Description
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)
Platforms
Mitigations (1)
Pre-compromiseM1056
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Threat Groups (16)
| ID | Group | Context |
|---|---|---|
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used VPS hosting providers for infrastructure outside of Russia.(Citation: unit42_gamared... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) hosted phishing domains on free services for brief periods of time during campaigns.(Citation: Leonard ... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has used virtual private servers (VPSs) to host tools, perform reconnaissance, exploit victim infr... |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has used VPS hosting providers for infrastructure.(Citation: MSTIC DEV-0537 Mar 2022) |
| G1041 | Sea Turtle | [Sea Turtle](https://attack.mitre.org/groups/G1041) created adversary-in-the-middle servers to impersonate legitimate services and enable credential c... |
| G1035 | Winter Vivern | [Winter Vivern](https://attack.mitre.org/groups/G1035) used adversary-owned and -controlled servers to host web vulnerability scanning applications.(C... |
| G1012 | CURIUM | [CURIUM](https://attack.mitre.org/groups/G1012) created virtual private server instances to facilitate use of malicious domains and other items.(Citat... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized VPS solutions for C2.(Citation: Check Point VOID MANTICORE Handala Hack March 202... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) staged encryption keys on virtual private servers operated by the adversary.(Citation: FBI BlackByt... |
| G0001 | Axiom | [Axiom](https://attack.mitre.org/groups/G0001) has used VPS hosting providers in targeting of intended victims.(Citation: Novetta-Axiom) |
| G1036 | Moonstone Sleet | [Moonstone Sleet](https://attack.mitre.org/groups/G1036) registered virtual private servers to host payloads for download.(Citation: Microsoft Moonsto... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has acquired virtual private servers from services such as Stark Industries Solutions an... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has acquired VPS infrastructure for use in malicious campaigns.(Citation: Gigamon Berserk Bear Octo... |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has incorporated virtual private servers (VPS) into its operational infrastructure.(Citation: Record... |
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has used anonymized infrastructure and Virtual Private Servers (VPSs) to interact with the victim’s env... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has operated from leased virtual private servers (VPS) in the United States.(Citation: Microsoft HAFN... |
References
- Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.
- Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.
- Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.
- ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
Frequently Asked Questions
What is T1583.003 (Virtual Private Server)?
T1583.003 is a MITRE ATT&CK technique named 'Virtual Private Server'. It belongs to the Resource Development tactic(s). Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By util...
How can T1583.003 be detected?
Detection of T1583.003 (Virtual Private Server) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1583.003?
There are 1 documented mitigations for T1583.003. Key mitigations include: Pre-compromise.
Which threat groups use T1583.003?
Known threat groups using T1583.003 include: Gamaredon Group, APT28, Ember Bear, LAPSUS$, Sea Turtle, Winter Vivern, CURIUM, VOID MANTICORE.