The Russian bulletproof hosting provider Proton66 was observed conducting malware campaigns that compromised WordPress sites and then leveraged them to target Android devices.

Starting on Jan. 8, Trustwave SpiderLabs observed Proton66 ramping up mass scanning, credential brute forcing and exploitation attempts. Trustwave researchers documented the activity in a two-part blog. Part 1 covered ransomware-related exploitation by threat actors associated with SuperBlack ransomware, such as Mora_001, while part 2 focused on the WordPress exploits and an XWorm campaign that targeted Korean-speaking chat rooms.

Security experts said that teams should block traffic from bulletproof hosting providers, because such providers tend to host services run by cybercriminals. Bulletproof hosting refers to internet hosting services designed to resist requests from law enforcement and other authorities to remove illegal or harmful content.

"The crux of this is that most enterprises should be blocking sources of bulletproof hosting due to the risks associated with the maliciousness of their services," said Lawrence Pingree, vice president at Dispersive. "None of this is surprising or new; it's always been critical to filter sources and jurisdictions that lack proper enforcement online."

Pingree explained that bulletproof hosting providers tend to offer their services with no policies on customer monitoring or liability, and host in countries that take a more neutral stance on law enforcement or have a "don't ask, don't tell" style policy on hosting.

Patrick Tiquet, vice president, security and architecture at Keeper Security, said the broad range and intensity of the cyberattacks carried out by Proton66 demonstrate why organizations need layered cybersecurity defenses. Tiquet said the activities stemming from Proton66 include vulnerability scanning, credential brute forcing, exploit attempts, and phishing campaigns that mimic reputable WordPress sites, Google Play Store app listings, and popular chat rooms.

"Security and IT teams should view these threats as a stark reminder of the many methods by which attackers can target their organizations," said Tiquet. "All organizations should take a proactive approach to regularly update all software and immediately patch vulnerabilities that are being actively exploited in the wild."

Trey Ford, chief information security officer at Bugcrowd, added that the account brute forcing is a reminder of the importance of maintaining velocity checks that monitor attempted login activity from single IP addresses, net blocks, and even user-agent strings.

"CAPTCHA tools vary in capability, so ultimately, we should aim to drive up the cost and complexity of attacker activity beyond the reach of lazy attack patterns like those being flagged here," said Ford.
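The velocity checks Ford describes, keyed on single IP addresses, net blocks and User-Agent strings, are straightforward to run over ordinary web-server access logs. The following is an added example written for this page; it is not code from Trustwave, from any of the quoted experts, or from WordPress. It assumes Apache/nginx "combined" log format, stock WordPress behaviour on /wp-login.php (a failed POST re-renders the form with HTTP 200, a successful one redirects with 302), and thresholds, a five-minute window and sample log lines that are constructed purely for illustration.

```python
"""Velocity checks over web-server login logs (added example, not from the article).

Keeps a sliding-window count of failed /wp-login.php POSTs per source IP, per
net block and per User-Agent. Thresholds, window and sample lines are assumed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format, one named group per field we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def is_failed_login(ev):
    """Stock WordPress answers a failed wp-login.php POST with 200 (form re-rendered)
    and a successful one with 302 to wp-admin, so here 200, not 401, is the failure
    signal (assumed behaviour; adjust the predicate for other applications)."""
    return (ev["method"] == "POST"
            and ev["path"].split("?")[0] == "/wp-login.php"
            and ev["status"] == 200)


class VelocityChecker:
    """Sliding-window counters keyed by IP, by net block (/24 or /64) and by User-Agent."""

    def __init__(self, window, thresholds=None):
        self.window = window
        # Failed attempts per key inside the window before we alert (assumed values).
        self.thresholds = thresholds or {"ip": 10, "net": 30, "ua": 50}
        self.buckets = {dim: defaultdict(deque) for dim in self.thresholds}
        self.fired = set()   # (dim, key) pairs already alerted on, so each fires once
        self.alerts = []     # (dim, key, count, timestamp) in firing order

    @staticmethod
    def keys_for(ev):
        ip = ipaddress.ip_address(ev["ip"])
        net = ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False)
        return {"ip": str(ip), "net": str(net), "ua": ev["ua"]}

    def observe(self, ev):
        """Record one failed attempt; return the alerts it triggered (usually none)."""
        new_alerts = []
        for dim, key in self.keys_for(ev).items():
            q = self.buckets[dim][key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > self.window:   # drop attempts older than the window
                q.popleft()
            if len(q) >= self.thresholds[dim] and (dim, key) not in self.fired:
                self.fired.add((dim, key))
                new_alerts.append((dim, key, len(q), ev["ts"]))
        self.alerts.extend(new_alerts)
        return new_alerts


def scan(lines, window_seconds=300, thresholds=None):
    """Run the checker over raw log lines; return every alert in the order it fired."""
    checker = VelocityChecker(timedelta(seconds=window_seconds), thresholds)
    for line in lines:
        ev = parse_line(line)
        if ev and is_failed_login(ev):
            checker.observe(ev)
    return checker.alerts


# ---- constructed sample data (not real traffic) ----
BASE = datetime(2025, 1, 8, 3, 0, 0, tzinfo=timezone.utc)
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"
TOOL_UA = "python-requests/2.31.0"


def make_line(ip, offset_s, status, ua):
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" {status} 3482 "-" "{ua}"'


def build_sample():
    lines = []
    # A real user mistypes twice, then logs in (302): must not alert.
    lines += [make_line("198.51.100.5", t, s, BROWSER_UA) for t, s in ((0, 200), (20, 200), (40, 302))]
    # One host hammering the form: 12 failures in 12 seconds, crosses the per-IP threshold.
    lines += [make_line("203.0.113.7", 60 + i, 200, TOOL_UA) for i in range(12)]
    # A spray from 20 hosts in the same /24, two tries each: no single IP crosses
    # the per-IP threshold, but the net block and the shared tool User-Agent do.
    for n, host in enumerate(range(10, 30)):
        lines += [make_line(f"203.0.113.{host}", 90 + 2 * n + k, 200, TOOL_UA) for k in range(2)]
    return lines


if __name__ == "__main__":
    for dim, key, count, ts in scan(build_sample()):
        print(f"{ts:%H:%M:%S} velocity alert: {count} failed logins in window, {dim}={key!r}")
```

Against the constructed sample, the per-IP counter catches the single noisy host, while the net-block and User-Agent counters are what catch the distributed spray that stays under the per-IP limit; shrinking the window to a few seconds makes all three go quiet, which is the trade-off between catching low-and-slow attempts and tolerating bursts of genuine typos.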