One of the most notorious providers of abuse-friendly “bulletproof” web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm Kaspersky Lab, KrebsOnSecurity has learned.
Security experts say the Russia-based service provider Prospero OOO (the triple O is the Russian version of “LLC”) has long been a persistent source of malicious software, botnet controllers, and a torrent of phishing websites. Last year, the French security firm Intrinsec detailed Prospero’s connections to bulletproof services advertised on Russian cybercrime forums under the names Securehost and BEARHOST.

The bulletproof hosting provider BEARHOST. This screenshot has been machine-translated from Russian. Image: Ke-la.com.
Bulletproof hosts are so named when they earn or cultivate a reputation for ignoring legal demands and abuse complaints. And BEARHOST has been cultivating its reputation since at least 2019.
“If you need a server for a botnet, for malware, brute, scan, phishing, fakes and any other tasks, please contact us,” BEARHOST’s ad on one forum advises. “We completely ignore all abuses without exception, including SPAMHAUS and other organizations.”
Intrinsec found Prospero has courted some of Russia’s nastiest cybercrime groups, hosting control servers for multiple ransomware gangs over the past two years. Intrinsec said its analysis showed Prospero frequently hosts malware operations such as SocGholish and GootLoader, which are spread primarily via fake browser updates on hacked websites and often lay the groundwork for more serious cyber intrusions — including ransomware.

A fake browser update page pushing mobile malware. Image: Intrinsec.
BEARHOST prides itself on the ability to evade blocking by Spamhaus, an organization that many Internet service providers around the world rely on to help identify and block sources of malware and spam. Earlier this week, Spamhaus said it noticed that Prospero was suddenly connecting to the Internet by routing through networks operated by Kaspersky Lab in Moscow.
Update, March 1, 9:43 a.m. ET: In a written statement, Kaspersky said it is aware of the public claim about the company allegedly providing services to a “bulletproof” web hosting provider. Here is their full statement:
“Kaspersky denies these claims as the company does not work and has never worked with the service provider in question. The routing through networks operated by Kaspersky doesn’t by default mean provision of the company’s services, as Kaspersky’s automatic system (AS) path might appear as a technical prefix in the network of telecom providers the company works with and provides its DDoS services.”
“Kaspersky pays great attention to conducting business ethically and ensuring that its solutions are used for their original purpose of providing cybersecurity protection. The company is currently investigating the situation to inform the company whose network could have served as a transit for a “bulletproof” web hosting provider so that the former takes the necessary measures.”
Kaspersky began selling antivirus and security software in the United States in 2005, and the company’s malware researchers have earned accolades from the security community for many important discoveries over the years. But in September 2017, the Department of Homeland Security (DHS) barred U.S. federal agencies from using Kaspersky software, mandating its removal within 90 days.
Cybersecurity reporter Kim Zetter notes that DHS didn’t cite any specific justification for its ban in 2017, but media reports quoting anonymous government officials referenced two incidents. Zetter wrote:
According to one story, an NSA contractor developing offensive hacking tools for the spy agency had Kaspersky software installed on his home computer where he was developing the tools, and the software detected the source code as malicious code and extracted it from his computer, as antivirus software is designed to do. A second story claimed that Israeli spies caught Russian government hackers using Kaspersky software to search customer systems for files containing U.S. secrets.
Kaspersky denied that anyone used its software to search for secret information on customer machines and said that the tools on the NSA worker’s machine were detected in the same way that all antivirus software detects files it deems suspicious and then quarantines or extracts them for analysis. Once Kaspersky discovered that the code its antivirus software detected on the NSA worker’s machine was not malicious programs but source code in development by the U.S. government for its hacking operations, CEO Eugene Kaspersky says he ordered workers to delete the code.
Last year, the U.S. Commerce Department banned the sale of Kaspersky software in the U.S. effective July 20, 2024. U.S. officials argued the ban was needed because Russian law requires domestic companies to cooperate in all official investigations, and thus the Russian government could force Kaspersky to secretly gather intelligence on its behalf.
Phishing data gathered last year by the Interisle Consulting Group ranked hosting networks by their size and concentration of spambot hosts, and found Prospero had a higher spam score than any other provider by far.

AS209030, owned by Kaspersky Lab, is providing connectivity to the bulletproof host Prospero (AS200593). Image: cidr-report.org.
It remains unclear why Kaspersky is providing transit to Prospero. Doug Madory, director of Internet analysis at Kentik, said routing data show the relationship between Prospero and Kaspersky started at the beginning of December 2024.
Madory said Kaspersky’s network appears to be hosting several financial institutions, including Russia’s largest — Alfa-Bank. Kaspersky sells services to help protect customers from distributed denial-of-service (DDoS) attacks, and Madory said it could be that Prospero is simply purchasing that protection from Kaspersky.
But if that is the case, it doesn’t make the situation any better, said Zach Edwards, a senior threat researcher at the security firm Silent Push.
“In some ways, providing DDoS protection to a well-known bulletproof hosting provider may be even worse than just allowing them to connect to the rest of the Internet over your infrastructure,” Edwards said.