
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,320 of 2,445   
   Mike Powell to All   
   Russian bulletproof hosti   
   21 Apr 25 07:44:00   
   
   TZUTC: -0500   
   MSGID: 1053.consprcy@1:2320/105 2c6b782c   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   Russian bulletproof hosting system targeted by hackers to spread malware   
      
   Date:   
   Mon, 21 Apr 2025 11:01:00 +0000   
      
   Description:   
   Cybercriminals are using Proton66 for a range of activities, researchers say.   
      
   FULL STORY   
      
   Proton66, a Russian bulletproof hosting service provider, is being used to   
   spread malware, ransomware, mount phishing attacks, and more, experts have   
   warned.   
      
   Researchers from Trustwave warned the malicious activity has picked up in   
   recent weeks, stating how, "Starting from January 8, 2025, SpiderLabs observed   
   an increase in mass scanning, credential brute forcing, and exploitation   
   attempts originating from Proton66 ASN targeting organizations worldwide."   
      
   Although malicious activity was seen in the past, the spike and sudden    
   decline observed later in February 2025 were notable, and offending IP   
   addresses were investigated.    
      
   Whoever is behind these activities is looking to exploit a number of   
   vulnerabilities, including an authentication bypass flaw in Palo Alto   
   Networks PAN-OS (CVE-2025-0108), an insufficient input validation flaw in the   
   NuPoint Unified Messaging (NPM) component of Mitel MiCollab (CVE-2024-41713),   
   a command injection vulnerability in D-LINK's NAS (CVE-2024-10914), and an   
   authentication bypass in Fortinet's FortiOS (CVE-2024-55591 and   
   CVE-2025-24472).   
      
   The two FortiOS flaws were previously exploited by the initial access broker   
   Mora_001, which has also been seen dropping a new ransomware variant called   
   SuperBlack.    
      
   The same publication also said that several malware families hosted their C2   
   servers on Proton66, including GootLoader and SpyNote.    
      
   Furthermore, Trustwave said XWorm, StrelaStealer, and a ransomware named   
   WeaXor were all being distributed through Proton66.    
      
   Finally, crooks are allegedly using compromised WordPress sites related to a   
   Proton66-linked IP address to redirect Android users to phishing pages that   
   spoof Google Play app listings and try to trick users into downloading   
   malware.    
      
   To mitigate the risk against Proton66-linked threats, users should block all   
   the Classless Inter-Domain Routing (CIDR) ranges associated with the company   
   and Chang Way Technologies. The latter is a Hong Kong-based provider that is   
   likely related to Proton66.   
      
   So-called bulletproof hosting is a type of hosting service that is advertised   
   as being immune to takedowns and legal action, but there have been examples    
   in the past when bulletproof hosting ends up yielding in the end.    
      
   At this time, the fact that Proton66 is a Russian service probably makes it   
   somewhat bulletproof for Western users. However, politics change as the wind,   
   and what Russia protected yesterday could be traded tomorrow.    
      
    Via The Hacker News   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/russian-bulletproof-hosting-system-targeted-by-hackers-to-spread-malware   
      
   $$   
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30   
   SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35   
   PATH: 2320/105 229/426   
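
The story's mitigation is to block the provider's CIDR ranges; a companion step is to sweep existing logs for traffic already seen from those ranges. The sketch below is an added example, not part of the original message or article. The prefixes are documentation-range placeholders (the message lists no ranges), the log lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Placeholder prefixes (RFC 5737 / RFC 3849 documentation ranges), NOT the
# provider's real allocations. Substitute the ranges from your threat intel.
BLOCKED_CIDRS = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24",
                 "2001:db8:66::/48"]

# Constructed sample log lines (sshd- and web-style), for illustration only.
SAMPLE_LOG = """\
Apr 21 07:01:12 gw sshd[811]: Failed password for root from 192.0.2.77 port 50122 ssh2
Apr 21 07:01:13 gw sshd[811]: Failed password for admin from 192.0.2.200 port 50123 ssh2
203.0.113.9 - - [21/Apr/2025:07:02:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.14 - - [21/Apr/2025:07:02:05 +0000] "GET /login HTTP/1.1" 401 0
Apr 21 07:03:40 gw sshd[902]: Failed password for root from 2001:db8:66::beef port 4022 ssh2
Apr 21 07:04:00 gw app: version 1.2.3.4567 started, peer 999.1.1.1 ignored
"""

# Candidate tokens: runs of hex digits, dots and colons. Validation is left to
# the ipaddress module so timestamps and version strings are rejected.
TOKEN = re.compile(r"[0-9A-Fa-f:.]{3,}")

def load_networks(cidrs):
    """Parse CIDR strings and merge adjacent/overlapping prefixes per family."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)

def addresses_in(line):
    """Yield every syntactically valid IPv4/IPv6 address found in a log line."""
    for tok in TOKEN.findall(line):
        try:
            yield ipaddress.ip_address(tok.rstrip("."))
        except ValueError:
            continue  # timestamp, port, version string, out-of-range octet...

def hunt(log_text, networks):
    """Count log entries whose addresses fall inside any blocked network."""
    hits = Counter()
    for line in log_text.splitlines():
        for addr in addresses_in(line):
            for net in networks:
                if addr.version == net.version and addr in net:
                    hits[str(net)] += 1
    return hits

if __name__ == "__main__":
    for net, count in hunt(SAMPLE_LOG, load_networks(BLOCKED_CIDRS)).items():
        print(f"{net}\t{count} matching log entries")
```

Addresses written as `ip:port` in one token are not matched by this sketch; split such fields before feeding lines in.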
      
