Cisco has struck a blow to a hacker group, interrupting a significant international revenue stream produced by the Angler exploit kit. The kit has been linked to several high-profile malvertising and ransomware campaigns and is designed to bypass security devices and attack the largest possible number of devices.
Cisco discovered that an excessive number of the proxy servers used by the exploit kit were on servers of Limestone Networks, with the primary threat actor responsible for half of Angler exploit kit activity. This actor targeted up to 90,000 victims a day and brought in more than £19.5 million per year.
Action was then taken. Cisco shut down customer access by updating products to stop redirects to the Angler proxy servers; released Snort rules to expose and block the health checks; published communications methods so others can protect themselves and customers; published IoCs so defenders can analyse their own network activity and block access to remaining servers; and contacted affected hosting providers to shut down malicious servers.
This is a significant blow to the growing hacker economy, which can generate hundreds of millions of pounds a year through ransomware and the black market sale of stolen IP, credit card information and personally identifiable information (PII).
In an email to SCMagazineUK.com, Garve Hays, solution architect, NetIQ, the security portfolio of Micro Focus, commented: “With the revelation of this latest attack, we are seeing a rapid and proactive response to a known threat. This is something we have already seen recently with the Experian and T-Mobile breach. Reports of this most recent hack further go to show that a ‘Bastille’ will not protect the data centre or customers. In fact, nowadays we need to think more in terms of speed of response to attack, and stop trying to hope that we can keep every bad guy out.
“The other key point here is that the criminals in this case are too lazy to research their own exploits and instead are using a toolkit. This time around their attempts were foiled, but it serves to show the barrier to entry has been lowered to the point where less skilled malefactors can make the attempt.
“Finally, it is worth noting the US $30 million (apx £20 million) figure is an estimate based on three percent of the victims paying a ransom.”