CISA Releases Guide to Mitigate Bulletproof Hosting Threats
Summary
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with U.S. and international partners, has released a guide titled 'Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers.' It gives internet service providers (ISPs) and network defenders an overview of how cybercriminals use bulletproof hosting (BPH) and the key steps to safeguard their networks. BPH providers lease or resell infrastructure that is resistant to legal process and abuse complaints, which lets malicious actors obfuscate their operations and avoid detection; the guide stresses the growing use of such infrastructure for ransomware attacks, data extortion, and denial of service (DoS) attacks. Its key recommendations are to curate a 'high confidence' list of malicious internet resources, conduct continuous traffic analysis, automate reviews of blocklists, share threat intelligence, deploy filters at the network edge, and establish feedback processes to reduce accidental blocking. CISA encourages ISPs and organizations to adopt these measures to reduce the effectiveness of BPH infrastructure and improve network security.
Timeline
- 19.11.2025 14:00 · 2 articles
CISA Releases Guide to Combat Bulletproof Hosting Cybercrime
On November 19, 2025, CISA, in collaboration with U.S. and international partners, released a guide titled 'Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers.' The guide provides ISPs and network defenders with key steps and best practices to safeguard their networks from BPH-related cybercriminal activity, emphasizes the growing threat posed by BPH infrastructure, and offers actionable recommendations to mitigate these risks. Infosecurity Magazine's coverage further details how BPH infrastructure supports ransomware, phishing, malware delivery, and other attacks targeting critical sectors, and highlights the role of BPH providers in leasing or reselling infrastructure to malicious actors so they can obfuscate operations and avoid detection. Key recommendations include curating a 'high confidence' list of malicious internet resources, conducting continuous traffic analysis, implementing automated reviews of blocklists, sharing threat intelligence, deploying filters at the network edge, and establishing feedback processes to reduce accidental blocking.
Sources:
- CISA Unveils Guide to Combat Bulletproof Hosting Cybercrime — www.cisa.gov — 19.11.2025 14:00
- CISA Issues New Guidance on Bulletproof Hosting Threat — www.infosecurity-magazine.com — 20.11.2025 17:00
Information Snippets
- Bulletproof hosting (BPH) providers offer infrastructure that is resistant to legal processes and victim complaints, enabling cybercriminal activities such as ransomware, data extortion, and DoS attacks.
  First reported: 19.11.2025 14:00 · 2 sources, 2 articles
  Sources:
  - CISA Unveils Guide to Combat Bulletproof Hosting Cybercrime — www.cisa.gov — 19.11.2025 14:00
  - CISA Issues New Guidance on Bulletproof Hosting Threat — www.infosecurity-magazine.com — 20.11.2025 17:00
- The guide advises ISPs to conduct traffic analysis, curate lists of malicious internet resources, and implement filters to mitigate BPH risks.
  First reported: 19.11.2025 14:00 · 2 sources, 2 articles
  Sources:
  - CISA Unveils Guide to Combat Bulletproof Hosting Cybercrime — www.cisa.gov — 19.11.2025 14:00
  - CISA Issues New Guidance on Bulletproof Hosting Threat — www.infosecurity-magazine.com — 20.11.2025 17:00
- CISA collaborates with governments, law enforcement, and the private sector to combat BPH infrastructure and reduce cybercriminal anonymity.
  First reported: 19.11.2025 14:00 · 1 source, 1 article
  Sources:
  - CISA Unveils Guide to Combat Bulletproof Hosting Cybercrime — www.cisa.gov — 19.11.2025 14:00
- Bulletproof hosting (BPH) infrastructure supports ransomware, phishing, malware delivery, and other attacks targeting critical sectors.
  First reported: 20.11.2025 17:00 · 1 source, 1 article
  Sources:
  - CISA Issues New Guidance on Bulletproof Hosting Threat — www.infosecurity-magazine.com — 20.11.2025 17:00
- BPH providers lease or resell infrastructure to malicious actors, allowing them to obfuscate operations, cycle through IP addresses, and host illicit content while avoiding detection.
  First reported: 20.11.2025 17:00 · 1 source, 1 article
  Sources:
  - CISA Issues New Guidance on Bulletproof Hosting Threat — www.infosecurity-magazine.com — 20.11.2025 17:00
- Fast flux techniques, command and control activity, and data extortion schemes frequently run through BPH networks.
  First reported: 20.11.2025 17:00 · 1 source, 1 article
  Sources:
  - CISA Issues New Guidance on Bulletproof Hosting Threat — www.infosecurity-magazine.com — 20.11.2025 17:00
- CISA recommends curating a 'high confidence' list of malicious internet resources, conducting continuous traffic analysis, implementing automated reviews of blocklists, sharing threat intelligence, deploying filters at the network edge, and establishing feedback processes to reduce accidental blocking.
  First reported: 20.11.2025 17:00 · 1 source, 1 article
  Sources:
  - CISA Issues New Guidance on Bulletproof Hosting Threat — www.infosecurity-magazine.com — 20.11.2025 17:00
- ISPs are encouraged to notify customers about potential threats, offer optional filtering tools, and establish sector-wide standards for BPH abuse prevention.
  First reported: 20.11.2025 17:00 · 1 source, 1 article
  Sources:
  - CISA Issues New Guidance on Bulletproof Hosting Threat — www.infosecurity-magazine.com — 20.11.2025 17:00
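The recommended controls above (a curated high-confidence list, continuous traffic analysis, automated blocklist review, a filter decision at the edge, and a feedback path that bounds accidental blocking) in working form, as an added Python example; this is not code from the CISA guide or from either article. The blocklist ranges, the customer exception, the flow record layout and the log lines are all constructed for illustration: the prefixes are RFC 5737 documentation ranges, not real BPH infrastructure, and "partner-feed-A" and similar source labels are placeholders.

```python
"""Added example (not from the CISA guide or the cited articles): a minimal
BPH mitigation loop run over constructed NetFlow-style records.

All ranges, sources, hostnames and log lines below are made up for
illustration; the prefixes are RFC 5737 documentation ranges."""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 11, 21, tzinfo=timezone.utc)

# Constructed 'high confidence' list. Each entry records who vouched for it
# and when it was last re-confirmed, so it can be reviewed automatically.
BLOCKLIST = [
    {"cidr": "203.0.113.0/24",  "source": "partner-feed-A", "last_confirmed": NOW - timedelta(days=3)},
    {"cidr": "198.51.100.0/25", "source": "internal-ir",    "last_confirmed": NOW - timedelta(days=10)},
    {"cidr": "192.0.2.0/24",    "source": "partner-feed-B", "last_confirmed": NOW - timedelta(days=120)},
]
MAX_AGE = timedelta(days=90)  # automated review: retire entries nobody has re-confirmed

# Feedback process: a host a customer reported as a false positive is exempted
# until the exception expires, so accidental blocking is bounded in time.
ALLOW_EXCEPTIONS = {
    "198.51.100.7": NOW + timedelta(days=14),  # constructed ticket: legitimate SaaS vendor
}

# Constructed flow records: ts src_ip dst_ip dst_port proto bytes
FLOWS = [
    "2025-11-21T09:00:01Z 10.1.4.22 203.0.113.45 443 tcp 52000",  # egress to listed range
    "2025-11-21T09:00:05Z 198.51.100.7 10.1.4.22 443 tcp 1200",   # listed, but excepted
    "2025-11-21T09:00:09Z 198.51.100.9 10.1.4.30 22 tcp 800",     # inbound from listed range
    "2025-11-21T09:00:12Z 10.1.4.31 192.0.2.10 80 tcp 300",       # range aged out of the list
    "2025-11-21T09:00:20Z 10.1.4.40 10.9.9.9 443 tcp 9100",       # unrelated internal traffic
]


def review_blocklist(entries, now=NOW, max_age=MAX_AGE):
    """Split entries into (active, retired) by confirmation age."""
    active, retired = [], []
    for e in entries:
        (active if now - e["last_confirmed"] <= max_age else retired).append(e)
    return active, retired


def build_matcher(entries):
    """Return a lookup(ip) -> entry-or-None over the active ranges."""
    nets = [(ipaddress.ip_network(e["cidr"]), e) for e in entries]

    def lookup(ip):
        addr = ipaddress.ip_address(ip)
        return next((e for net, e in nets if addr in net), None)
    return lookup


def parse_flow(line):
    ts, src, dst, port, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto, "bytes": int(nbytes)}


def classify_flows(lines, entries, exceptions, now=NOW):
    """Edge filter decision per flow: block on either endpoint matching an
    active listed range, unless that endpoint has a live exception."""
    lookup = build_matcher(entries)
    verdicts = []
    for line in lines:
        flow, hit = parse_flow(line), None
        for side in ("src", "dst"):
            ip = flow[side]
            if ip in exceptions and exceptions[ip] > now:
                continue
            entry = lookup(ip)
            if entry is not None:
                hit = (side, ip, entry["cidr"], entry["source"])
                break
        verdicts.append({"flow": flow, "action": "block" if hit else "allow", "match": hit})
    return verdicts


def summarize(verdicts):
    """Traffic-analysis roll-up: counts and bytes per listed range."""
    blocked = [v for v in verdicts if v["action"] == "block"]
    return {
        "blocked": len(blocked),
        "allowed": len(verdicts) - len(blocked),
        "blocked_bytes": sum(v["flow"]["bytes"] for v in blocked),
        "by_range": dict(Counter(v["match"][2] for v in blocked)),
    }


def run(flows=FLOWS, entries=BLOCKLIST, exceptions=ALLOW_EXCEPTIONS, now=NOW):
    active, retired = review_blocklist(entries, now)
    verdicts = classify_flows(flows, active, exceptions, now)
    report = summarize(verdicts)
    report["retired_ranges"] = [e["cidr"] for e in retired]  # queue these for re-review
    return report, verdicts


if __name__ == "__main__":
    report, verdicts = run()
    for v in verdicts:
        print(v["action"].upper(), v["flow"]["src"], "->", v["flow"]["dst"], v["match"] or "")
    print(report)
```

The two decisions worth noting are the ones the guide's feedback and review recommendations exist for: the excepted host in 198.51.100.0/25 is allowed even though its range is listed, and the 192.0.2.0/24 entry is retired rather than enforced because no source has re-confirmed it within the review window, so stale intelligence cannot silently keep blocking traffic.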
Similar Happenings
Sanctions imposed on Russian bulletproof hosting providers Media Land, ML.Cloud, and Aeza Group over ransomware support
The U.S., U.K., and Australia have sanctioned Russian bulletproof hosting (BPH) providers Media Land, ML.Cloud, and Aeza Group, along with their executives, for supporting ransomware gangs and cybercrime operations. Media Land's infrastructure has been used by groups such as LockBit, BlackSuit, and Play, as well as in DDoS attacks against U.S. companies and critical infrastructure. The sanctions target four executives, Aleksandr Volosovik, Kirill Zatolokin, Yulia Pankova, and Andrei Kozlov, freezing their assets and exposing anyone who transacts with them to secondary sanctions. The UK-registered Hypercore, a front for Aeza Group, was also sanctioned. The sanctions aim to disrupt the services that let cybercriminals operate with impunity, targeting both the providers and their financial backers. Five Eyes agencies released joint guidance to help mitigate cybercriminal activity using BPH infrastructure, advising traffic analysis, filtering, and customer verification. The coordinated sanctions freeze property and business interests in the US, UK, and Australia, making it harder for the entities to transact with the West through legitimate banking channels.
VPS Infrastructure Abused for Stealthy SaaS Account Compromises
Threat actors are abusing commercial virtual private server (VPS) infrastructure to set up attack infrastructure quickly and discreetly, a tactic observed in coordinated SaaS account compromises across multiple customer environments. VPSs are favored for their low cost, rapid deployment, and minimal open-source intelligence footprint, and their use in SaaS-targeted campaigns has grown because it lets attackers bypass geolocation-based defenses, evade IP reputation checks, mimic local traffic, and blend into legitimate behavior, making detection and tracking harder.

The SystemBC proxy botnet, active since at least 2019 and used by various threat actors including ransomware gangs to deliver payloads, is the clearest example. It is built for volume with little concern for stealth: it has over 80 command-and-control (C2) servers and a daily average of about 1,500 bots, nearly 80% of which are compromised VPS systems from several large commercial providers. It also powers other criminal proxy services, including REM Proxy and a Vietnamese-based proxy network known as VN5Socks or Shopsocks5. REM Proxy is itself a sizeable network that markets a pool of 20,000 Mikrotik routers alongside open proxies it finds freely available online.

Close to 40% of the compromises have "extremely long average" infection lifespans of more than 31 days, and the vast majority of the victimized servers are susceptible to several known security flaws: on average each victim has 20 unpatched CVEs and at least one critical CVE, and one identified VPS server in the U.S. city of Atlanta was vulnerable to more than 160 unpatched CVEs. The IP address 104.250.164[.]214 hosts the artifacts and appears to be the source of the attacks used to recruit new victims. SystemBC is also used to brute-force WordPress site credentials, which are likely sold to brokers for malicious code injection. Across multiple years the botnet has shown sustained activity and operational resilience, establishing itself as a persistent vector in the cyber threat landscape.