Research reveals mass scanning and exploitation campaigns

Trustwave cybersecurity researchers discovered a rise in “mass scanning, credential brute forcing, and exploitation attempts” coming from an IP addresses connected with a Russian bulletproof hosting service provider, Proton66. This activity was detected on January 8, 2025, and has been targeting organizations globally. 

Security leaders weigh in 

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security: 

The broad range and intensity of cyberattacks facilitated by Proton66 demonstrates why organizations need layered cybersecurity defenses. The activities stemming from Proton66 include vulnerability scanning, credential brute forcing, exploit attempts and phishing campaigns that mimic reputable WordPress sites, Google Play Store app listings and chat rooms.

Security and IT teams should view these threats as a stark reminder of the many methods by which attackers can target their organizations. Companies should also have security event monitoring in place to detect and analyze privilege escalations so that anomalous behavior can be detected and blocked. All organizations should take a proactive approach to regularly update all software and immediately patch vulnerabilities that are being actively exploited in the wild.

Strong identity management is essential in defending against brute force attacks by enforcing strong, unique passwords and implementing Multi-Factor Authentication (MFA). MFA adds another vital layer of security, making it significantly harder for attackers to gain access even if they crack a password. One of the most effective ways to protect sensitive systems is through Privileged Access Management (PAM), which ensures that high-risk accounts undergo regular password rotation. This reduces the window of opportunity for attackers to exploit stolen credentials.

Organizations should also ensure they have basic precautions including an endpoint protection platform, web filtering and email protection in place. Best practices should also include regular employee education to limit the influence of human error. Employees should be trained to recognize phishing attempts, malicious attachments, suspicious links and other common threats. 

Trey Ford, Chief Information Security Officer at Bugcrowd: 

The internet can be a noisy neighborhood, and on occasion, we’ve found miscreants who do not care to vary their source IPs — for a variety of reasons. IP addresses are not durable indicators, as varying scan sources is inexpensive — so this may speak to the effort level, professionalism, or funding level of the actors.

Obviously internet exposed services need to be hardened, and patched ruthlessly — they’re exposed and accepting requests from anywhere allowed... maintaining blocklists for IPs like this at scale is largely wasted energy.

The account brute forcing reminds us of the importance of maintaining velocity checks monitoring attempted login activity from singular IP addresses, net blocks and even user-agent strings. CAPTCHA tools vary in capability, so ultimately, we should be aiming to drive up the cost and complexity of attacker activity beyond the reach of lazy attack patterns like those being flagged here.