that with, say, a bulletproof hosting service,
you've got kind of swaths of space that you can block or alert to
once you have a confidence in that linking back
to a malicious service.
And then to be proactive, you could look at the AS level
and proactively monitor BGP messages
to identify new prefixes or new blocks of IPs
that come up under that infrastructure when it happens.
And then proactively alert to that if you see it on your network
instead of just kind of whackable with single IP addresses sometimes.
The reverse proxy net or the fast flux stuff, it's a little bit harder.
It is going to be single IPs.
And if you have vendors,
obviously they can provide that kind of stuff. It would be more advanced type tracking and research
to kind of see that.
Can you give us a sense of the kind of spectrum of offerings
that are out there?
I mean, are there varying degrees of bulletproofness
depending on what people need?
Yep.
It depends on basically what people need
as far as the activity they're doing.
They've got some very noisy stuff
that is going to be maybe high bandwidth needs.
They have solutions for that.
If they're going to need, just like I said, that kind of protection layer,
let's take a ransomware blog, for example.
They might hide it behind one of these fast flux setups.
Now, if you need core infrastructure, say C2 infrastructure
that needs to sit on an actual server somewhere,
they'll have backend hosting for that as well.
And that'll typically be in hard to reach places
that we've seen, obviously Russia, parts of Ukraine
or Eastern Ukraine is a big one sometimes
because it's a bit of a contested area right now
and hard to reach.
And I think it's Transnistria between Moldova and Ukraine.
That's a popular place as well.
Yeah, folks have other things on their minds, I suppose,
than chasing down these servers.
Yep.
Yeah.
So to what degree do these have the attention of law enforcement?
I mean, there's this story not long ago about the cyber bunker,
which was a very dramatic kind of thing.
I mean, are there takedowns of these?
Is this, like so many things, one of those games of whack-a-mole?
I think it definitely is on the radar of law enforcement.
Every time you see the same infrastructure pop up
or the same kind of core infrastructure pop up with different stuff,
it's tough to, I think, quantify the significance
that, say, something like a bulletproof hoster might play
across cybercrime in general.
So that's tough.
But I do think that there is a tension.
There are takedowns.
I mean, there's a number of takedowns that have happened.
You know, Avalanche Botnet was one.
One of the bulletproof hosting services in Ukraine, SoSweet, that was another one.
And it's interesting because when you take down a core enabler like this, or you impact a core enabler, it has a reverberating effect across different aspects of cybercrime.
What happens is, even in the marketplace that we watch and track,
you'll see that manifest itself with the service themselves
doing damage control.
You'll see it with other malicious hosting providers
providing specials and basically saying,
hey, sorry for my competition's situation.
We feel for him, but we're offering a special.
And then you see it with actors that are complaining.
Because when infrastructure suddenly goes down,
everybody starts to complain about why I can't access my servers
or why all my ops are pretty much paused.
So it's interesting to see that.
So you see that kind of wider effect.
And I think the point is that when you affect a core enabler like this,
it has deeper, probably more lasting impact.
Do the different providers have varying degrees of reputation
or some known for their uptime?
Do all of those apply to these folks as well?
Yeah, absolutely. Reputations are maintained in the marketplace.
If you don't have support personnel that are interacting with
the market and the clients,
you're going to get dinged for that.
If uptime is bad, you're going to get dinged for that.
It's just like any other hosting service.
It has all the same challenges, from dealing with customers and clients
to scaling the business, you name it.
Our thanks to Jason Passwaters from Intel 471 for joining us.
We'll have links to their research on bulletproof hosting in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
The CyberWire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.