Slashdot Mirror


International Exploit Kit Angler Thwarted By Cisco Security Team

An anonymous reader writes: Researchers at a Cisco security unit have successfully interrupted the spread of a massive international exploit kit which is commonly used in ransomware attacks. The scientists discovered that around 50% of computers infected with Angler were connecting with servers based at a Dallas facility, owned by provider Limestone Networks. Once informed, Limestone cut the servers from its network and handed over the data to the researchers who were able to recover Angler authentication protocols, information needed to disrupt future diffusion.

36 comments

  1. Fraud detection? by Anonymous Coward · · Score: 2, Informative

    "The servers had been hired by cybercriminals using stolen payment details."

    Regardless of what was hosted on those servers, how did Limestone allow that many fraudulent accounts to get through? (rhetorical question btw...revenue is revenue if you know what I mean, wink wink)

    Btw, here's a very good in-depth description of Angler (i.e. yet another Microsoft Windows exploit):
    https://blogs.sophos.com/2015/...

    1. Re:Fraud detection? by Anonymous Coward · · Score: 0

      According to TFA, over 75% of the exploits served were for Adobe Flash.

    2. Re:Fraud detection? by Anonymous Coward · · Score: 1

      "The servers had been hired by cybercriminals using stolen payment details."

      Regardless of what was hosted on those servers, how did Limestone allow that many fraudulent accounts to get through? (rhetorical question btw...revenue is revenue if you know what I mean, wink wink)

      Back to reality... that's not really how it works. This is not revenue when you have to refund in a week after these proxy servers have used terabytes of bandwidth, techs have spent hours provisioning the server, handling abuse associated with the fraud servers, etc. The providers hosting Angler and other botnets are getting ripped off the same way the users downloading it are.

    3. Re:Fraud detection? by Anonymous Coward · · Score: 0

      Yeah, it destroyed my iPad because of Flash, then continued onto erasing my Ubuntu desktop. Unsatiated, it continued on and raped my Macbook.

      No, only Windows machines running Flash will be affected by this. Ergo, it boils down to yet another Microsoft Windows problem.

  2. Blocking the Japanese ministry of agriculture? by Halo1 · · Score: 3, Interesting

    The published Angler nginx proxy server configuration contains

    deny 150.26.0.0/16;

    That block belongs to the Japanese "Ministry of Agriculture,Forestry and Fisheries - Agriculture,Forestry and Fisheries Research Council". I wonder what the story is behind that.

    --
    Donate free food here
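
Halo1's point above turns on a single `deny` directive in an nginx reverse-proxy configuration. The following is an added example, not code from this thread, from the researchers, or from the published Angler config: it implements the matching semantics of nginx's access module (allow/deny rules are evaluated in order, the first rule whose network contains the client address decides, and a client that matches no rule is allowed) over a constructed snippet. Only the `deny 150.26.0.0/16;` line is quoted from the thread; the `allow 10.0.0.0/8`, the `deny all` and the backend name are assumptions for illustration. It also flags the ordering mistake a reviewer would check for: any rule written below `deny all` or `allow all` is dead.

```python
"""Evaluate nginx allow/deny rules the way ngx_http_access_module does.

Added example for this thread; it is not the published Angler proxy config.
Semantics implemented: rules are checked in order, the first rule whose
network contains the client address wins, and a client that matches no
rule is allowed.
"""
import ipaddress
import re

# Constructed snippet. Only the 150.26.0.0/16 line is quoted in the thread;
# the 10.0.0.0/8 allow, the 'deny all' and the backend name are assumptions.
SAMPLE_CONFIG = """
location / {
    deny  150.26.0.0/16;
    allow 10.0.0.0/8;
    deny  all;
    proxy_pass http://backend;
}
"""

# Matches 'allow <target>;' / 'deny <target>;' with any indentation.
RULE_RE = re.compile(r'^\s*(allow|deny)\s+(\S+?)\s*;')


def parse_rules(config):
    """Return [(action, network)] in file order; network is None for 'all'."""
    rules = []
    for raw in config.splitlines():
        line = raw.split('#', 1)[0]          # strip trailing comments
        m = RULE_RE.match(line)
        if not m:
            continue
        action, target = m.group(1), m.group(2)
        if target == 'all':
            rules.append((action, None))
        else:
            # strict=False masks host bits instead of rejecting the entry
            rules.append((action, ipaddress.ip_network(target, strict=False)))
    return rules


def decide(rules, client_ip):
    """Return 'allow' or 'deny' for client_ip under first-match semantics."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (net.version == ip.version and ip in net):
            return action
    return 'allow'              # nginx default when nothing matches


def unreachable_rules(rules):
    """Return the rules listed after an 'all' rule; they can never match.

    A 'deny 150.26.0.0/16' placed below 'deny all' or 'allow all' is dead,
    which is the ordering mistake worth checking for in a proxy config.
    """
    for i, (_, net) in enumerate(rules):
        if net is None:
            return rules[i + 1:]
    return []


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_CONFIG)
    for ip in ('150.26.1.1', '10.1.2.3', '8.8.8.8'):
        print(ip, '->', decide(rules, ip))
    print('dead rules:', unreachable_rules(rules))
```

Run as-is to see the three decisions for the constructed config; pass your own file contents to `parse_rules` to check what a given client address would get, and feed the result to `unreachable_rules` to catch a block list that was appended below a catch-all.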
    1. Re: Blocking the Japanese ministry of agriculture? by Anonymous Coward · · Score: 0

      oh no!!! Gojira!!!!

    2. Re:Blocking the Japanese ministry of agriculture? by kbonin · · Score: 2

      It's common for intelligence organizations to label their IP block with other gov org names. Many of the SSH brute force scans I bothered to look up a few years ago originated from IP blocks owned by "China Railway Telecommunications Center".

    3. Re: Blocking the Japanese ministry of agriculture? by Anonymous Coward · · Score: 0

      No, Biollante would be the one from the Ministry of Agriculture.

    4. Re:Blocking the Japanese ministry of agriculture? by Kunedog · · Score: 1

      They are in charge of Gundam:
      http://entertainment.slashdot....

      They were likely just monitoring the botnet to ensure it wasn't used to deface the wiki article.

    5. Re:Blocking the Japanese ministry of agriculture? by kassay · · Score: 2

      Not sure what the story is, but it sounds kind of fishy to me.

    6. Re:Blocking the Japanese ministry of agriculture? by vvaduva · · Score: 1

      It's probably address space shared by Yakuza too. Someone learned a lesson the hard way.

    7. Re:Blocking the Japanese ministry of agriculture? by sociocapitalist · · Score: 1

      That block belongs to the Japanese "Ministry of Agriculture,Forestry and Phisheries - Agriculture,Forestry and Phisheries Research Council".

      FTFY

      --
      blindly antisocialist = antisocial

    8. Re:Blocking the Japanese ministry of agriculture? by Anonymous Coward · · Score: 0

      Floor 13 (video game) :

      The player takes on the role of the Director General of the "Department of Agriculture and Fisheries", a non-existent Executive Agency that conceals a secret police which keeps the government popular by any means necessary. Answering only to the Prime Minister, the Director General has the power to use wiretapping, surveillance, smear tactics, disinformation, burglary, kidnapping, torture, and assassination to keep the government popular with the people.

    9. Re:Blocking the Japanese ministry of agriculture? by KGIII · · Score: 1

      Two thirds of "pun" is "P-U." (Best said aloud.) Either way, that was wrong and you should feel bad. Cod as my witness, if you do that again, I'll beat you until you flounder on the floor. You dirty bass-tard.

      *sighs*

      I'm not proud.

      --
      "So long and thanks for all the fish."

    10. Re:Blocking the Japanese ministry of agriculture? by Anonymous Coward · · Score: 0

      Maybe the reason they didn't want to screw with them is the fact that we can't prove a negative such as the statement released

      We Do Not have any Gundam's

      by the Japanese Ministry of Agriculture. And Yes they did publish such a statement a while back.

  3. ask ed snowden about random exploit issues by Anonymous Coward · · Score: 0

    ask ed snowden your questions on /. continues... so ed, it says in the wires you want to come home & are willing to do time? there must be a way to misconstrue that if it's even true? so that's 2 questions.. thanks ed...

    1. Re:ask ed snowden about random exploit issues by KGIII · · Score: 1

      It would be awesome if Slashdot did a Snowden interview. I'd throw some funds at it if it were possible.

      --
      "So long and thanks for all the fish."

  4. Congrats to Cisco by Anonymous Coward · · Score: 0

    It's the first time they have done something positive... ever.

  5. No encryption? by Anonymous Coward · · Score: 0

    ransomware that encrypts files and they can't encrypt their servers.

  6. Law enforcement? by Anonymous Coward · · Score: 1

    When did Cisco become law enforcement? The research is interesting, but vigilante justice is kind of frowned upon here.

    1. Re:Law enforcement? by MagickalMyst · · Score: 3, Insightful

      "vigilante justice is kind of frowned upon here."

      Understandable.

      But what is the alternative? File a police report and wait for them to do something about it?

      --
      Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.

    2. Re:Law enforcement? by Anonymous Coward · · Score: 2, Informative

      Exactly what kind of 'vigilante justice' are you talking about? There was no such thing in the articles. Cisco informed a service provider they were hosting proxy servers that were part of a malware distribution scheme. Service provider shut down the servers and handed logs to Cisco. Totally their right to do so, and nothing out of the ordinary here.

    3. Re:Law enforcement? by KGIII · · Score: 1

      It's just misinformed whinging for the sake of whinging. We used Cisco gear. We replaced it with Juniper because it was much less expensive.

      --
      "So long and thanks for all the fish."

  7. Pity they can't secure their routers... by Anonymous Coward · · Score: 0

    You're fooling nobody on your security track record, Cisco.

    https://www.hackread.com/cisco-routers-vulnerable-to-malware-attacks/

    1. Re:Pity they can't secure their routers... by kc0re · · Score: 1

      You mean, if you have local, or root access, you can upload a malicious image to a router? Huh. Who knew.

  8. Thanks! But, WTF? by Anonymous Coward · · Score: 0

    I really appreciate their work and that they released the Snort policies for free.

    Unfortunately, I expect that Angler v3.0 will soon be released with new proxies, ports and other persistence features. The arms race continues.

    But, 64% of victims pay an average ransom of $300? WTF is wrong with these morons? Why the fuck would you pay them? Even if I didn't have a disinfection/recovery option, which most people do, I'd sooner buy a new machine than pay $300 for this shit! WTF?

    1. Re:Thanks! But, WTF? by Anonymous Coward · · Score: 1

      Say that after you've lost the only copy you have of important documents, or videos and pictures of your children back to their birth. Yes, not having backups is *another* kind of idiocy, but I can understand how people can have digital property on their PCs so precious that they would pay a ransom to get it back.

    2. Re:Thanks! But, WTF? by KGIII · · Score: 1

      I thought you had to pay for the 'community' Snort policies? I played with it a while back (I'm just a geek - I have no expertise, use case, or anything) and found that I wasn't even able to import the definitions though they claimed I could during my trial period.

      I was, it seems, doing it wrong. That's not surprising but if I don't poke and break then I am not learning. If I am not learning then I am not growing. If I am not growing then I serve no function. If I serve no function I have no place. If I have no place I should not consume resources. So, I try to learn and grow even if it's just to geek out on something new.

      --
      "So long and thanks for all the fish."

    3. Re:Thanks! But, WTF? by truck_soccer · · Score: 1

      Because people don't back their shit up.

  9. obvious question by Gravis+Zero · · Score: 5, Funny

    yes, it was interrupted but was this a non-maskable interrupt? ;)

    --
    Anons need not reply. Questions end with a question mark.

    1. Re:obvious question by MagickalMyst · · Score: 1

      :)

      (no mod points)

      --
      Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.

  10. Limestone Networks taking action you say? by Zocalo · · Score: 1

    Obviously Limestone still have problem customers, but actually taking action is new for them based on my past experiences with many, many ignored abuse reports. Have they cleaned up their act recently, or are they still a ghetto and we should operate under the assumption Cisco did some arm twisting to make this happen?

    --
    UNIX? They're not even circumcised! Savages!

    1. Re:Limestone Networks taking action you say? by pci · · Score: 1

      I'm going to hazard a guess that law enforcement was involved, otherwise I doubt any ISP would just hand over data.

      I'm just paranoid enough to assume most large US corporate funded security research teams are in daily, if not weekly, contact with authorities.

    2. Re:Limestone Networks taking action you say? by Anonymous Coward · · Score: 0

      Cisco is a huge, huge provider of equipment to the US government. I would be shocked if they didn't have some form cooperation going on.

  11. Missing detail by Anonymous Coward · · Score: 0

    ...they interrupted it by plugging a cable into switch port 1.

  12. I see Limestone is still a cesspool by Indy1 · · Score: 1

    they've been a spam haven for years. LARTS to them usually get ignored, so I ended up firewalling them a long time ago.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!