Each cyber group has its own specific set of requirements for network infrastructure. Someone needs temporary servers for brute-force passwords, network scanning or phishing emails, others need bulletproof hosting hidden behind a chain of reverse proxies. However, all the diversity boils down to several typical scenarios:
- hosting sites with illegal or questionable content,
- management infrastructure hosting,
- hosting service applications and components,
- hosting anonymizers, forward and reverse proxies,
- dedicated servers for scanning and brute force attacks,
- platforms for phishing and spamming.
Thus, the criminal network infrastructure generally consists of the following areas:
- special hosting services,
- hosting based on compromised servers,
- confidentiality and anonymity services,
- DNS services.
Let's take a closer look at these components and start with dedicated hosting services.
Bulletproof hosting
Any illegal activity sooner or later leads to the fact that the resources associated with it become the object of attention of law enforcement agencies. And then the IP addresses of these resources are blocked, the servers are seized, and the domains are partitioned. This situation leads to the disruption of cyber attacks and the need to spend on organizing new infrastructure. To avoid such a situation, illegal structures resort to services that are immune to police requests.
For example, the legislation of Belize and Seychelles allows companies that provide such hosting services to ignore all requests from law enforcement agencies regarding resources hosted at their facilities. As a result, many bulletproof hosting sites are hosted there.
Another example is placing a criminal hosting in a private house. It was such an illegal data center, which contained more than 100 servers, that the Ukrainian police recently discovered and eliminated.
Fast-flux services
Fast-flux is a completely legal technology that is used to provide increased service availability and load balancing by constantly switching domain name resolution to a pool of IP addresses. This approach allows criminals to achieve increased resistance to hacking and interceptions, allowing them to hide the location of their server. A pool of IP addresses is often used to chain reverse proxies and can be provided by several resources: rented cloud VPS, botnet hosts, or compromised machines.
How fast-flux works as an intermediate layer service. Source (hereinafter, unless otherwise noted): Trend Micro
The essence of the fast-flux method is to use short TTL (time-to-live) for DNS A records. This prevents staging DNS servers from caching the domain name and forces them to always request permission from the advertised Domain Name System (DNS) servers. Low TTL values ββallow attackers to direct the domain to IP addresses in a dedicated pool with high frequency and ensure service availability even if some of the addresses are compromised or banned by the ISP.
Fast-flux specific DNS records
TTL values ββshown in red are set with unusually low retries and minimum TTL time (in seconds). Under normal circumstances this would put additional load on the DNS server, but in the case of fast-flux, the goal is to suppress the caching mechanism so that the client is presented with a valid IP address, which is currently provided by the fast-flux infrastructure.
Fast-flux services tend to be more expensive than bulletproof hosting because their operator has to maintain a pool of IP addresses to provide a βfast flowβ infrastructure, and this requires additional costs.
Fast-flux services cost $ 100 for two domains per month, while monthly bulletproof server rent is $ 10.
DDoS protection
Cybercriminal groups compete with each other no less than legal organizations, and as a means of competition they arrange attacks on denial of service to the resources of competitors using Layer4 and Layer7 methods. That is why many bulletproof services offer hosting with DDoS protection or a DDoS protection service that you can use for your resource.
Typically, such services are provided by placing a specialized resource in front of the protected server, such as a WAF (Web Application Firewall).
VDS from compromised hosts
Compromised servers are often used for hosting during one or more stages of their criminal monetization lifecycle.
To capture control are used:
- vulnerabilities in server software,
- bruteforce attacks,
- stolen API keys,
- stealing accounts through connected servers,
- phishing and fraudulent campaigns.
Password guessing is usually used in attacks against SSH, VNC and RDP services.
Credentials for accessing the hijacked servers are subsequently sold on underground online stores:
Accounts online store for accessing compromised RDP servers. Taking
over more secure servers may require zero-day vulnerabilities, which are also offered on cyber forums.
Announcement of the sale of a vulnerability in OpenSMTPD, which allows you to compromise servers running FreeBSD, NetBSD, Debian, Fedora and Alpine Linux and use them for hosting
Compromising cloud hosting
From the attacker's point of view, Google Cloud and Microsoft Azure are extremely accessible resources, since both allow users with a bank card connected to their account to try the services for free. This has led to cybercriminals actively collecting data from Google accounts with connected bank cards and then using it to launch instances of dedicated servers. For novice hackers, detailed tutorials are published:
A Guide to Opening Google Cloud Hosting from a Compromised Google Account
For those who do not want to bother hacking their accounts, there are stores offering already hacked Microsoft Azure and Google Cloud accounts.
