10/6/2015
01:00 PM
Researchers Disrupt Angler Exploit Kit, Ransomware Operation

Cisco Talos Group estimates Angler is making $60 million per year from ransomware alone.

Cisco Talos Group has disrupted the operations and compromised the infrastructure used by the operators of the popular Angler Exploit Kit, "the most effective exploit kit that Talos has seen." Angler is principally delivering the TeslaCrypt and CryptoWall ransomware, and researchers estimate it is generating approximately $60 million per year from ransomware alone.

Talos, collaborating with OpenDNS and Level 3 Threat Research, investigated Angler's telemetry data and found that a large amount of its activity was being generated within a single provider, Limestone Networks. Working with Limestone Networks, the researchers obtained live disk images of Angler servers to watch the campaign in action.

Through July, they observed activity from one exploit server and one health-monitoring server, which ran health checks on host machines and remotely erased log files on them. They discovered that Angler's operators were extensively using proxy servers to hide their infrastructure from investigators: the single health-monitoring server monitored 147 proxies.

Another way Angler has managed to evade security teams is its use of referers. According to the report, researchers found "more than 15,000 unique sites pushing people into the exploit kit, 99.8 percent of which were used less than ten times, illustrating the low frequency. That means that the majority of referers were only active for a short period of time and were removed after a handful of users were targeted. This is one of the features that makes Angler so difficult to hunt."
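The hunting problem the report describes, as an added example that is not part of the article or of the Talos research: a profile of referer hosts that sent users to a landing host, built from constructed proxy-log events (the hostnames, timestamps and the `landing.example.test` gate are all assumed sample values), so that referers seen fewer than ten times, and the share they make up, can be surfaced the way the 99.8 percent figure was.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample events (timestamp, client IP, requested URL, referer).
# They are invented for this example and are not Angler telemetry.
_BASE = datetime(2015, 7, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    (_BASE + timedelta(minutes=i), f"10.0.0.{i}",
     "http://landing.example.test/gate.php", "http://blog-one.example.test/post")
    for i in range(3)
] + [
    (_BASE + timedelta(days=1, minutes=i), f"10.0.1.{i}",
     "http://landing.example.test/gate.php", "http://news.example.test/article")
    for i in range(2)
] + [
    (_BASE + timedelta(hours=i), f"10.0.2.{i}",
     "http://landing.example.test/gate.php", "http://partner.example.test/home")
    for i in range(40)
]


def referer_profile(events, landing_host):
    """Per referer host that sent users to landing_host: (hit count, active window in seconds)."""
    hits = defaultdict(int)
    first, last = {}, {}
    for ts, _client, url, referer in events:
        if urlsplit(url).hostname != landing_host or not referer:
            continue
        host = urlsplit(referer).hostname
        hits[host] += 1
        first[host] = min(first.get(host, ts), ts)
        last[host] = max(last.get(host, ts), ts)
    return {h: (hits[h], (last[h] - first[h]).total_seconds()) for h in hits}


def low_frequency_referers(profile, max_hits=10):
    """Referer hosts seen fewer than max_hits times: the short-lived gates the report describes."""
    return sorted(h for h, (n, _window) in profile.items() if n < max_hits)


def low_frequency_share(profile, max_hits=10):
    """Fraction of referer hosts below the threshold (the report cites 99.8% for Angler)."""
    if not profile:
        return 0.0
    return len(low_frequency_referers(profile, max_hits)) / len(profile)
```

A steady referer with many hits over a long window (the partner site here) drops out of the low-frequency set, while gates that pushed only a handful of users in a short window remain, which is the population a hunter has to chase.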

One primary actor is responsible for 50 percent of Angler's activity and is making over $30 million per year from ransomware alone, according to researchers, who therefore estimate that Angler overall could be generating $60 million from ransomware.

In response to these findings, Cisco contacted affected hosting providers so they could shut down servers, updated its products to stop redirects to Angler proxies (thereby cutting off Angler's access to Cisco customers), released Snort rules to detect and block checks from health-monitoring servers, and published indicators of compromise.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
