Virtual Private Server (VPS)

A VPS can serve a threat actor as an encrypted proxy.[^1] VPS servers are used as proxies to obscure a threat actor's true location[^2] and as hop points for connecting to cybercriminal infrastructure.[^2] Threat actors combine them with obfuscation techniques and dynamic URLs to evade detection.[^3] VPS servers can also host criminal infrastructure directly, including phishing pages and botnet control panels.[^4] They let attackers mask their own IP address and obtain a "clean", trustworthy IP address from almost anywhere in the world.[^4] Legitimate providers, and especially their free trials, are abused to host malicious content.[^4] Threat actors host only the minimum data needed to reach the victim.[^4] A VPS can also host proxies and VPN gateways that mask the location of C2 servers.[^4] Threat actors have been known to pay for VPS servers with Bitcoin and to keep using a server for as long as they believe it is not being tracked, since each additional procurement transaction increases their exposure to identification.
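Because a VPS gives an attacker a "clean" IP that is not tied to the victim's expected geography or to a known-bad list, a practical detection is to attribute authentication sources to hosting ASNs and flag logins that originate there, especially when one hosting IP touches many accounts (the password-spray pattern in the SVR and UNC6293 entries below). The following is an added example written for this page, not code from any cited source; the prefix table and log lines are constructed stand-ins (RFC 5737 documentation ranges, invented usernames and ASN labels), and in practice the table would come from an ASN/hosting feed such as RIR data or a commercial ASN database.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed prefix table standing in for a real ASN/hosting feed. The
# prefixes are RFC 5737 documentation ranges and the ASN labels are invented.
HOSTING_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "AS64500 example-vps-host",
    ipaddress.ip_network("198.51.100.0/24"): "AS64501 example-cloud",
}

# Constructed authentication log in a simple key=value format (hypothetical).
SAMPLE_LOG = """\
2024-03-01T08:00:01Z user=alice src=192.0.2.10 result=success
2024-03-01T08:00:05Z user=bob src=203.0.113.45 result=failure
2024-03-01T08:00:06Z user=carol src=203.0.113.45 result=failure
2024-03-01T08:00:07Z user=dave src=203.0.113.45 result=failure
2024-03-01T08:00:09Z user=erin src=203.0.113.45 result=success
2024-03-01T08:01:00Z user=frank src=198.51.100.7 result=success
2024-03-01T08:02:00Z user=alice src=192.0.2.10 result=failure
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def hosting_asn(ip_str):
    """Return the hosting ASN label for ip_str, or None if it is not in a hosting prefix."""
    ip = ipaddress.ip_address(ip_str)
    for net, label in HOSTING_PREFIXES.items():
        if ip in net:
            return label
    return None


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, spray_threshold=3):
    """Group auth events by source IP and flag hosting-origin activity.

    Two alert types are produced for IPs inside a hosting prefix:
      - "spray": one hosting IP attempted >= spray_threshold distinct accounts
      - "hosting_login": a successful login from a hosting IP (one per success)
    Non-hosting sources are ignored; tune spray_threshold to the environment.
    """
    per_ip = defaultdict(lambda: {"users": set(), "failures": 0, "successes": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the pipeline
        rec = per_ip[ev["src"]]
        rec["users"].add(ev["user"])
        if ev["result"] == "failure":
            rec["failures"] += 1
        else:
            rec["successes"].append(ev["user"])

    alerts = []
    for ip, rec in per_ip.items():
        asn = hosting_asn(ip)
        if asn is None:
            continue
        if len(rec["users"]) >= spray_threshold:
            alerts.append({"src": ip, "asn": asn, "type": "spray",
                           "users": sorted(rec["users"]), "failures": rec["failures"]})
        for user in rec["successes"]:
            alerts.append({"src": ip, "asn": asn, "type": "hosting_login", "user": user})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the constructed log this yields three alerts: a spray from 203.0.113.45 across four accounts, the successful login by erin from that same VPS IP, and frank's login from the second hosting range; alice's activity from the non-hosting 192.0.2.0/24 range is not flagged. A hosting-ASN match alone is not proof of compromise (legitimate users do log in through cloud-hosted VPNs), so the spray and success signals are what should drive escalation.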

[[Zhou Shuai]] – had a VPS server seized
[[SVR Password Spraying]] – used a leased VPS after the first account was cracked
[[GHOSTnet GmbH]] – provides VPS hosting services
[[Unit 29155]] – used VPS to host their operational tools and perform cyber operations.
[[Grandoreiro Banking Trojan]] – exploited vulnerabilities in VPS hosting providers
[[Contabo]] – VPS provider
[[Bulletproof Web Hosting]] – can be hosted on VPS
[[CrazyRDP]] – type of VPS
[[Seashell Blizzard]] – uses tunneling tools to threat actor controlled VPS servers
[[ORB Networks]] – include VPS
[[ORB3 (SPACEHOP)]] – registers VPS devices with commercial ASN
[[Device Code Authentication Phishing]] – attacks came from VPS and Tor
[[ORB2 (FLORAHOX)]] – combined provisioned VPS with non-provisioned victim nodes
[[iptables]] – iptables and ip6tables can be used to secure a VPS
[[Threat Actor]] – VPS services can allow threat actors to mask their location from their victims
[[UNC6293]] – used VPS and residential proxies to log into the victim accounts
[[Red Teaming]] – use a unique domain in front of your short-haul and long-haul servers to mask the externally-routed traffic
[[CIA HIVE Attack Kit]] – VPS is sourced from commercial providers
[[Kimsuky]] – used VPS for spear-phishing attacks

Backlinks

[[Abandoned and Expired Infrastructure]]
[[Bitcoin]]
[[Botnet]]
[[C2 Servers]]
IP Addresses
[[Phishing]]
[[Threat Actor]]
[[URL]]

Sources

[1] “Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology,” IC3, AA22-047A, Feb. 2022. [Online]. Available: https://www.ic3.gov/CSA/2022/220217.pdf
[2] talosintelligence_de-anonymizingRansomware
[3] cyberpress_vpsHostingThreatActors
[4] cyfirma_vpsExploitation