VPS servers hijacked into malware proxies – here’s how to stay safe
- Systembc Botnet diverts VPS servers, representing 80% of its active proxy nodes
- Infected VPS Machines Relay traffic for phishing, brute and ransomware operations
- Boots generate high volume traffic daily, often active for weeks despite the blacklist
Cybercriminals are increasingly diverting virtual private servers (VP) to build high -volume malware proxy networks, experts warned.
Cybersecurity researchers from Lumen Technologies Black Lotus have recently detailed the works of the Botnet Syxtembc, active since early 2019, which discreetly amassed more than 80 command and control servers, and maintains an average of 1,500 active robots per day.
What distinguishes this botnet is the fact that almost 80% of compromise systems are virtual private servers (VP).
Cybercrime infrastructure
Usually, a botnet was based on residential devices (computers, routers, intelligent home devices, DVR, cameras and similar), but Systembc adopts a different approach and operates servers with dozens, sometimes hundreds of unread vulnerabilities.
“Although we could not determine the initial access vector used by system operators, our research has revealed that in average, each victim shows 20 not corrected cve and at least a critical cve – with an address indicated as having more than 160 uncharted vulnerabilities,” explained the researchers.
These infected VPS machines are reused as a proxy relay, allowing threat actors to complete huge volumes of malicious traffic for phishing, brute force attacks and ransomware operations, among others.
To worsen things, many of these compromise servers remain active for weeks and 40% remain infected for more than a month.
There are many advantages to target VPS infrastructure instead of residential termination criteria, explains below. VPS ‘offers a higher bandwidth, a long lifespan of infection and a minimum disturbance for end users. This allows proxy criminal services, such as the proxy REM, or VN5SOCKS, to market these robots to other threat groups, including ransomware operators such as Avoslocker or Morpheus.
Another thing that means that Systembc stands out is the total contempt for the stealth of its operators. The bots regularly generate traffic gigabytes per day and are quickly reported and put on black. However, they continue to operate in the context of tentacular proxy networks.
Lumen responded by blocking all traffic to and since the infrastructure linked to Systembc through his world backbone and has published compromise indicators to help defenders, who can be found on this link.
Via Bleeping Compompute
You might also love
