FBI links First VPN Service to ransomware gangs, botnets, criminal dark web activity; calls for layered defensive controls | #ransomware | #cybercrime


The Federal Bureau of Investigation (FBI) disclosed that about 25 ransomware groups used a criminal VPN service known as ‘First VPN Service’ to conduct network intrusions, scanning operations, botnets, denial-of-service attacks, and scams. The service has been active since around 2014, operating 32 exit nodes in 27 countries. It affects organizations by giving ransomware groups and other cybercriminal actors anonymized infrastructure for network intrusions, reconnaissance, credential abuse, denial-of-service attacks, and broader malicious operations.

“At least 25 ransomware groups, such as Avaddon Ransomware, have used First VPN Service infrastructure to perform network reconnaissance and intrusions,” the FBI wrote in a recent FLASH advisory. “First VPN Service IP addresses have been used for scanning activity, botnets, denial of service attacks, scams, and hacking. First VPN Service was almost exclusively advertised in known criminal dark web forums such as Exploit[.]in and XSS[.]is, two of the most prominent Russian-language online forums which provide marketplaces for cyber criminals to buy and sell unauthorized access to computer systems, stolen personal identifying information, hacking tools, and contraband. This reporting applies solely to the First VPN Service and does not extend to other VPN providers with similar naming.” 

The revelation came alongside a coordinated international takedown of the service, led by French and Dutch cybercrime units with support from Ukraine, the U.K., Switzerland, and Luxembourg. The takedown followed findings that the VPN was marketed almost exclusively on prominent Russian-language dark web forums used by cybercriminals to trade stolen data, hacking tools, and unauthorized access to systems.

The alert added, “This operation was conducted by France’s Direction Régionale de la Police Judiciaire Brigade de Lutte Contre la Cybercriminalité (BL2C), and the Dutch National Police, National High Tech Crime Unit (NHTC), with assistance from Ukraine, the United Kingdom, Switzerland, and Luxembourg.”

Avaddon emerged in 2020 as a RaaS (ransomware-as-a-service) operation that relied heavily on phishing campaigns and affiliate-driven attacks targeting corporate networks, including organizations across manufacturing and other critical sectors. Back in 2023, the U.S. Department of Health & Human Services’ Health Sector Cybersecurity Coordination Center (HC3) unit identified evidence that the newer NoEscape ransomware group is likely a rebrand or successor of the now-defunct Avaddon operation, which shut down in 2021 after releasing decryption keys to victims following increased law enforcement pressure.

The agency recognizes that malicious infrastructure may be hosted on cloud or virtualized platforms where IP addresses are dynamically or ephemerally assigned. As a result, addresses associated with malicious activity may later be reassigned to non-malicious services. These indicators should therefore be interpreted as historically observed infrastructure within the identified activity window and corroborated with current network telemetry or additional intelligence sources. 

The FBI detailed that the First VPN Service offered several connection protocols, including OpenConnect, WireGuard, Outline, and VLESS TCP Reality, and multiple encryption options, including OpenVPN ECC, L2TP/IPsec, and PPTP. Technical support was also offered to users via a self-hosted Jabber server and the Telegram encrypted messaging service. Among the VPN protocol options, First VPN Service offered ‘VLESS’ and ‘Reality,’ which provide the ability to disguise VPN traffic as HTTPS traffic over ports that are commonly used to connect to websites.

The MITRE ATT&CK mapping indicates that adversaries are using proxy techniques under T1090 by routing malicious traffic through VPN services such as First VPN Service to conceal the true source of their activity and evade detection mechanisms. Under T1133, threat actors are leveraging external remote services through VPN infrastructure to gain remote access into victim environments, often using valid credentials to maintain persistence or conduct follow-on operations. 

The report also maps activity to T1078, showing that attackers frequently authenticate to enterprise systems with compromised accounts through VPN services, allowing malicious behavior to blend in with legitimate network activity.

The assessment further identifies activity associated with T1046, where scanning operations originating from First VPN Service-linked IP addresses are consistent with efforts to identify open ports, exposed services, and network configurations. Under T1018, the VPN infrastructure may also be used to enumerate systems inside target networks after initial access has been established. 

The report additionally links the activity to T1110, noting that VPN exit nodes can support password spraying and brute-force attempts against exposed services, including SSH, RDP, and web applications. It also references T1498, highlighting that First VPN Service infrastructure has been associated with denial-of-service activity intended to disrupt operations or divert defender attention during malicious campaigns.

Organizations should implement layered defensive controls that combine network restrictions, identity-based protections, and behavioral monitoring to mitigate the risks associated with anonymization services such as First VPN Service. They are advised to block or closely monitor known First VPN Service infrastructure by deny-listing associated domains and scrutinizing related IP addresses where operationally feasible. 

Security teams should continuously monitor connections to unapproved VPN infrastructure and newly identified IP addresses linked to anonymization services. The guidance also recommends implementing VPN-aware access controls by restricting authentication to corporate resources from approved networks or managed devices and enforcing conditional access policies that limit or flag logins originating from known VPN or proxy networks.

The recommendations further emphasize strengthening authentication security by requiring multi-factor authentication for all remote access services, including VPN, SSH, RDP, and cloud applications, while monitoring authentication attempts from unfamiliar IP addresses, geolocations, or autonomous systems. Organizations are encouraged to detect anomalous identity and session activity such as impossible travel events, simultaneous sessions from geographically distant regions, and changes in user-agent strings or device fingerprints associated with a single account. 

The guidance also calls for hardening remote access services by limiting SSH and management interfaces to trusted IP ranges or secure access solutions such as bastion hosts and zero trust architectures, while avoiding direct exposure of management services to the public internet whenever possible.

Additionally, defenders are urged to inspect and analyze network traffic for abnormal patterns, including lateral movement, scanning activity, and command-and-control communications originating from VPN-associated infrastructure. 

The advisory recommends applying least privilege principles and network segmentation to reduce the impact of unauthorized access and restrict lateral movement within networks. It also calls for regular audits of firewall configurations to close unnecessary ports and services that could expose systems to scanning or exploitation attempts. Because VPN providers often use dynamically and ephemerally assigned IP addresses, the guidance cautions against relying solely on IP-based blocking and instead recommends correlating indicators with behavioral analytics, endpoint telemetry, and identity context. 
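To show how the identity-anomaly guidance above (impossible travel, user-agent changes, logins from anonymization-provider ASNs) and the caveat about not relying on IP matches alone can be combined, here is an added detection example written for this article; it is not code from the FBI advisory. The log lines, IP geolocations and ASN labels are constructed sample data, and `VPN_ASNS` is a hypothetical list a team would populate from its own intelligence feeds.

```python
import math
from datetime import datetime

# Constructed lookup table: IP -> (latitude, longitude, ASN label).
# These are documentation-range addresses, not real indicators.
GEO = {
    "203.0.113.10": (48.86, 2.35, "AS-HOSTING-A"),
    "198.51.100.7": (52.37, 4.90, "AS-VPN-PROVIDER-X"),
    "192.0.2.55": (40.71, -74.01, "AS-CORP-ISP"),
}
VPN_ASNS = {"AS-VPN-PROVIDER-X"}  # hypothetical anonymization-provider ASNs
MAX_SPEED_KMH = 900.0  # faster than an airliner => impossible travel

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def parse(line):
    """Log format (constructed): ISO timestamp|user|source IP|user agent."""
    ts, user, ip, ua = line.split("|")
    return datetime.fromisoformat(ts), user, ip, ua

def score_logins(lines):
    """Return (user, timestamp, severity, reasons) for logins worth review.
    A VPN-ASN hit on its own is reported as low confidence; it becomes high
    only when corroborated by impossible travel or a user-agent change."""
    last, findings = {}, []
    for line in sorted(lines):  # ISO timestamps sort chronologically
        ts, user, ip, ua = parse(line)
        lat, lon, asn = GEO[ip]
        reasons = ["vpn_asn"] if asn in VPN_ASNS else []
        if user in last:
            p_ts, p_geo, p_ua = last[user]
            hours = (ts - p_ts).total_seconds() / 3600
            km = haversine_km(p_geo, (lat, lon))
            if km > 50 and (hours == 0 or km / hours > MAX_SPEED_KMH):
                reasons.append("impossible_travel")
            if ua != p_ua:
                reasons.append("user_agent_change")
        last[user] = (ts, (lat, lon), ua)
        if reasons:
            severity = "high" if len(reasons) > 1 else "low"
            findings.append((user, ts.isoformat(), severity, reasons))
    return findings

LOGS = [  # constructed sample authentication events
    "2024-05-01T08:00:00|alice|192.0.2.55|Windows-Chrome",
    "2024-05-01T08:30:00|alice|198.51.100.7|Linux-curl",
    "2024-05-01T09:00:00|bob|203.0.113.10|Windows-Edge",
]
```

Running `score_logins(LOGS)` flags only alice's second login as high severity, because the VPN-ASN hit is corroborated by a 5,800 km jump in 30 minutes and a new user agent; bob's hosting-provider login produces no finding on its own.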

Organizations must also integrate threat intelligence feeds and monitor activity associated with known VPN, hosting, or proxy provider autonomous systems commonly linked to anonymization services.
