Hackers Exploit Virtual Private Servers to Breach Software-as-a-Service Accounts
In a series of recent incidents, threat actors have been observed compromising software-as-a-service (SaaS) accounts using virtual private server (VPS) services. The attacks, which have been noted to be targeted and persistent, have been linked to providers such as Hyonix, Host Universal, and Cloudflare WARP.
One such incident impacting a Darktrace customer's SaaS accounts was observed in May 2025. Many alerts were traced back to VPS provider Hyonix. Suspicious activities, including the creation of new email rules with vague or generic names to redirect or delete incoming emails, were noted.
Session hijacking occurred on two internal devices in a customer environment, with logins from IP addresses associated with VPS providers Hyonix and Host Universal. No lateral movement was detected from the compromised SaaS accounts, but multiple user devices mirrored the activity, suggesting a coordinated campaign.
Attackers are using VPS infrastructure for scalable campaigns. They have been observed attempting to modify account recovery settings and reset passwords or update security information from rare external IPs. Deletion of emails referring to invoice documents from 'Sent Items' folders was also observed, indicating an attempt to hide phishing emails.
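The indicators described above (activity from VPS address space, new inbox rules with generic names that redirect or delete mail, and invoice-related messages removed from Sent Items) can be triaged from SaaS audit events. The following is an added example and not Darktrace's or any vendor's detection logic; the IP ranges and audit events are constructed placeholders, loosely modelled on the Microsoft 365 unified audit log schema, and must be replaced with your own threat-intel data.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed placeholder ranges (RFC 5737 documentation space) standing in for
# VPS providers; NOT real Hyonix, Host Universal or Cloudflare WARP allocations.
VPS_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Rule names that mean nothing to the mailbox owner: ".", "a", "rule1", "1", "".
GENERIC_NAME = re.compile(r"^(?:[\W_]*|[a-z]|rule\s*\d*|\d+|new rule)$", re.I)
# Inbox-rule parameters that redirect or delete incoming mail.
HIDING_ACTIONS = {"DeleteMessage", "ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}


def from_vps(ip: str) -> bool:
    """True when the client IP falls inside a tagged VPS range."""
    addr = ip_address(ip)
    return any(addr in net for net in VPS_RANGES)


def triage(event: dict) -> list[str]:
    """Return the indicators one audit event matches (empty list = nothing seen)."""
    reasons = []
    ip = event.get("ClientIP", "")
    if ip and from_vps(ip):
        reasons.append(f"activity from VPS address {ip}")
    op = event.get("Operation")
    if op == "New-InboxRule":
        params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
        if HIDING_ACTIONS.intersection(params):
            reasons.append("new inbox rule redirects or deletes mail")
        if GENERIC_NAME.match(params.get("Name", "")):
            reasons.append("inbox rule has a generic name")
    elif op in ("SoftDelete", "HardDelete") and event.get("Folder") == "Sent Items":
        if any("invoice" in s.lower() for s in event.get("Subjects", [])):
            reasons.append("invoice-related mail deleted from Sent Items")
    return reasons


# Constructed sample events: two malicious-looking, one benign housekeeping rule.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "ClientIP": "203.0.113.17", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "SoftDelete", "ClientIP": "203.0.113.17", "Folder": "Sent Items",
     "Subjects": ["Invoice #4471 overdue"]},
    {"Operation": "New-InboxRule", "ClientIP": "192.0.2.10", "Parameters": [
        {"Name": "Name", "Value": "Move newsletters"}, {"Name": "MoveToFolder", "Value": "News"}]},
]


def alerts(events=SAMPLE_EVENTS) -> list[tuple[str, list[str]]]:
    """Events carrying two or more indicators, paired with the reasons they matched."""
    return [(e["Operation"], r) for e in events if len(r := triage(e)) >= 2]
```

Requiring two co-occurring indicators keeps a lone generic rule name or a single VPS login from paging an analyst; tune the threshold to your environment.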
Cloudflare WARP has also been identified as a service abused by attackers, in this case for SSH brute forcing that can lead to SaaS account compromise. Attackers exploit its "clean" IP ranges, which are less likely to be blocked by firewalls, to carry out these attacks.
The affordability of these VPS services makes them attractive to attackers. Threat actors take steps to avoid detection and enable persistent access, often coinciding with legitimate user activity, making traditional security tools largely ineffective.
These actions suggest an intent to remain undetected while potentially setting the stage for data exfiltration or spam distribution. The compromised accounts are then used for follow-on phishing attacks.
In light of these developments, it is crucial for organisations to review their security measures and consider the potential risks associated with the use of VPS services. Regular audits and monitoring of account activities, coupled with robust user education, can help mitigate these threats.