‘Bulletproof’ Hosting Enables Cyber Attackers

bulletproof glass with bullet marks
By Justin Silbert

3 minutes

Four possible strategies for fighting back

Editor's note: October is National Cybersecurity Awareness Month.

Bulletproof hosting is a major problem and another indication of the growth and maturity of the criminal enterprise. Law enforcement has a challenging task in finding and arresting bad actors who are attacking organizations. So, law enforcement does the next best thing, which is taking down the websites and infrastructure of the attackers. 

In recent years, law enforcement has been moderately successful in this pursuit by holding the cloud infrastructure providers—such as Amazon, Google, and Microsoft—accountable for allowing the bad actors to operate.  

However, bulletproof hosting providers are explicitly offering services to protect the bad actors from law enforcement activities, essentially condoning the malicious attacks. Bulletproof hosting providers will not work with law enforcement.

According to a recent report from Cequence, “Bulletproof Proxies: The Evolving Cybercriminal Infrastructure,” “bulletproof proxies are the natural evolution of criminal infrastructure to match modern trends in both cybercriminal attacks and legitimate use of the internet. With the explosion of the app ecosystem and an internet where one seems to ‘have an account for everything,’ cybercriminals can live off this new land, with new kinds of attacks (some of which are not even strictly illegal), supported by a different kind of criminal infrastructure that matches their demands of scale and the ability to blend in with legitimate users of a service.”

Sadly, the threat of malicious attacks continues to grow as the maturity of the tools and infrastructure grows. Because of this, we are also seeing a steady decrease in barriers to entry for those who are starting their careers as bad actors. 

The Cequence study found that attacks emanating from bulletproof proxy networks targeting Cequence financial services and retail customer environments increased 518% and 800% respectively between Q1-Q2 2019 and that more than 70% of the attack traffic across these networks targeted mobile endpoints.

In addition, the study cited several strategies to try to identify these problematic IPs, including: 

  • Changes in behavior and traffic distributions that deviate substantially from the norm. Understanding and profiling good traffic is the best place to start to find these anomalies, and then use the anomalies to identify the proxy networks 
  • Active use of services. Shodan—a search engine for Internet-connected devices—and Greynoise—which collects, labels, and analyzes Internet-wide scan and attack data—offer some intelligence about the device(s) behind an IP, and indicate if it could susceptible. 
  • Increase consumer awareness. For example, TrendMicro did a great service by identifying HolaVPN as the source for the Luminati network. Consumers need to be educated to not join the peer-to-peer VPN networks unwittingly, and to be very cautious about browser plugins. At the end of the day, the fewer consumers that become unwitting exit nodes in these proxy networks, the smaller the networks will be. 
  • Support those working to expose providers that turn a blind eye to abuse on their networks. 

To assist law enforcement and other industry groups to combat the threats, credit unions and other small businesses also should report any attacks, successful or otherwise, to the appropriate authority. It is important that we share information, so that attack trends can be identified and mitigated. 

Justin Silbert, GCIH, GCFE, CISSP, is chief information security officer for CUES strategic provider for cybersecurity services, LEO Cyber Security

CUES Learning Portal

Subscribe to Skybox

Get two to four blogs delivered via email each week!