VulnHub

Real-time Cybersecurity News

CISA Releases Guide to Mitigate Risks from Bulletproof Hosting Providers

All CISA Advisories
RansomwarePhishingMalwareCritical

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has released a guide to help Internet Service Providers (ISPs) mitigate risks associated with Bulletproof Hosting (BPH) providers that facilitate cybercriminal activities like ransomware and phishing. The guide emphasizes the importance of collaboration and proactive measures to reduce the effectiveness of BPH infrastructure, which poses significant threats to critical systems and services.

Key Takeaways

  • Affected Systems: Bulletproof Hosting providers, cybercriminal activities including ransomware, phishing, malware delivery, denial-of-service attacks.
  • Action Required: Curate malicious resource lists, implement filters to block malicious traffic, analyze network traffic for anomalies, use logging systems to track ASNs and IP addresses, share intelligence with public and private entities, notify customers about malicious resources, provide premade filters, set accountability standards, and vet customers to prevent BPH abuse.
  • Timeline: Newly disclosed

Original Article Summary

Today, Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the U.S. National Security Agency, U.S. Department of Defense Cyber Crime Center, U.S. Federal Bureau of Investigation, and international partners, released the guide Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers to help Internet Service Providers (ISPs) and network defenders mitigate cybercriminal activity enabled by Bulletproof Hosting (BPH) providers. A BPH provider is an internet infrastructure provider that knowingly leases infrastructure to cybercriminals. These providers enable malicious activities such as ransomware, phishing, malware delivery, and denial-of-service (DoS) attacks, posing an imminent and significant risk to the resilience and safety of critical systems and services. The guide provides recommendations to reduce the effectiveness of BPH infrastructure while minimizing disruptions to legitimate activity. Key Recommendations for ISPs and Network Defenders: Curate malicious resource lists: Use threat intelligence feeds and sharing channels to build lists of malicious resources. Implement filters: Apply filters to block malicious traffic while avoiding disruptions to legitimate activity. Analyze traffic: Monitor network traffic to identify anomalies and supplement malicious resource lists. Use logging systems: Record Autonomous System Numbers (ASNs) and IP addresses, issue alerts for malicious activity, and keep logs updated. Share intelligence: Collaborate with public and private entities to strengthen cybersecurity defenses. Additional Recommendations for ISPs: Notify customers: Inform customers about malicious resource lists and filters, with opt-out options. Provide filters: Offer premade filters for customers to apply in their networks. Set accountability standards: Work with other ISPs to create codes of conduct for BPH abuse prevention. Vet customers: Collect and verify customer information to prevent BPH providers from leasing ISP infrastructure. CISA and its partners urge ISPs and network defenders to implement these recommendations to mitigate risks posed by BPH providers. By reducing the effectiveness of BPH infrastructure, defenders can force cybercriminals to rely on legitimate providers that comply with legal processes. For more information, visit the full guide.

Impact

Bulletproof Hosting providers, cybercriminal activities including ransomware, phishing, malware delivery, denial-of-service attacks.

Exploitation Status

The exploitation status is currently unknown. Monitor vendor advisories and security bulletins for updates.

Timeline

Newly disclosed

Remediation

Curate malicious resource lists, implement filters to block malicious traffic, analyze network traffic for anomalies, use logging systems to track ASNs and IP addresses, share intelligence with public and private entities, notify customers about malicious resources, provide premade filters, set accountability standards, and vet customers to prevent BPH abuse.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to Ransomware, Phishing, Malware, and 1 more.

Read Original Article

Related Coverage

ShowDoc Vulnerability Patched in 2020 Now Used in Active Server Takeovers

Hackread – Cybersecurity News, Data Breaches, AI and More

Hackers are currently exploiting a vulnerability in ShowDoc, identified as CVE-2025-0520, which was discovered five years ago. This flaw allows attackers to deploy web shells, enabling remote code execution (RCE) and complete server takeovers on affected systems. The exploitation of this vulnerability is happening globally, impacting various organizations that use ShowDoc. It’s crucial for users and companies to address this issue promptly to prevent unauthorized access and potential data breaches. Security teams should prioritize patching their systems to mitigate the risk posed by this vulnerability.

