Score one for the good guys -- finally. After the seemingly endless news about sophisticated hackers taking down multinational companies and attacking the U.S. government’s personnel records, Cisco said it has managed to take down one of the largest hacking operations in the world.
The company described its actions as “a significant blow to the emerging hacker economy.” The target of Cisco’s operation, which was conducted by its security unit Talos Group, was an exploit kit used by hackers around the world known as Angler. It’s one of the most used kits on the market, and has been linked to a number of hacker campaigns involving malvertising and ransomware.
World’s Most Advanced Exploit Kit
“This is the most advanced and concerning exploit kit on the market -- designed to bypass security devices and ultimately attack the largest number of devices possible,” Cisco said in a statement. Hackers have used the Angler exploit kit to steal IP and credit card info, along with personally identifiable information. That sort of stolen data can then be sold on the black market for millions of dollars.
The company found that an inordinate number of proxy servers used by Angler were located on servers of hosting company Limestone Networks out of Dallas, Texas, with the main threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30 million annually. "This implies that if you apply the full scope of Angler activity the revenue generated could exceed $60 [million] annually," Cisco said.
Because of its popularity as a tool among hackers and its involvement in a number of high-profile attacks, Angler has been on the radar of security experts for quite some time. Talos decided to analyze the exploit kit’s telemetry data to see if it could learn more about the nature of the threat, according to Cisco.
To block the attacks, Talos updated its products to prevent redirects to the Angler proxy server and patched the vulnerabilities Angler exploited. That cut off communication between the command-and-control infrastructure and the affected machines. The company also published information on communication protocols and other telltale signs of Angler activity so that other parties can defend themselves from attacks in the future.
One Server Monitoring 147
Angler is constructed in a proxy/server configuration, with a single exploit server responsible for serving malicious activity through multiple proxy servers, according to Cisco. The proxy server is the system that users communicate with, allowing the hackers to quickly pivot and change while still shielding the exploit server from identification and exposure.
The configuration also consists of a monitoring server that gathers information about the hosts that are being served exploits, and remotely erases the log files once they have been fetched. Cisco was able to access that monitoring server, which was what allowed the company to determine the scope of the campaign.
Talos discovered that just one such monitoring server had been responsible for monitoring 147 different proxy servers over one month, generating more than $3 million. Much of that activity consisted of ransomware campaigns, in which an attacker is able to infiltrate a target computer, lock access to it, and threaten to permanently delete all of its files if the machine’s owner does not pay the ransom.
Posted: 2015-10-09 @ 10:21pm PT
Good work Cisco - find them, prosecute them and put them in prisons without computers.