Socks, Proxy and SSH Tunnels
SOCKS and proxy services allow attackers to hide without attracting too much attention or triggering detection through network security monitoring tools.
In view of the demand for this tool, it is relatively easy to find resources offering to purchase SOCKS proxies, and you can pay for the purchase with cryptocurrency.
Price list for SOCKS proxies that can be paid for using Bitcoin and Ethereum
Another way to hide communication is tunneling into legitimate protocols, for example, SSH:
Price list for SSH tunnels
The cost of SSH tunnels depends on the country of location. Location is very important for some illegal activities. For example, banks' anti-fraud systems correlate information about the cardholder with the geolocation of the IP address at which an attempt was made to use it. Therefore, criminals are willing to pay more to buy a tunnel that matches not only the desired country, but also the city.
Anonymizing VPN
Another service that is in demand in the cybercriminal environment is anonymous VPN, and in this part the preferences of the groups are divided: some prefer to use legal commercial VPNs like NordVPN or ProtonVPN, others rent similar services in the underground market, and others independently create an infrastructure based on OpenVPN, WireGuard or SoftEther ...
One of the signs that indirectly indicate that compromised hosts are used to provide VPN services is the indication of the "availability guarantee period" of the service. The lower the number, the more suspicious these services are. It is unlikely that a legitimate VPN provider will write in the terms that "If the provided credentials do not work within the next 24 (48 or 72) hours, the new credentials will be provided free of charge." But this is exactly what is usually present in the offers of illegal services.
Short Live VPN Selling Announcement
Another suspicious sign of a possible criminal nature of the anonymization of services is the term of the contract. Legal VPN providers provide services for at least a month, while in the criminal environment, there are VPN services for a period of no more than one day. It is difficult to imagine cases of legal use for which such a short time is enough. However, for criminals, this is quite enough to
- check the validity of compromised bank cards,
- check the validity of compromised accounts,
- register accounts on cloud platforms or content hosting platform,
- make a fraudulent mailing on social networks,
- launch a malicious ad campaign.
Infrastructure offerings of shadow cyber business are not limited to relatively standard services. Studying the ads, you can find quite interesting services that are still in demand by niche clients, or are gaining popularity trends.
Mobile workplaces
Some vendors offer bullet-proof mobile workstations to those wishing to be protected from outsiders.
And although this site's policy prohibits the spread of malware formally, we found advertisements on the forum
suggesting that other malicious actions are acceptable: The proposal mentions complete anonymity, inability to locate the user, high-speed Internet connection, DDoS protection, outbound traffic mixer and five various VPNs. Despite the fact that direct port scanning, brute-force and malware distribution are not allowed, an attacker can perform other criminal actions using such AWPs.
Anonymizing traffic mixers
Tor isn't the only way to hide from the watchful eye of law enforcement and competitors. Services offering robust workspaces have developed their own traffic mixers using a geographically dispersed network of routers. This traffic mixes with the traffic of anonymous VPSs that periodically move between data centers located in different countries, making it even more difficult to trace such systems.
Custom services are also available to bundle VPN connections, Tor and geographically dispersed sets of routers. These combinations create such a complex chain of hosts and redirectors that it is almost impossible to trace.
Traffic obfuscation chain offer
For example, one of the services offers to use the following chain:
Host β VPN1 β VPN2 β TOR β gateway for bouncing traffic β traffic mixer β geographically distributed routers for bouncing traffic β remote desktop (RDP) for work β connecting via other geographically distributed routers β Tor servers β output node β destination.
conclusions
Our research has shown that the cybercriminal infrastructure is significantly more advanced than many researchers assumed. We believe that this particular component is one of the most mature aspects of the criminal business. Network worms are giving way to Trojans, browser exploits to targeted phishing attacks, and outright extortion is replacing the business model of information theft. However, the infrastructure on which all these actions are based remains in demand and is constantly evolving, offering new technically sophisticated services.
Cybercriminals need a reliable service that allows them to act while hiding from law enforcement agencies as long as possible. This demand has spawned an entire industry of semi-legal services that cater to cybercriminals while indirectly helping criminals. The problem is that providing reliable, untraceable hosting services is not illegal in and of itself. Solving this problem is a very important piece of the puzzle for those who are fighting cybercrime as a global problem.