VPS servers hijacked into malware proxies - here's how to stay safe

News
By published

Lumen report details large SystemBC botnet

Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
(Image credit: Shutterstock)
  • SystemBC botnet hijacks VPS servers, making up 80% of its active proxy nodes
  • Infected VPS machines relay traffic for phishing, brute-force, and ransomware operations
  • Bots generate high-volume traffic daily, often staying active for weeks despite blacklisting

Cybercriminals are increasingly hijacking Virtual Private Servers (VPS) to build high-volume malware proxy networks, experts have warned.

Cybersecurity researchers at Lumen Technologies Black Lotus Labs recently detailed the works of the SyxtemBC botnet, active since early 2019, which has quietly amassed more than 80 command-and-control servers, and maintains an average of 1,500 active bots daily.

What makes this botnet stand out is the fact that nearly 80% of the compromised systems are Virtual Private Servers (VPS).

Cybercrime infrastructure

Usually, a botnet would rely on residential devices (computers, routers, smart home devices, DVRs, cameras, and similar), but SystemBC takes a different approach and exploits servers with dozens, sometimes hundreds, of unpatched vulnerabilities.

“While we could not determine the initial access vector used by SystemBC operators, our research revealed that, on average, each victim shows 20 unpatched CVEs and at least one critical CVE – with one address shown as having over 160 unpatched vulnerabilities,” the researchers explained.

These infected VPS machines are repurposed as proxy relays, enabling threat actors to route enormous volumes of malicious traffic for phishing, brute-force attacks, and ransomware operations, among other things.

To make matters worse, many of these compromised servers remain active for weeks, and 40% stay infected for more than a month.

There are numerous advantages to targeting VPS infrastructure instead of residential endpoints, Lumen further explains. VPS’ offers higher bandwidth, long infection lifespans, and minimal disruption to end users. This allows criminal proxy services, such as REM Proxy, or VN5Socks, to market these bots to other threat groups, including ransomware operators such as AvosLocker, or Morpheus.

Another thing that makes SystemBC stand out is its operators’ complete disregard of stealth. The bots routinely generate gigabytes of traffic per day and are quickly flagged and blacklisted. However, they continue to function as part of sprawling proxy networks.

Lumen has responded by blocking all traffic to and from SystemBC-related infrastructure across its global backbone and has released indicators of compromise to aid defenders, which can be found on this link.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.