Apr 18, 2026

Operation PowerOFF: 75K Users of DDoS-for-Hire Services Identified and Warned

Hackread – Cybersecurity News, Data Breaches, AI and More

Operation PowerOFF has successfully identified and issued warnings to around 75,000 users of DDoS-for-hire services. This initiative, led by Europol, resulted in four arrests and the seizure of 53 domains associated with these illegal services. DDoS-for-hire, also known as 'booting', involves paying individuals or groups to launch distributed denial-of-service attacks against targeted websites or networks, causing disruption. The crackdown not only targets the providers but also the users who engage in these activities, highlighting the ongoing efforts to combat cybercrime. Users involved in these services face potential legal consequences, which raises awareness about the risks of participating in such illicit activities.

Apr 18, 2026

$13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims

The Hacker News

Grinex, a cryptocurrency exchange based in Kyrgyzstan and already sanctioned by the U.K. and U.S., has announced the suspension of its operations following a cyber attack that resulted in the theft of $13.74 million. The exchange claims this attack was orchestrated by foreign intelligence agencies, suggesting a coordinated effort rather than a random act of cybercrime. This incident raises concerns not only for Grinex but also for the broader cryptocurrency market, as it highlights vulnerabilities within exchanges, especially those already under scrutiny. The attack's implications could deter users from engaging with platforms that have been targeted, thereby affecting market confidence. As the investigation unfolds, the exchange and its users are left grappling with the fallout from this significant breach.

Apr 18, 2026

Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet

The Hacker News

Researchers from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 have identified that attackers are exploiting a command injection vulnerability, CVE-2024-3721, in TBK DVRs and outdated TP-Link Wi-Fi routers. This medium-severity flaw, which has a CVSS score of 6.3, allows malicious actors to hijack these devices to create a botnet for DDoS attacks. The compromised TBK DVRs and EoL TP-Link routers are particularly concerning as they can be easily targeted due to their lack of ongoing support and security updates. This situation poses a significant risk to users, as their devices can be turned into tools for larger-scale cyberattacks without their knowledge. Users of these devices should take immediate action to secure their systems against potential exploitation.

Apr 18, 2026

US imposes extended jail time on North Korean laptop farm facilitators

SCM feed for Latest

Kejia Wang and Zhenxing Wang, two residents of New Jersey, have been sentenced to nine years and nearly eight years in prison, respectively, for their roles in facilitating a North Korean laptop farm. This operation was part of a scheme that falsely represented IT workers, generating over $5 million for the North Korean regime. The laptop farm was used to support various illicit activities, highlighting the ongoing challenges posed by cyber operations linked to North Korea. The U.S. Department of Justice's actions aim to disrupt these types of operations and send a clear message against aiding sanctioned regimes. This incident serves as a reminder of the global reach of cybercrime and the importance of international cooperation in combating it.

Apr 17, 2026

Another PoC exploit released by 'BlueHammer' leaker after Microsoft dispute

SCM feed for Latest

A security researcher known as Chaotic Eclipse has released a proof-of-concept (PoC) exploit for a zero-day vulnerability in Microsoft Defender, identified as 'RedSun'. This follows the earlier disclosure of an exploit for another flaw in Defender, tracked as CVE-2026-33825, known as the BlueHammer flaw. The implications of these exploits are significant, as they expose users of Microsoft Defender to potential attacks that could compromise system security. Organizations using this antivirus solution should be particularly vigilant, as the release of these exploits could lead to increased attempts at exploitation by malicious actors. It's crucial for users to stay informed about updates from Microsoft regarding these vulnerabilities.

Apr 17, 2026