
Cisco Disrupts $30M Ransomware Operation

By Stephanie Mlot, Contributor


Cisco has disrupted an international exploit kit that was taking in approximately $30 million per year via high-profile malvertising and ransomware campaigns.

Exploit toolkits are software suites that take advantage of vulnerabilities for the sole purpose of spreading malware, often targeting browsers, plug-ins, and programs that a website can use through the browser. The Angler Exploit Kit "is one of the largest exploit kits found on the market," and Cisco's Talos Security Intelligence and Research Group was recently able to cut off about half of Angler's revenue stream.

During its research, Cisco "found that a large amount of Angler activity was focused with a single hosting provider, Limestone Networks," and worked with the Dallas-based company to "gather some previously unknown insight into Angler."

As Cisco-owned OpenDNS explained in a blog post, Cisco's Talos team didn't just sinkhole the domains or shut down servers.

"Talos worked with service provider Limestone Networks to obtain live disk images of the Angler servers," said OpenDNS' Stephen Lynch. "This collaboration allowed Talos researchers to observe the attack campaigns in action, providing valuable information not only on how Angler's handlers hid their operations from security researchers, but how they architected their infrastructure to ensure maximum effectiveness."

For example, a single health server monitored 147 proxy servers in one month. "The system accounted for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims per day, and generating more than $30 million annually," Talos said. "This implies that if you apply the full scope of Angler activity the revenue generated could exceed $60M annually."

Using proxy servers like this is not common, but it makes sense, according to OpenDNS CTO Dan Hubbard. "We're seeing criminals build up these sophisticated proxy networks so they can scale linearly, much like a CDN or a real web service. Not only can any of these proxies be taken down without affecting service, but it allows them to obfuscate their true infrastructure. While you may think 'that's the command-and-control server,' actually it's not. It's just an intermediary between the proxy servers and the real command-and-control or exploit server."

As a result, Cisco's takedown "is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually," Cisco Talos said.
