
Mass Scanning and Exploit Campaigns

Severity: Critical
Published: Fri May 16 2025 (05/16/2025, 08:51:13 UTC)
Source: AlienVault OTX

Description

Trustwave SpiderLabs has identified ongoing malicious activities originating from Proton66 ASN, including vulnerability scanning, exploit attempts, and phishing campaigns. The investigation revealed connections between Proton66 and bulletproof hosting services advertised on underground forums. Mass scanning and exploit campaigns targeting multiple sectors were observed, with technology and financial organizations being the most common targets. A specific IP address linked to SuperBlack ransomware operators was found distributing critical exploits. The analysis also uncovered a potential rebranding of underground hosting services and shifts in IP addresses between different ASNs, suggesting relationships between providers.

AI-Powered Analysis

AI analysis last updated: 06/19/2025, 17:33:41 UTC

Technical Analysis

The identified threat involves ongoing mass scanning and exploit campaigns orchestrated by the Proton66 ASN, a network associated with bulletproof hosting services frequently advertised on underground cybercrime forums. These campaigns encompass vulnerability scanning, exploit attempts, and phishing activities targeting multiple sectors, with a particular focus on technology and financial organizations. Proton66's infrastructure appears to be linked with the SuperBlack ransomware operators, as evidenced by a specific IP address distributing critical exploits. The campaigns leverage multiple critical vulnerabilities, including CVE-2024-10914, CVE-2024-55591, CVE-2024-41713, CVE-2025-24472, and CVE-2025-0108, indicating a broad and aggressive exploitation strategy. The threat actors demonstrate operational agility by rebranding underground hosting services and shifting IP addresses across different Autonomous System Numbers (ASNs), complicating detection and mitigation efforts. Although no confirmed exploits are currently observed in the wild, the presence of critical vulnerabilities and active scanning suggests a high risk of imminent exploitation. The use of bulletproof hosting ensures resilience against takedown attempts, enabling sustained malicious activity. The combination of mass scanning, exploitation attempts, and phishing campaigns indicates a multi-faceted approach aimed at compromising organizational networks, stealing credentials, deploying ransomware, and potentially disrupting services.

Potential Impact

European organizations, especially those in the technology and financial sectors, face significant risks from these campaigns. Successful exploitation of the critical vulnerabilities could lead to unauthorized access, data breaches, ransomware infections, and operational disruptions. Financial institutions may suffer direct financial losses and reputational damage, while technology companies could experience intellectual property theft and service outages. The use of phishing campaigns further increases the risk of credential compromise and lateral movement within networks. The bulletproof hosting infrastructure complicates incident response and attribution, potentially prolonging the threat actors' presence. Given the critical nature of the vulnerabilities and the sophistication of the threat actors, the overall impact could be severe, affecting confidentiality, integrity, and availability of critical systems. Additionally, the dynamic nature of the threat actors' infrastructure and tactics may challenge existing security controls and detection mechanisms, increasing the likelihood of successful attacks.

Mitigation Recommendations

1. Implement proactive network monitoring to detect unusual scanning activity originating from Proton66 ASN IP ranges and related bulletproof hosting IPs.
2. Prioritize patching of all critical vulnerabilities listed (CVE-2024-10914, CVE-2024-55591, CVE-2024-41713, CVE-2025-24472, CVE-2025-0108) even if no direct exploit is observed, as these are actively targeted.
3. Deploy advanced email filtering and phishing detection solutions tailored to identify campaigns linked to Proton66 and SuperBlack ransomware operators.
4. Utilize threat intelligence feeds to update firewall and intrusion prevention system (IPS) rules to block traffic from known malicious IPs and ASNs associated with Proton66 and bulletproof hosting.
5. Conduct regular security awareness training focused on the phishing and social engineering tactics used by these actors.
6. Implement network segmentation and least privilege access controls to limit lateral movement in case of compromise.
7. Employ endpoint detection and response (EDR) solutions capable of identifying exploit attempts and ransomware behaviors.
8. Collaborate with national Computer Emergency Response Teams (CERTs) and share threat intelligence to enhance collective defense.
9. Monitor underground forums and threat intelligence sources for updates on Proton66 infrastructure changes and emerging tactics, and adapt defenses promptly.
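As an added example (not part of the OTX pulse or the Trustwave report), the following Python script puts recommendations 1 and 4 into practice on the defender's side: it matches firewall log sources against the IoC IP list published on this page, flags sources that probe many distinct ports regardless of whether they are on the list (so infrastructure that has moved to another ASN is still caught), and collapses the IoC list into covering /24 prefixes for review. The log lines are constructed in a simplified iptables-style format; the benign source and destination addresses are RFC 5737 documentation ranges, and the port threshold and log format are assumptions, not values from the report.

```python
"""IoC matching and scan detection over firewall log lines (added example)."""
import ipaddress
import re
from collections import defaultdict

# IoC addresses as listed on this page (AlienVault OTX pulse on Proton66).
PROTON66_IOC_IPS = frozenset({
    "193.143.1.33", "193.143.1.64", "193.143.1.65", "193.143.1.78",
    "45.134.26.8", "45.134.26.38", "45.134.26.80", "45.134.26.81",
    "45.134.26.104", "45.134.26.124", "45.134.26.199",
    "45.135.232.24", "45.135.232.103", "45.135.232.108",
    "45.135.232.171", "45.135.232.174",
    "45.140.17.21", "45.140.17.98",
    "91.212.166.27", "91.212.166.60", "91.212.166.62", "91.212.166.65",
})

# Assumed iptables-style field layout: SRC=, DST=, ... DPT= on one line.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log (not real traffic): one IoC source probing several
# ports, one IoC source hitting a single port, one benign host, and one
# non-IoC scanner that only behavioural detection will catch.
SAMPLE_LOG = """\
May 16 08:51:13 fw kernel: IN=eth0 SRC=45.134.26.124 DST=203.0.113.10 PROTO=TCP DPT=443
May 16 08:51:14 fw kernel: IN=eth0 SRC=45.134.26.124 DST=203.0.113.10 PROTO=TCP DPT=8443
May 16 08:51:14 fw kernel: IN=eth0 SRC=45.134.26.124 DST=203.0.113.10 PROTO=TCP DPT=10443
May 16 08:51:15 fw kernel: IN=eth0 SRC=45.134.26.124 DST=203.0.113.10 PROTO=TCP DPT=4443
May 16 08:51:15 fw kernel: IN=eth0 SRC=45.134.26.124 DST=203.0.113.10 PROTO=TCP DPT=8080
May 16 08:52:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=443
May 16 08:52:30 fw kernel: IN=eth0 SRC=91.212.166.65 DST=203.0.113.11 PROTO=TCP DPT=80
May 16 08:53:02 fw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP DPT=22
May 16 08:53:02 fw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP DPT=23
May 16 08:53:03 fw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP DPT=80
May 16 08:53:03 fw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP DPT=443
May 16 08:53:04 fw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP DPT=3389
"""


def parse_line(line):
    """Extract source, destination and destination port; None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "dpt": int(m["dpt"])}


def match_iocs(log_text, iocs=PROTON66_IOC_IPS):
    """Return every parsed event whose source address is on the IoC list."""
    events = (parse_line(line) for line in log_text.splitlines())
    return [e for e in events if e and e["src"] in iocs]


def detect_scanners(log_text, min_ports=5):
    """Map source -> sorted distinct ports for sources touching >= min_ports ports.

    Works independently of the IoC list, so a scanner that has shifted to a
    new address or ASN is still surfaced. The threshold is an assumption.
    """
    ports = defaultdict(set)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e:
            ports[e["src"]].add(e["dpt"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def ioc_networks(iocs=PROTON66_IOC_IPS, prefixlen=24):
    """Collapse the IoC list into covering networks of the given prefix length.

    Useful as input to a firewall prefix list, but review before blocking:
    neighbouring addresses in the same /24 may belong to unrelated customers.
    """
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in iocs}
    return [str(n) for n in sorted(nets)]


if __name__ == "__main__":
    for e in match_iocs(SAMPLE_LOG):
        print(f"IoC hit: {e['src']} -> {e['dst']}:{e['dpt']}")
    for src, ports in detect_scanners(SAMPLE_LOG).items():
        print(f"Scan-like behaviour from {src}: ports {ports}")
    print("Covering /24 prefixes:", ioc_networks())
```

In the sample, 45.134.26.124 is flagged both as an IoC hit and as a scanner, 91.212.166.65 only as an IoC hit, and 198.51.100.9 only by the port-count heuristic; in production the heuristic would run over a time window and feed an alert rather than a print.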


Technical Details

Author
AlienVault
TLP
white
References
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-1-mass-scanning-and-exploit-campaigns/
Adversary
Proton66

Indicators of Compromise

IP addresses

193.143.1.33
45.134.26.124
45.134.26.38
45.134.26.80
45.134.26.81
45.140.17.21
45.140.17.98
91.212.166.65
193.143.1.64
193.143.1.65
193.143.1.78
45.134.26.104
45.134.26.199
45.134.26.8
45.135.232.103
45.135.232.108
45.135.232.171
45.135.232.174
45.135.232.24
91.212.166.27
91.212.166.60
91.212.166.62

CVEs

CVE-2024-10914
CVE-2024-41713
CVE-2024-55591
CVE-2025-0108
CVE-2025-24472

Threat ID: 682c992c7960f6956616a302

Added to database: 5/20/2025, 3:01:00 PM

Last enriched: 6/19/2025, 5:33:41 PM

Last updated: 8/13/2025, 12:27:17 PM
