Acquire Infrastructure: Virtual Private Server

Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure. Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)

ID: T1583.003
Sub-technique of: T1583
Tactic(s): Resource Development
Platforms: PRE
Data Sources: Internet Scan: Response Content, Internet Scan: Response Metadata
Version: 1.1
Created: 01 Oct 2020
Last Modified: 15 Apr 2025

Procedure Examples

Name Description
Gamaredon Group

Gamaredon Group has used VPS hosting providers for infrastructure outside of Russia.(Citation: unit42_gamaredon_dec2022)

APT28

APT28 hosted phishing domains on free services for brief periods of time during campaigns.(Citation: Leonard TAG 2023)

FLORAHOX Activity

FLORAHOX Activity has used acquired Virtual Private Servers as control systems for the ORB network.(Citation: ORB Mandiant)

J-magic Campaign

During the J-magic Campaign, threat actors acquired VPS for use in C2.(Citation: Lumen J-Magic JAN 2025)

C0032

During the C0032 campaign, TEMP.Veles used Virtual Private Server (VPS) infrastructure.(Citation: FireEye TRITON 2019)

Ember Bear

Ember Bear has used virtual private servers (VPSs) to host tools, perform reconnaissance, exploit victim infrastructure, and as a destination for data exfiltration.(Citation: CISA GRU29155 2024)

ArcaneDoor

ArcaneDoor included the use of dedicated, adversary-controlled virtual private servers for command and control.(Citation: Cisco ArcaneDoor 2024)

LAPSUS$

LAPSUS$ has used VPS hosting providers for infrastructure.(Citation: MSTIC DEV-0537 Mar 2022)

Sea Turtle

Sea Turtle created adversary-in-the-middle servers to impersonate legitimate services and enable credential capture.(Citation: Talos Sea Turtle 2019)

Winter Vivern

Winter Vivern used adversary-owned and -controlled servers to host web vulnerability scanning applications.(Citation: SentinelOne WinterVivern 2023)

CURIUM

CURIUM created virtual private server instances to facilitate use of malicious domains and other items.(Citation: PWC Yellow Liderc 2023)

BlackByte

BlackByte staged encryption keys on virtual private servers operated by the adversary.(Citation: FBI BlackByte 2022)

KV Botnet Activity

KV Botnet Activity used acquired Virtual Private Servers as control systems for devices infected with KV Botnet malware.(Citation: Lumen KVBotnet 2023)

Axiom

Axiom has used VPS hosting providers in targeting of intended victims.(Citation: Novetta-Axiom)

Moonstone Sleet

Moonstone Sleet registered virtual private servers to host payloads for download.(Citation: Microsoft Moonstone Sleet 2024)

Dragonfly

Dragonfly has acquired VPS infrastructure for use in malicious campaigns.(Citation: Gigamon Berserk Bear October 2021)

TEMP.Veles

TEMP.Veles has used Virtual Private Server (VPS) infrastructure.(Citation: FireEye TRITON 2019)

APT42

APT42 has used anonymized infrastructure and Virtual Private Servers (VPSs) to interact with the victim’s environment.(Citation: Mandiant APT42-charms)(Citation: Mandiant APT42-untangling)

SPACEHOP Activity

SPACEHOP Activity has used acquired Virtual Private Servers as control systems for devices within the ORB network.(Citation: ORB Mandiant)

HAFNIUM

HAFNIUM has operated from leased virtual private servers (VPS) in the United States.(Citation: Microsoft HAFNIUM March 2020)

Mitigations

Mitigation Description
Pre-compromise

Pre-compromise mitigations involve proactive measures and defenses implemented to prevent adversaries from successfully identifying and exploiting weaknesses during the Reconnaissance and Resource Development phases of an attack. These activities focus on reducing an organization's attack surface, identifying adversarial preparation efforts, and increasing the difficulty for attackers to conduct successful operations. This mitigation can be implemented through the following measures:

Limit Information Exposure:
- Regularly audit and sanitize publicly available data, including job posts, websites, and social media.
- Use tools like OSINT monitoring platforms (e.g., SpiderFoot, Recon-ng) to identify leaked information.

Protect Domain and DNS Infrastructure:
- Enable DNSSEC and use WHOIS privacy protection.
- Monitor for domain hijacking or lookalike domains using services like RiskIQ or DomainTools.

External Monitoring:
- Use tools like Shodan or Censys to monitor your external attack surface.
- Deploy external vulnerability scanners to proactively address weaknesses.

Threat Intelligence:
- Leverage platforms like MISP, Recorded Future, or Anomali to track adversarial infrastructure, tools, and activity.

Content and Email Protections:
- Use email security solutions like Proofpoint, Microsoft Defender for Office 365, or Mimecast.
- Enforce SPF/DKIM/DMARC policies to protect against email spoofing.

Training and Awareness:
- Educate employees on identifying phishing attempts, securing their social media, and avoiding information leaks.

Detection

Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021) Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
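As an added example (not part of the ATT&CK page or of any cited report), the following Python scores internet-scan records against several of the response artifacts named above (certificate serial and subject, TLS self-signing, HTTP banner and status), requiring more than one weak signal before a host is flagged. Every record, IP address, serial, header value and rule is a constructed placeholder, not a real indicator.

```python
from __future__ import annotations
from dataclasses import dataclass, field

def rec(ip, port, cn, serial, self_signed, server, status):
    """Build a scan record shaped loosely like Shodan/Censys JSON (constructed)."""
    return {"ip": ip, "port": port,
            "tls": {"cert": {"subject_cn": cn, "serial": serial, "self_signed": self_signed}},
            "http": {"headers": {"Server": server}, "status": status}}

SCAN_RECORDS = [  # constructed sample; every value is a placeholder, not a real indicator
    rec("203.0.113.10", 443, "localhost", "DEADBEEF0001", True, "Apache", 404),
    rec("203.0.113.11", 443, "www.example.com", "1A2B3C", False, "nginx", 200),
    rec("203.0.113.12", 8443, "localhost", "CAFE0002", True, "Apache", 404),
]

@dataclass(frozen=True)
class Fingerprint:
    """One response-artifact rule; fields left None are not checked."""
    name: str
    weight: int                      # strong signals (known serial) outweigh weak ones
    subject_cn: str | None = None
    self_signed: bool | None = None
    serials: frozenset = frozenset()
    headers: dict = field(default_factory=dict)
    status: int | None = None

# Hypothetical rule set (constructed); a real hunt would load vendor-published values.
RULES = [
    Fingerprint("default-cert-serial", 5, serials=frozenset({"DEADBEEF0001"})),
    Fingerprint("self-signed-localhost-cert", 2, subject_cn="localhost", self_signed=True),
    Fingerprint("apache-banner-with-404-root", 2, headers={"Server": "Apache"}, status=404),
]

def matches(rule, r):
    cert, http = r.get("tls", {}).get("cert", {}), r.get("http", {})
    return ((rule.subject_cn is None or cert.get("subject_cn") == rule.subject_cn)
            and (rule.self_signed is None or cert.get("self_signed") == rule.self_signed)
            and (not rule.serials or cert.get("serial") in rule.serials)
            and all(http.get("headers", {}).get(k) == v for k, v in rule.headers.items())
            and (rule.status is None or http.get("status") == rule.status))

def score_record(r, rules=RULES):
    """Sum the weights of every matching rule; return (score, matched rule names)."""
    hits = [rule for rule in rules if matches(rule, r)]
    return sum(rule.weight for rule in hits), [rule.name for rule in hits]

def hunt(records=SCAN_RECORDS, rules=RULES, threshold=4):
    """Hosts scoring at or above threshold, as (ip, port, score, names), best first."""
    scored = [(r["ip"], r["port"], *score_record(r, rules)) for r in records]
    return sorted((t for t in scored if t[2] >= threshold), key=lambda t: -t[2])
```

Flagged hosts are leads for enrichment (certificate history, hosting provider, first-seen date), not verdicts: a self-signed certificate plus a bare web server banner is common on legitimate test systems, which is why the threshold sits above any single weak signal.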

References

  1. Miller, S., et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  2. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
  3. Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.
  4. Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.
  5. Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.
  6. Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
  7. Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.
  8. Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.
  9. Black Lotus Labs. (2025, January 23). The J-Magic Show: Magic Packets and Where to find them. Retrieved February 17, 2025.
  10. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  11. Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.
  12. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  13. Cisco Talos. (2019, April 17). Sea Turtle: DNS Hijacking Abuses Trust In Core Internet Service. Retrieved November 20, 2024.
  14. Tom Hegel. (2023, March 16). Winter Vivern | Uncovering a Wave of Global Espionage. Retrieved July 29, 2024.
  15. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
  16. US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.
  17. Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
  18. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  19. Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
  20. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
  21. Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024.
  22. Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.
  23. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
