Bulletproof Hosting Services Essential for Criminal Underground Security and Anonymity
January 12, 2021 • Insikt Group®
Recorded Future analyzed current data from the Recorded Future® Platform, dark web, information security reporting, and other open-source intelligence (OSINT) sources to identify the use and prevalence of bulletproof hosting services advertised by threat actors within the criminal underground. This report expands upon findings addressed in the report “Automation and Commoditization in the Underground Economy,” following reports on database breaches, checkers and brute forcers, loaders, and crypters, credit card sniffers, banking web injects, exploit kits, and forums, marketplaces and shops. This report will be of most interest to security researchers charged with security risk management and mitigation.
Bulletproof hosting services (BPHS) provide secure hosting for malicious content and activity and assure anonymity to threat actors. This typically consists of activities commonly disallowed by legitimate hosting providers such as the hosting of malware or other stolen materials. BPHS offerings have continued to flourish across open and closed sources, providing a variety of features to aspiring actors interested in hosting a variety of potential services away from the attention of law enforcement. BPHS offerings are still consistently discussed on dark web forums and continue to be a critical tool for criminal actors attempting to anonymize both their digital footprint as well as that of their infrastructure.
Partnerships between organized cybercriminal entities such as ransomware cartels and bulletproof hosting services have persisted throughout 2020. This report provides a high-level overview of six providers offering varying degrees of services to cybercriminal entities. Unlike regular web hosting, these services are often lenient about what can be hosted on their servers, only restricting particular services if they are likely to generate abuse complaints from authorities within the country where they are hosted. Countries that continue to be popular locations for bulletproof hosting services include Russia, Ukraine, and other Commonwealth of Independent States (CIS) nations, though historically one of the largest hosting service providers, McColo, responsible for 60 percent of the world’s spam when taken down, was based in the U.S.
Bulletproof hosting providers are presented with a number of options when confronted with a notification alleging abusive behavior at one of their IP addresses. The options typically include either ignoring the request altogether or providing early notification to customers so they have time to alter their operations and avoid downtime. A key tactic for avoiding legal ramifications is a complaint-handling process that drags on to the point where the request is often abandoned by the third party.
- Bulletproof hosting services have increasingly appealed to ransomware operators attempting to avoid the attention of law enforcement.
- Prominent bulletproof hosting services with an established reputation within the cybercriminal community such as Yalishanda continue to enable the dissemination of more advanced strains of malware.
- Despite the threat of arrests and seizures of malicious infrastructure by law enforcement, bulletproof hosting service providers have continued to actively promote their services within the criminal underground throughout 2020.
- While there are many features in demand by aspiring cybercriminals when selecting a BPHS, the most popular features are those that combine client anonymity and security against law enforcement efforts.
- Cybercriminals supplement their BPHS operations by purchasing already compromised network access and reselling it via dark web/underground sources.
Section I. Background and Function of a BPHS
The term “bulletproof” refers to the ability of these services to enable criminal businesses to operate unhindered for extended periods of time while ignoring the many abuse requests likely to arrive from legitimate service providers or law enforcement entities. To keep their criminal enterprise running smoothly, threat actors can choose from a myriad of services providing bulletproof hosting and proxy services. This large volume of offerings has created a competitive landscape for bulletproof hosting providers attempting to draw attention to their specific service. There now exist several features that threat actors are very likely to consider essential when selecting a particular service, features primarily focused on enabling the actors to maintain a strong degree of anonymity and preventing their business operations from being disrupted.
To extend the longevity of their criminal enterprises, threat actors have turned to proxy and bulletproof hosting services to help obfuscate their activities and to keep them from being shut down by law enforcement. One of the greatest distinctions between bulletproof hosting service (BPHS) operations and the services offered by a “regular” web hosting provider is the leniency they grant toward the data they allow to be hosted on their servers. Previous Recorded Future research has shown that such services often use geo-spoofing techniques to create a wide pool of IPs and are commonly advertised on both entry-level and highly-technical underground sources.
Dedicated bulletproof hosting providers typically have three primary methods of creating the infrastructure that enables them to sell their hosting services to clients:
- Developing a privately-owned, in-house/custom data center;
- Leasing out commercial infrastructure for an extended period of time, or;
- Compromising assets belonging to a different set of providers, typically for activities for a shorter period of time, such as the distribution of spam.
As to the third category and how criminals typically go about compromising exposed assets or servers, actors often use a combination of techniques and purchase direct access to server assets from the same underground sources they may advertise on subsequently. Advertisements for exploits that enable actors to compromise and eventually use exposed servers for hosting purposes have been observed throughout 2020 as well, albeit to a much lesser extent than advertisements for hosting services that are already available to purchase.
Hosting services are fundamental for most, if not all, of the cybercriminal operations reported on throughout 2020 as part of Recorded Future’s automation and commoditization series studying the economy of the criminal underground. Hosting providers sell cybercriminals the means that enable them to covertly host the many forums or marketplaces that make up this underground economy in a stable and efficient manner with minimal disruption.
Since the beginning of 2020, Recorded Future has observed a consistent volume of references to actors within underground sources seeking recommendations for a new bulletproof hosting service, though analysts did observe that this was more of a tendency for actors on entry-level, English-language forums. It is likely that actors operating within high-tier forums that traditionally post content in other languages, particularly Russian, are less likely to openly recommend the hosting services they use unless incentivized, given the unnecessary risk or attention it may bring to the services they use in the long term.
Forums often devote entire sections specifically to the sale of these services or for buying compromised assets. The majority of bulletproof hosting providers indexed within the Recorded Future platform advertise on the high-tier Russian language criminal forum Exploit. The advertisements referenced in the visual below represent a sample of approximately 7,000 references to different hosting providers who have advertised on dark web and underground forums since the beginning of 2020. The market remains saturated with multiple brands, with some of the most frequently referenced services indexed within the Recorded Future platform detailed in the next section. However, this market can be differentiated between top-tier providers and low-tier ones, who mostly sell compromised RDP or SSH accesses with no guarantee that the access will last.
Threat actors know that these services are offered in jurisdictions outside the purview of many law enforcement agencies, relying on a model that promises not to comply with legal requests that would either disrupt their operations or result in arrests. Some countries offer a middle-ground option as well, allowing administrators of these potential services to establish legitimate businesses within the country in question and only requiring routine check-ins or disclosures of business operations to government officials. Criminal forums, Jabber servers, banking trojans, and other criminal operations could not exist without hosting, and individuals who use these services could not use them securely without some sort of network anonymity.
Bulletproof hosting via these underground advertisements serves a variety of purposes. Prominent examples of these services include the following:
- Ransomware blogs
- Malware C2s
- Child exploitation content (most of the top-tier services refuse to host such material)
- Shops selling personally identifiable information (PII)
- Dark web forums and marketplaces
- Chat services
- Brute-force attack tools
- Botnet infrastructure
- Exploit kits
- Spamming services
Section III. Key BPHS Features
The following section details several features that many modern bulletproof hosting services commonly advertise and consider staples for a reliable BPHS capable of supporting long-term criminal activity. The following features are often designed to reliably achieve a variety of goals. This typically includes features that either obfuscate the buyers’ information or infrastructure from law enforcement entities or ensure that the service continues to operate even in the event that a portion of the infrastructure is disrupted or seized.
Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. Fast-flux hosting services continue to hinder takedown efforts against nefarious storage services related to malware storage or underground marketplaces, allowing infrastructure like C2 domains to be constantly cycled through an ever-changing series of IP addresses. Fast flux-backed services are traditionally more expensive than those that do not offer the feature, and they support threat actors across a variety of use cases, such as serving exploit kits. Members of high-tier Russian-language forums, such as Exploit[.]in, have consistently continued to advertise fast-flux hosting services over VPN configurations, and servers located in every corner of the globe continue to remain a vital commodity within underground communities. Providers of fast flux-based infrastructure also regularly rely upon a number of cloud services to procure their infrastructure, including common services such as Microsoft Azure and Google Cloud.
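One way a defender can surface fast-flux behaviour from passive DNS data, as an added example that is not part of the original report: score each domain on short TTLs, the number of distinct resolved IPs, and how many distinct /24 networks those IPs span (a stand-in for hosting-network diversity when no ASN data is at hand). The resolution records, domains and thresholds are constructed for illustration.

```python
"""Flag fast-flux candidates from passive DNS resolution records (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records: (timestamp_s, domain, resolved_ip, ttl_s).
# Domains are placeholders; addresses come from documentation ranges.
SAMPLE_RESOLUTIONS = [
    (0,    "static-cdn.example", "203.0.113.10", 3600),   # stable host, long TTL
    (600,  "static-cdn.example", "203.0.113.10", 3600),
    (1200, "static-cdn.example", "203.0.113.11", 3600),
    (0,    "cdn-lowttl.example", "203.0.113.1",  60),     # low TTL, many IPs,
    (60,   "cdn-lowttl.example", "203.0.113.2",  60),     # but one network:
    (120,  "cdn-lowttl.example", "203.0.113.3",  60),     # ordinary load balancing
    (180,  "cdn-lowttl.example", "203.0.113.4",  60),
    (240,  "cdn-lowttl.example", "203.0.113.5",  60),
    (0,    "flux-c2.example",    "198.51.100.5",  120),   # low TTL, IPs cycle
    (120,  "flux-c2.example",    "192.0.2.77",    120),   # across unrelated networks
    (240,  "flux-c2.example",    "203.0.113.200", 120),
    (360,  "flux-c2.example",    "198.51.100.99", 120),
    (480,  "flux-c2.example",    "192.0.2.150",   120),
    (600,  "flux-c2.example",    "203.0.113.45",  120),
]


@dataclass
class DomainStats:
    observations: int = 0
    ips: set = field(default_factory=set)
    networks: set = field(default_factory=set)  # distinct /24 prefixes seen
    ttl_total: int = 0

    @property
    def mean_ttl(self) -> float:
        return self.ttl_total / self.observations if self.observations else 0.0


def summarize(records):
    """Aggregate per-domain IP, network and TTL statistics."""
    stats = defaultdict(DomainStats)
    for _ts, domain, ip, ttl in records:
        s = stats[domain]
        s.observations += 1
        s.ips.add(ip)
        s.networks.add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
        s.ttl_total += ttl
    return dict(stats)


def is_fast_flux(s: DomainStats, max_ttl=300, min_ips=5, min_networks=3) -> bool:
    """Heuristic: short TTL AND many distinct IPs AND spread across networks.
    Requiring network diversity keeps a single-network CDN pool from being flagged."""
    return s.mean_ttl <= max_ttl and len(s.ips) >= min_ips and len(s.networks) >= min_networks


def find_fast_flux(records, **thresholds):
    """Return the sorted list of domains whose resolution pattern looks like fast flux."""
    return sorted(d for d, s in summarize(records).items() if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    print(find_fast_flux(SAMPLE_RESOLUTIONS))  # ['flux-c2.example']
```

In production the /24 proxy should be replaced with ASN lookups, and the thresholds tuned against the organisation's own resolver logs.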
Border Gateway Protocol
Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the internet. BGP route hijacking is an attack vector that temporarily spreads incorrect routing information as a way of intercepting network traffic in transit. Such attacks pose a risk to the ability of a network service provider to guarantee the safe delivery of content and data.
BGP targeting has positioned ISPs, or any hosting provider, as a target for both fraudsters and espionage operators. Most BGP routing incidents occur due to operator error, with any instance of BGP misrouting likely to have consequences for the traffic attempting to reach the victim AS. The misrouting can effectively “blackhole” traffic, or prevent a group of users from reaching a particular service. This is detrimental in the case of underground bulletproof providers offering a service to their customers whose financial success is contingent on maintaining operations. If the traffic is not blackholed by the offending AS, it may be intercepted and read, in a very noisy, but effective, surveillance operation. This could theoretically provide security or law enforcement professionals with insight into the ownership of a particular criminal BPHS. Short-term leases of hosting resources from hosting providers remain common, with the providers reselling said resources from providers they consider to be suitable for their business purposes.
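The route monitoring a network operator would run to catch the misrouting described above, as an added example that is not part of the original report: compare observed announcements against a table of expected origin ASNs (the kind of data a ROA or IRR snapshot provides) and raise an alert when a prefix, or a more-specific sub-prefix of it, is originated by an unexpected AS. The prefix table, AS numbers and announcements are constructed for illustration.

```python
"""Detect origin and more-specific BGP hijacks against an expected-origin table (added example)."""
import ipaddress

# Constructed expected-origin table: prefix -> set of ASNs allowed to originate it.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/24": {64501},
}

# Constructed observed announcements: (prefix, AS_PATH). By BGP convention the
# origin AS is the last element of the path.
OBSERVED = [
    ("203.0.113.0/24",   (64496, 64500)),  # legitimate origin
    ("203.0.113.128/25", (64496, 64666)),  # more-specific from a foreign AS
    ("198.51.100.0/24",  (64497, 64666)),  # same prefix, wrong origin
    ("198.51.100.0/25",  (64497, 64501)),  # more-specific by the rightful origin (traffic engineering)
    ("192.0.2.0/24",     (64498, 64700)),  # no expectation recorded: not checked
]


def covering_prefixes(prefix, expected):
    """Expected prefixes that equal or contain `prefix`."""
    net = ipaddress.ip_network(prefix)
    return [p for p in expected if net.subnet_of(ipaddress.ip_network(p))]


def check_announcements(expected, observed):
    """Return (prefix, origin_asn, kind) for every announcement whose origin is
    not permitted by a covering expected prefix. kind is 'origin-mismatch' when
    the announced prefix equals the expected one and 'more-specific-hijack' when
    a sub-prefix is announced, which would win by longest-prefix match."""
    alerts = []
    for prefix, as_path in observed:
        origin = as_path[-1]
        for covering in covering_prefixes(prefix, expected):
            if origin in expected[covering]:
                continue
            kind = "origin-mismatch" if prefix == covering else "more-specific-hijack"
            alerts.append((prefix, origin, kind))
    return alerts


if __name__ == "__main__":
    for alert in check_announcements(EXPECTED_ORIGINS, OBSERVED):
        print(alert)
```

A path check against expected upstream neighbours would catch hijacks that forge the rightful origin ASN; that case is out of scope here.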
Privacy and Anonymity
Customer privacy, particularly the ability to submit anonymous payments, remains another critical feature criminals expect from any bulletproof hosting provider that claims to provide reliable services for illegal activity. Other unique service offerings within the criminal underground can provide a strong degree of privacy or anonymity support to a particular bulletproof hosting provider, including advertisements tied to the sale of SOCKS proxies or paid censorship bypassing services. Cryptocurrencies continue to be a major form of payment to hosting or DNS service providers including those who do not advertise their services as “bulletproof.” The adoption of cryptocurrencies by hosting providers includes legitimate providers that offer their services to journalists or whistleblowers attempting to protect their identities. While Bitcoin remains the predominant cryptocurrency used to pay for criminal bulletproof hosting services, Recorded Future has observed advertisements accepting other forms of the digital currency including Ethereum and Monero among other currencies.
In addition to the anonymization of payments submitted to the providers, another layer of privacy highly desired by aspiring criminals within the underground when selecting a bulletproof hosting service is its capability to anonymize traffic. Many threat actors use either a VPN, VPS, or a bulletproof hosting provider to not only obfuscate their geographical location but also change originating IPs as needed. Custom services that rely on a combination of network connections distributed around the globe with other anonymized platforms such as Tor are highly desired for their ability to hinder efforts by law enforcement investigators. The speed of connection can be another factor in driving the price of a particular bulletproof hosting service and is likely to be highly desired by actors conducting other specific forms of threat activity reliant on a faster connection such as a brute-force attack. In some cases, the need for anonymity has to be counterbalanced with the need for speed as infrastructure in some of the safer regions may not be up to the level needed for operations.
Custom Data Centers
Not every hosting provider manages data centers that they are in direct control or ownership of, opting instead to act as resellers of systems leased from other internet service providers or hosting services. Custom infrastructure developed in-house by criminal providers is likely to continue to be more popular in countries where hosting certain criminal content is not a priority for law enforcement entities. In-house servers or data centers are distinct from other infrastructure that may be owned by another entity but were compromised by criminal actors to use within a bulletproof hosting service they offer. Custom data centers typically refer to servers or systems located on the privately owned property of individual actors offering to sell services administered through these systems to criminal entities. This setup can range from a rack of servers in a home to a private military bunker, as demonstrated by admins affiliated with the dark web marketplace Wall Street Market who were arrested in 2019.
Resistant to Law Enforcement or Abuse Requests
Bulletproof hosting providers are presented with a number of options when confronted with allegations of abusive behavior at one of their IP addresses. The options typically include either ignoring the request altogether or providing early notification to customers so they have time to alter their operations and avoid downtime. A key tactic for avoiding legal ramifications is a complaint-handling process that drags on to the point where the request is often abandoned by the third party. It is in the face of such requests that the more credible bulletproof hosting providers are ultimately tested on many of their claims to be resistant to the efforts of law enforcement and capable of ensuring abuse requests are unable to result in prolonged periods of downtime. One critical factor that differentiates the providers truly immune to such requests is a strong understanding of, or working legal relationship with, legitimate hosting providers in the countries from which the abuse requests originate. Bulletproof hosting providers have historically evaded prosecution or jail time as a direct result of a working relationship with a combination of personnel within government or law enforcement agencies directly responsible for investigating their crimes. In attempts to avoid this scenario, some bulletproof hosting providers will refuse to allow the sale or promotion of certain services if they know it to be a priority for law enforcement investigators within a particular country. For example, investigative reports detailed by Trend Micro mention that Yalishanda was likely operating their infrastructure out of China, a country more tolerant of certain spamming operations than political content or satire directed at domestic officials.
Section IV. Outlook and Mitigation Strategies
There has been, and is likely to continue to be, a trend of ransomware operators purchasing already compromised network access from cybercriminals. Cybercriminals are likely to continue purchasing already compromised network access and reselling it via dark web/underground sources to supplement BPHS operations. Common cases for using bulletproof hosting services are likely to continue to include the hosting of command and control infrastructure, the distribution of phishing or spam messaging, and the hosting of other online fraud activities. As noted previously, ransomware operators affiliated with the Dharma and Phobos strains of malware that operate around a RaaS service model have already been observed using the volhav provider in 2020.
Bulletproof hosting services will often advertise the capability to migrate infrastructure as a key component of their service, enabling interested parties to choose and register their own subnet of IP addresses. Though full mitigation of malicious services hosted within countries more inclined to allow criminal actors to conduct their underground business is virtually impossible without the intervention of regulatory or law enforcement agencies, the Recorded Future Platform can assist in the monitoring of malicious service providers likely disseminating data linked to these businesses (regardless of whether the traffic is unintentional). The crux of this monitoring is often contingent on entire network allocations and the high volumes of malicious services they become affiliated with becoming unilaterally blocklisted. Recorded Future recognizes that this is not always a viable option, particularly as criminal actors have grown reliant on renting rather than owning this hosting infrastructure.