A Small VPS Provider Registered in the United Arab Emirates Has Been Providing Services to Pawn Storm Attackers and Other Cybercriminal Operations
The servers of a small web hosting provider have been used in a series of targeted attacks by persistent threats (APT) since early 2015, Trend Micro researchers have discovered.
The small Virtual Private Server (VPS) hosting company is formally registered in Dubai, United Arab Emirates (UAE), but it has servers in the Netherlands and Romania. Over the past 12 months, the company’s servers were used in more than 100 “serious” cyber-attacks, Feike Hacquebord, Senior Threat Researcher, Trend Micro, says.
According the security firm, the Pawn Storm group has abused the small hosting provider’s servers for at least 80 high profile attacks against governments of countries like Bulgaria, Greece, Malaysia, Montenegro, Poland, Qatar, Romania, Saudi Arabia, Turkey, Ukraine, United States, and UAE. The Pawn Storm group was also observed using the VPS hosting provider for C&C servers, exploit sites, spear-phishing campaigns, domestic espionage in Russia, and free Webmail phishing sites targeting high profile users.
What’s more, the VPS provider is also used by threat actors like DustySky (also known as the Gaza hackers, targeting Israel, other Middle Eastern countries, and companies who do business in Israel and Egypt) to host their command-and-control (C&C) servers and to send spear phishing e-mails. The provider has been engaged into other cybercrime as well, including the hosting of a C&C server of the infamous Carbanak banking malware in 2014.
Furthermore, last year, the provider “invited” spammers to come to its services by publicly saying on a shady webforum that “sending campaigns of email marketing” is allowed. What’s more, researcher say that it also had the notorious bulletproof hosting provider Maxided as a customer and that, for the past several months, border gateway protocol (BGP) routing tricks were employed to hide that Maxided was routing IP addresses via its servers.
Other malicious activities associated with the provider include announcing small IP ranges (CIDRs) assigned to Russia or Chile for a short period of time, with researchers observing bursts of e-crime like phishing sites and C&C servers hosted during these intervals. This happened more than once and the IP ranges were removed from the routing table as soon as the complaints stated appearing or when the attack campaigns were finished.
What’s also interesting about the web hosting provider, is that it serves a mix of customers, including a series of legitimate ones. This year, the cybercrime spam problem was diminished, but the company’s servers are still associated with a high number of APT attacks.
The identity of the owner of the VPS company is yet unclear, albeit a name is used in the public RIPE whois database. The LinkedIn page of the company’s director has only two connections, and shows no working history. However, researchers tracked other people working for the company to the Philippines, Egypt, and Palestine, which suggests that the VPS provider might be using a virtual team of employees who work remotely.
One of the main reasons the small VPS provider in Amsterdam appears to be preferred by cybercriminals and APT actors is the good Internet connectivity in the Netherlands. Moreover, researchers suggest that the Dutch web hosting industry might be vulnerable to off shore constructions that offer enhanced anonymity to cybercrime and cyber espionage.