VulnHub

Real-time Cybersecurity News

CISA Releases Guide to Mitigate Risks from Bulletproof Hosting Providers

All CISA Advisories
RansomwarePhishingMalwareCritical

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has released a guide to help Internet Service Providers (ISPs) mitigate risks associated with Bulletproof Hosting (BPH) providers that facilitate cybercriminal activities like ransomware and phishing. The guide emphasizes the importance of collaboration and proactive measures to reduce the effectiveness of BPH infrastructure, which poses significant threats to critical systems and services.

Key Takeaways

  • Affected Systems: Bulletproof Hosting providers, cybercriminal activities including ransomware, phishing, malware delivery, denial-of-service attacks.
  • Action Required: Curate malicious resource lists, implement filters to block malicious traffic, analyze network traffic for anomalies, use logging systems to track ASNs and IP addresses, share intelligence with public and private entities, notify customers about malicious resources, provide premade filters, set accountability standards, and vet customers to prevent BPH abuse.
  • Timeline: Newly disclosed

Original Article Summary

Today, Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the U.S. National Security Agency, U.S. Department of Defense Cyber Crime Center, U.S. Federal Bureau of Investigation, and international partners, released the guide Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers to help Internet Service Providers (ISPs) and network defenders mitigate cybercriminal activity enabled by Bulletproof Hosting (BPH) providers. A BPH provider is an internet infrastructure provider that knowingly leases infrastructure to cybercriminals. These providers enable malicious activities such as ransomware, phishing, malware delivery, and denial-of-service (DoS) attacks, posing an imminent and significant risk to the resilience and safety of critical systems and services. The guide provides recommendations to reduce the effectiveness of BPH infrastructure while minimizing disruptions to legitimate activity. Key Recommendations for ISPs and Network Defenders: Curate malicious resource lists: Use threat intelligence feeds and sharing channels to build lists of malicious resources. Implement filters: Apply filters to block malicious traffic while avoiding disruptions to legitimate activity. Analyze traffic: Monitor network traffic to identify anomalies and supplement malicious resource lists. Use logging systems: Record Autonomous System Numbers (ASNs) and IP addresses, issue alerts for malicious activity, and keep logs updated. Share intelligence: Collaborate with public and private entities to strengthen cybersecurity defenses. Additional Recommendations for ISPs: Notify customers: Inform customers about malicious resource lists and filters, with opt-out options. Provide filters: Offer premade filters for customers to apply in their networks. Set accountability standards: Work with other ISPs to create codes of conduct for BPH abuse prevention. Vet customers: Collect and verify customer information to prevent BPH providers from leasing ISP infrastructure. CISA and its partners urge ISPs and network defenders to implement these recommendations to mitigate risks posed by BPH providers. By reducing the effectiveness of BPH infrastructure, defenders can force cybercriminals to rely on legitimate providers that comply with legal processes. For more information, visit the full guide.

Impact

Bulletproof Hosting providers, cybercriminal activities including ransomware, phishing, malware delivery, denial-of-service attacks.

Exploitation Status

The exploitation status is currently unknown. Monitor vendor advisories and security bulletins for updates.

Timeline

Newly disclosed

Remediation

Curate malicious resource lists, implement filters to block malicious traffic, analyze network traffic for anomalies, use logging systems to track ASNs and IP addresses, share intelligence with public and private entities, notify customers about malicious resources, provide premade filters, set accountability standards, and vet customers to prevent BPH abuse.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to Ransomware, Phishing, Malware, and 1 more.

Read Original Article

Related Coverage

Zombie linkages are keeping expired domains trusted for years

Help Net Security

Researchers from USC and the University of Twente have identified a significant issue with expired domains, which can continue to hold trust long after they have changed hands. This phenomenon, referred to as 'zombie linkages,' occurs in systems like Web PKI, Maven Central, and Ethereum Name Service. When a domain expires and is transferred to a new owner, the systems still recognize and trust the previous owner, potentially allowing malicious actors to exploit this trust. This lingering trust can create security risks, as users may unknowingly interact with compromised or malicious domains. Addressing this problem is crucial for maintaining the integrity of online systems and protecting users from potential fraud or exploitation.

May 15, 2026

You're not going to patch your way out of this - PSW #926

SCM feed for Latest

A recent cybersecurity article warns about a significant vulnerability that cannot simply be fixed by applying patches. The issue affects multiple software systems and could leave users exposed if not addressed comprehensively. Researchers emphasize that traditional patch management strategies may not suffice, as attackers could exploit underlying flaws. This situation puts organizations at risk of data breaches and financial losses. The need for a more thorough approach to security is critical for companies relying on these systems.

May 14, 2026

Maximum Severity Cisco SD-WAN Bug Exploited in the Wild

darkreading

A serious vulnerability in Cisco's SD-WAN network control system has been actively exploited, marking the second time this year that attackers have taken advantage of a CVSS 10.0 flaw. This critical bug poses a significant risk as it allows unauthorized access to the network, potentially compromising sensitive data and systems. Organizations using Cisco SD-WAN solutions should be particularly vigilant, as the severity of this vulnerability makes it a prime target for malicious actors. It's crucial for affected users to stay informed about the latest security updates and apply any available patches to mitigate risks associated with this vulnerability.

May 14, 2026

White House cyber official: identity security matters more than ever in the age of AI

CyberScoop

A White House cybersecurity official emphasized the growing risks associated with identity security in the context of artificial intelligence. During a recent address, the official pointed out that attackers are increasingly exploiting weak identity management systems to launch their attacks, particularly as AI tools become more prevalent. Organizations that fail to secure their identity systems are leaving themselves vulnerable to significant damage. This situation underscores the need for companies to prioritize identity security measures, especially as AI capabilities evolve. The official's remarks serve as a call to action for businesses and government agencies to enhance their identity protection strategies to mitigate potential threats.

May 14, 2026

Linux Kernel bug Fragnesia allows local root access attacks

Security Affairs

Researchers have identified a new vulnerability in the Linux kernel, named Fragnesia and tracked as CVE-2026-46300, which could allow local attackers to gain root access through page cache corruption. This flaw affects the XFRM ESP-in-TCP subsystem and has a CVSS score of 7.8, indicating a significant risk. If exploited, it could enable attackers to take complete control of the affected systems. It's crucial for users of affected Linux systems to be aware of this vulnerability and take necessary precautions. The disclosure of this flaw highlights ongoing security challenges within the Linux ecosystem.

May 14, 2026

Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets

The Hacker News

Researchers have identified malicious code in three versions of the popular npm package node-ipc, specifically versions 9.1.6, 9.2.3, and 12.0.1. This backdoor allows attackers to steal sensitive developer credentials and secrets. Users who have installed these versions are at risk of their private data being compromised. The discovery raises concerns for developers and organizations relying on this package for their applications. Immediate action is needed to mitigate potential damage and secure development environments.

May 14, 2026