Subj : Russian bulletproof hosti
To   : All
From : Mike Powell
Date : Mon Apr 21 2025 07:44 am

Russian bulletproof hosting system targeted by hackers to spread malware

Date:
Mon, 21 Apr 2025 11:01:00 +0000

Description:
Cybercriminals are using Proton66 for a range of activities, researchers say.

FULL STORY

Proton66, a Russian bulletproof hosting service provider, is being used to
spread malware and ransomware, mount phishing attacks, and more, experts have
warned.

Researchers from Trustwave warned that the malicious activity has picked up in
recent weeks: "Starting from January 8, 2025, SpiderLabs observed an increase
in mass scanning, credential brute forcing, and exploitation attempts
originating from Proton66 ASN targeting organizations worldwide."

Although malicious activity was seen in the past, the spike and sudden
decline observed later in February 2025 were notable, and offending IP
addresses were investigated.

Whoever is behind these activities is looking to exploit a number of
vulnerabilities, including an authentication bypass flaw in Palo Alto
Networks PAN-OS (CVE-2025-0108), an insufficient input validation flaw in the
NuPoint Unified Messaging (NPM) component of Mitel MiCollab (CVE-2024-41713),
a command injection vulnerability in D-Link NAS devices (CVE-2024-10914), and
an authentication bypass in Fortinet's FortiOS (CVE-2024-55591 and
CVE-2025-24472).

The two FortiOS flaws were previously exploited by the initial access broker
Mora_001, which has also been seen dropping a new ransomware variant called
SuperBlack.

The same report also said that several malware families hosted their C2
servers on Proton66, including GootLoader and SpyNote.

Furthermore, Trustwave said XWorm, StrelaStealer, and a ransomware named
WeaXor were all being distributed through Proton66.

Finally, crooks are allegedly using compromised WordPress sites related to a
Proton66-linked IP address to redirect Android users to phishing pages that
spoof Google Play app listings and try to trick users into downloading
malware.

To mitigate the risk from Proton66-linked threats, organizations should block
all the Classless Inter-Domain Routing (CIDR) ranges associated with the
company and with Chang Way Technologies, a Hong Kong-based provider that is
likely related to Proton66.
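The CIDR-blocking advice above is easy to state and easy to get wrong in practice, so here is an added example (not code from the TechRadar story or from Trustwave) of the two halves of it: checking past auth logs for source IPs that fall inside provider-attributed ranges, and emitting nftables statements that drop traffic from those ranges. The CIDRs used here are RFC 5737 documentation prefixes standing in for the real Proton66 / Chang Way ranges, the log lines are constructed, and the set and table names are arbitrary choices.

```python
"""Block-list helper for provider-attributed CIDR ranges.

Added example; not part of the original story or Trustwave's report.
BLOCKLIST_CIDRS holds PLACEHOLDER documentation prefixes (RFC 5737).
Replace them with the ranges published for Proton66 and Chang Way.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Hypothetical blocklist: documentation prefixes standing in for the real ranges.
BLOCKLIST_CIDRS = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]

# Constructed sshd/syslog-style lines; two sources sit inside the blocklist,
# one is an internal host, one is an unrelated RFC 1918 address.
SAMPLE_LOG = """\
Apr 21 07:40:01 edge sshd[1201]: Failed password for root from 203.0.113.17 port 51422 ssh2
Apr 21 07:40:03 edge sshd[1201]: Failed password for admin from 203.0.113.17 port 51430 ssh2
Apr 21 07:41:10 edge sshd[1209]: Accepted publickey for ops from 10.20.30.40 port 40022 ssh2
Apr 21 07:42:55 edge sshd[1215]: Failed password for invalid user test from 198.51.100.8 port 3344 ssh2
Apr 21 07:43:02 edge sshd[1220]: Failed password for root from 172.16.5.9 port 5000 ssh2
"""

# Source address as sshd prints it ("... from 203.0.113.17 port ...").
IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def build_networks(cidrs: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse CIDR strings once; strict=False tolerates host bits in the input."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_blocked(ip: str, networks: List[ipaddress._BaseNetwork]) -> bool:
    """True if ip lies inside any listed network (version mismatch is False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_blocked_sources(log_text: str, cidrs: Iterable[str]) -> List[Tuple[str, int]]:
    """Return (source_ip, line_count) for log lines whose source is blocklisted."""
    networks = build_networks(cidrs)
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        if is_blocked(ip, networks):
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items())


def nft_rules(cidrs: Iterable[str], set_name: str = "bph_block") -> List[str]:
    """Emit nftables statements that drop inbound traffic from the IPv4 ranges.

    IPv6 entries are skipped because the set is typed ipv4_addr; feed them to a
    second set of type ipv6_addr if the provider also announces v6 space.
    """
    v4 = [str(n) for n in build_networks(cidrs) if n.version == 4]
    return [
        "add table inet filter",
        "add chain inet filter input { type filter hook input priority 0; }",
        f"add set inet filter {set_name} {{ type ipv4_addr; flags interval; }}",
        f"add element inet filter {set_name} {{ {', '.join(v4)} }}",
        f"add rule inet filter input ip saddr @{set_name} drop",
    ]


if __name__ == "__main__":
    for ip, n in find_blocked_sources(SAMPLE_LOG, BLOCKLIST_CIDRS):
        print(f"{ip}: {n} line(s) from blocklisted range")
    print("\n".join(nft_rules(BLOCKLIST_CIDRS)))
```

The log check deliberately matches on network membership rather than on exact IPs, because a provider's scanners rotate within its prefixes; the `flags interval` set in the nftables output is what lets the kernel match whole CIDRs in a single lookup. Pipe the emitted statements to `nft -f -` only after confirming the ranges really belong to the provider, since a typo in a prefix blocks legitimate traffic just as efficiently.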

So-called bulletproof hosting is a type of hosting service that is advertised
as being immune to takedowns and legal action, but there have been cases in
the past where bulletproof hosts were eventually taken down anyway.

At this time, the fact that Proton66 is a Russian service probably makes it
somewhat bulletproof against Western action. However, politics change like the
wind, and what Russia protected yesterday could be traded away tomorrow.

Via The Hacker News

======================================================================
Link to news story:
https://www.techradar.com/pro/security/russian-bulletproof-hosting-system-targeted-by-hackers-to-spread-malware

--- SBBSecho 3.20-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)