SecurityWeek
Attacker-Friendly Hosting Firm Leveraged by Pawn Storm Hackers

A Small VPS Provider Registered in the United Arab Emirates Has Been Providing Services to Pawn Storm Attackers and Other Cybercriminal Operations

The servers of a small web hosting provider have been used in a series of targeted attacks by advanced persistent threat (APT) groups since early 2015, Trend Micro researchers have discovered.

The small Virtual Private Server (VPS) hosting company is formally registered in Dubai, United Arab Emirates (UAE), but it has servers in the Netherlands and Romania. Over the past 12 months, the company’s servers were used in more than 100 “serious” cyber-attacks, says Feike Hacquebord, Senior Threat Researcher at Trend Micro.

According to the security firm, the Pawn Storm group has abused the small hosting provider’s servers for at least 80 high-profile attacks against the governments of countries including Bulgaria, Greece, Malaysia, Montenegro, Poland, Qatar, Romania, Saudi Arabia, Turkey, Ukraine, the United States, and the UAE. The Pawn Storm group was also observed using the VPS hosting provider for C&C servers, exploit sites, spear-phishing campaigns, domestic espionage in Russia, and free webmail phishing sites targeting high-profile users.

Bullet Proof Hosting Provider

What’s more, the VPS provider is also used by threat actors such as DustySky (also known as the Gaza hackers, which target Israel, other Middle Eastern countries, and companies that do business in Israel and Egypt) to host their command-and-control (C&C) servers and to send spear-phishing e-mails. The provider has been involved in other cybercrime as well, including hosting a C&C server for the infamous Carbanak banking malware in 2014.

Furthermore, last year the provider “invited” spammers to its services by publicly stating on a shady web forum that “sending campaigns of email marketing” is allowed. Researchers also say that it had the notorious bulletproof hosting provider Maxided as a customer and that, for several months, Border Gateway Protocol (BGP) routing tricks were employed to hide that Maxided was routing IP addresses via its servers.

Other malicious activities associated with the provider include announcing small IP ranges (CIDRs) assigned to Russia or Chile for short periods of time, with researchers observing bursts of e-crime such as phishing sites and C&C servers hosted during these intervals. This happened more than once, and the IP ranges were removed from the routing table as soon as complaints started appearing or when the attack campaigns were finished.
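The short-lived prefix announcements described above are something a network defender can look for in their own BGP feed. The following is an added example, not code from the article or from Trend Micro: it parses a constructed log of announce/withdraw events (documentation prefixes and a reserved ASN, not anything from the report) and flags prefixes that were withdrawn within a short window, noting when the prefix’s registered country differs from the announcing network’s home country.

```python
from datetime import datetime, timedelta

# Constructed sample of BGP update events (timestamp, A=announce/W=withdraw,
# prefix, origin ASN). TEST-NET ranges and AS64496 are documentation values.
SAMPLE_EVENTS = """\
2016-03-01T08:00:00 A 203.0.113.0/24 AS64496
2016-03-01T08:00:00 A 198.51.100.0/24 AS64496
2016-03-03T17:30:00 W 203.0.113.0/24 AS64496
2016-03-10T09:15:00 A 192.0.2.0/24 AS64496
2016-03-10T21:00:00 W 192.0.2.0/24 AS64496
"""

# Constructed registry data: country each prefix is assigned to, and the
# country the announcing ASN is registered in.
PREFIX_COUNTRY = {"203.0.113.0/24": "RU", "198.51.100.0/24": "NL",
                  "192.0.2.0/24": "CL"}
ASN_COUNTRY = {"AS64496": "NL"}


def parse_events(text):
    """Parse one event per line into (datetime, kind, prefix, asn), time-ordered."""
    events = []
    for line in text.splitlines():
        ts, kind, prefix, asn = line.split()
        events.append((datetime.fromisoformat(ts), kind, prefix, asn))
    return sorted(events)


def short_lived_announcements(text, max_age=timedelta(days=7)):
    """Return prefixes that were announced and withdrawn within max_age.

    Each finding records how long the prefix was routed and whether its
    registered country differs from the announcing ASN's (the pattern the
    article describes: foreign CIDRs announced briefly, then withdrawn).
    """
    announced = {}   # (prefix, asn) -> time of first announcement
    findings = []
    for ts, kind, prefix, asn in parse_events(text):
        key = (prefix, asn)
        if kind == "A":
            announced.setdefault(key, ts)
        elif kind == "W" and key in announced:
            lifetime = ts - announced.pop(key)
            if lifetime <= max_age:
                findings.append({
                    "prefix": prefix,
                    "asn": asn,
                    "hours": lifetime.total_seconds() / 3600,
                    "foreign_registry": PREFIX_COUNTRY.get(prefix) != ASN_COUNTRY.get(asn),
                })
    return findings
```

A prefix still in the routing table (198.51.100.0/24 in the sample) is not reported; only announce/withdraw pairs inside the window are.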

What’s also interesting about the web hosting provider is that it serves a mix of customers, including a number of legitimate ones. This year the cybercrime spam problem has diminished, but the company’s servers are still associated with a high number of APT attacks.

The identity of the owner of the VPS company is still unclear, although a name appears in the public RIPE whois database. The LinkedIn page of the company’s director has only two connections and shows no work history. However, researchers traced other people working for the company to the Philippines, Egypt, and Palestine, which suggests that the VPS provider might be using a virtual team of employees who work remotely.

One of the main reasons the small VPS provider in Amsterdam appears to be preferred by cybercriminals and APT actors is the good Internet connectivity in the Netherlands. Moreover, researchers suggest that the Dutch web hosting industry might be vulnerable to offshore constructions that offer enhanced anonymity to cybercrime and cyber espionage.
