Full Report
One of the most notorious providers of abuse-friendly "bulletproof" web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm Kaspersky Lab, KrebsOnSecurity has learned.
Analysis Summary
# Incident Report: Bulletproof Hosting Provider Routes Traffic Through Kaspersky Networks
## Executive Summary
A notorious bulletproof web hosting provider, Prospero OOO (operating under names like Securehost and BEARHOST), which has a history of hosting malware, botnets, and phishing sites, was discovered routing its operations through the networks of the Russian security firm Kaspersky Lab. This connection suggests that Kaspersky is providing network transit or DDoS protection services to an entity widely known for enabling cybercrime, raising significant geopolitical and security concerns regarding potential intelligence gathering.
## Incident Details
- Discovery Date: Earlier this week (relative to the report)
- Incident Date: Relationship began at the beginning of December 2024.
- Affected Organization: Prospero OOO (Bulletproof Host), Kaspersky Lab (Transit Provider)
- Sector: Cybercrime Enablers/Security Software
- Geography: Russia-based businesses
## Timeline of Events
### Initial Access (to the internet infrastructure)
- Date/Time: Beginning of December 2024
- Vector: Network Transit/Peering Agreement
- Details: Prospero OOO (AS200593) began routing its Internet traffic through Autonomous System AS209030, which is operated by Kaspersky Lab in Moscow.
### Lateral Movement
- *Not applicable in the traditional network sense, as this concerns infrastructure routing.* The compromise here is *reputational* and *operational access* rather than network intrusion. Prospero has historically hosted control servers for ransomware gangs and malware distribution operations like SocGholish and GootLoader.
### Data Exfiltration/Impact
- The primary impact is not a breach but the continued operation of a major cybercrime infrastructure provider (Prospero) behind the network of a well-known security vendor (Kaspersky), which lends the host a measure of legitimacy and makes it harder to isolate.
- Prospero’s networks have been associated with hosting command and control (C2) servers for ransomware operations.
### Detection & Response
- Detection Method: Spamhaus observed the change in Prospero's upstream in public BGP routing data (the AS_PATH for AS200593's prefixes now traverses AS209030). Kentik confirmed from historical routing records that the arrangement began at the start of December 2024.
- Response actions taken: Researchers reported the findings to KrebsOnSecurity, and the wider security community raised awareness. Kaspersky did not respond to requests for comment.
## Attack Methodology
- Initial Access: **Network Configuration/Service Provisioning**. Kaspersky appears to be providing network connectivity (transit or DDoS protection) to Prospero's infrastructure (AS200593).
- Persistence: **Infrastructure Support.** Prospero maintains its ability to operate abuse-friendly hosting services shielded by Kaspersky's network.
- Privilege Escalation: *Not applicable.*
- Defense Evasion: Prospero prides itself on evading blocks from organizations like Spamhaus, and routing through Kaspersky may assist in maintaining this evasion.
- Credential Access: *Related activity involved malware previously hosted, but not the primary incident.*
- Discovery: Reconnaissance of Prospero’s C2 activity by Intrinsec; subsequent BGP analysis (Spamhaus/Kentik) revealed the routing change.
- Lateral Movement: *Not applicable.*
- Collection: Prospero has hosted infrastructure for malware loaders like GootLoader and SocGholish.
- Exfiltration: *Related activity involves data theft facilitated by malware hosted on Prospero.*
- Impact: **Enabling Cybercrime** by providing connectivity to a major bulletproof host.
## Impact Assessment
- Financial: Not quantified; the continued operation of ransomware and phishing infrastructure implies ongoing losses for victims. Kaspersky's network (AS209030) also carries significant financial institutions, including Alfa-Bank, so the same network now serves both a major bank and an abuse-friendly host.
- Data Breach: Prospero has historically hosted infrastructure used for distribution of various malware types, increasing broad external risk of data compromise.
- Operational: No direct operational disruption to Kaspersky or Prospero results from the identification itself; the arrangement does, however, undermine global efforts to block cybercrime infrastructure at the network level.
- Reputational: Highly damaging to Kaspersky's reputation, especially given previous U.S. DHS/Commerce bans predicated on espionage concerns.
## Indicators of Compromise
- Network Indicators: AS200593 (Prospero OOO), AS209030 (Kaspersky Lab). Autonomous system numbers are not defanged; they are identifiers, not links or addresses.
- File Indicators: None specific to this report. Prospero's hosting has historically been associated with the SocGholish and GootLoader malware families.
- Behavioral Indicators: Routinely ignoring abuse complaints (bulletproof hosting behavior).
## Response Actions
- Containment: External reporting and public exposure of the routing arrangement.
- Eradication: Not applicable (no systems were directly breached by this analysis).
- Recovery Actions: Unclear, pending response from Kaspersky Lab or potential upstream pressure on the peering relationship.
## Lessons Learned
- The nexus between established cybersecurity vendors and major cybercrime enablers remains a critical blind spot, even in infrastructure routing.
- Reputation alone (past recognition for security research) does not preclude potential risk or problematic business relationships for security firms.
- The operational connections (like DDoS protection service purchases) between legitimate firms and illicit hosts need intensive scrutiny as they can provide critical infrastructure shielding.
## Recommendations
- Security organizations and researchers must continue robust infrastructure monitoring, including BGP route analysis, to detect shifts in how illicit infrastructure connects to the legitimate internet.
- Organizations that provide critical infrastructure services (transit, DDoS mitigation) must rigorously vet their customers, especially when dealing with entities known for abuse (like Prospero).
- Global stakeholders relying on Kaspersky products should continually reassess risk based on the company's current operational partnerships.
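The detection described above (Spamhaus and Kentik spotting the upstream change from routing records) and the recommendation to monitor BGP route analysis both come down to one check: watch the AS_PATH of the prefixes an origin ASN announces and alert when a new neighbour appears next to it. The following is an added example, not code from KrebsOnSecurity, Spamhaus, or Kentik. It assumes a route-collector-style text dump with one route per line as "prefix AS_PATH"; the prefixes and paths in the two snapshots are constructed for illustration and are not real routing data. The ASN constants are the two from the report.

```python
"""Detect a change in an origin ASN's apparent upstreams from AS_PATH data.

Added example, not taken from the article or from any vendor tooling. Input is
assumed to be one route per line, "prefix  AS_PATH", as in a route collector's
text table dump. The snapshots below are constructed sample data.
"""
import re
from collections import defaultdict

PROSPERO_ASN = 200593    # AS200593, Prospero OOO (from the report)
KASPERSKY_ASN = 209030   # AS209030, Kaspersky Lab (from the report)

# Constructed "before" snapshot: AS200593 reached only via a hypothetical upstream AS3216.
SNAPSHOT_NOVEMBER = """\
192.0.2.0/24    174 3216 200593
198.51.100.0/24 3356 3216 3216 200593
203.0.113.0/24  6939 3216 200593
"""

# Constructed "after" snapshot: two of the prefixes now arrive via AS209030.
SNAPSHOT_DECEMBER = """\
192.0.2.0/24    174 209030 200593
198.51.100.0/24 3356 209030 209030 200593
203.0.113.0/24  6939 3216 200593
"""


def parse_as_path(path: str) -> list[int]:
    """Return the AS_PATH as ASNs with prepends collapsed and any AS_SET
    ({65000,65001}) flattened into its members, preserving order."""
    collapsed: list[int] = []
    for tok in re.findall(r"\d+", path):   # matches ASNs inside {...} as well
        asn = int(tok)
        if not collapsed or collapsed[-1] != asn:   # drop consecutive repeats
            collapsed.append(asn)
    return collapsed


def parse_table(text: str) -> list[tuple[str, list[int]]]:
    """Parse "prefix AS_PATH" lines; blank lines and '#' comments are skipped."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue   # malformed line, ignore rather than abort the whole scan
        routes.append((parts[0], parse_as_path(parts[1])))
    return routes


def upstreams_of(text: str, origin: int) -> dict[int, set[str]]:
    """Map each ASN adjacent to `origin` at the end of an AS_PATH (its apparent
    upstream) to the set of prefixes observed through that neighbour."""
    seen: dict[int, set[str]] = defaultdict(set)
    for prefix, path in parse_table(text):
        if len(path) < 2 or path[-1] != origin:
            continue   # not originated by the ASN being watched
        seen[path[-2]].add(prefix)
    return dict(seen)


def diff_upstreams(before: str, after: str, origin: int) -> tuple[set[int], set[int]]:
    """Return (new_upstreams, dropped_upstreams) for `origin` between two snapshots."""
    old = set(upstreams_of(before, origin))
    new = set(upstreams_of(after, origin))
    return new - old, old - new


if __name__ == "__main__":
    added, dropped = diff_upstreams(SNAPSHOT_NOVEMBER, SNAPSHOT_DECEMBER, PROSPERO_ASN)
    after = upstreams_of(SNAPSHOT_DECEMBER, PROSPERO_ASN)
    for asn in sorted(added):
        print(f"ALERT: AS{PROSPERO_ASN} now seen behind AS{asn} "
              f"for {sorted(after[asn])}")
    for asn in sorted(dropped):
        print(f"note: AS{asn} no longer adjacent to AS{PROSPERO_ASN}")
```

Run against real data, the same functions apply to a RouteViews or RIPE RIS table export once it is reduced to "prefix AS_PATH" lines. Two caveats a practitioner should keep in mind: prepending is collapsed so a neighbour that prepends itself is still counted once, and adjacency in the AS_PATH identifies the announcing neighbour, which is normally a transit provider but can also be a DDoS scrubbing service announcing on the customer's behalf, which is exactly the ambiguity (transit versus DDoS protection) the report leaves open.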