Slashdot Mirror
Uncooperative Russian ISP Prevents Cisco From Shutting Down Cybercriminal Gang
An anonymous reader writes: Cisco's Talos research team has managed to identify and partially shut down a cyber-criminal group that is using the RIG exploit kit to infect users with spambots via a malvertising campaign. Their investigation led them back to Russian ISP Eurobyte, who didn't bother answering critical emails and allowed the campaign to go on even today. In October 2015, Cisco's researchers also thwarted the activity of another group of cyber-criminals that made around $30 million from distributing ransomware.
I'm pretty sure I would never even notice, and the internet would be a safer place.
"This particular group used a series of security vulnerabilities, but most of the time, it was using the CVE-2015-5119 flaw in Flash, which allowed the group to compromise computers and later infect them with spambots. Cisco reports that, in most cases, the main payload was the Tofsee spambot variant, which infected Windows machines via Internet Explorer."
That would make the ISP responsible for investigating Cisco's claim (which may be false), which means they'd have to hire techs and so on. If they shut the site down, and Cisco are wrong, they would face liability.
Cisco would be better suing the ISP for the sites details, and then suing the site owners in the court.
*However*, this is a flash exploit and an Internet Explorer exploit, and the fix is for Adobe and Microsoft to fix their shit, because even if the ISP does shut this down, it will be like playing wack-a-mole. As long as the vulnerability exists, it will be exploited, not just by spammers but by malicious governments like UK and US, China, Russia the lot.
cisco is not responsible for policing the net, nor is it legally able to interpret law, and has no power whatsoever to enforce it. this seems to be pure vigilantism at best , and no different from actions of a criminal gang at worst.
let legitimate law enforcement do their job following due process. if they are behind the times that a function of freedom and speed of progress.
should any one trust cisco? same that allows and cooperates with the illegal surveillance by nsa etc?
Remember this when I leave your website or refuse to turn off my ad blockers.
You won't find any Russian business that would respond to inquiries this week (with the exception of employees working from home even though they shouldn't). Reason: all Russians have official holidays that started on January 1 and will end on January 11.
I tell everyone I know to use them.
Advertisers either fix your shit or loose out? If you can't regulate yourselves in regards to 3rd party networks and ethical ads then you will be out of business.
Fact of the matter is it is too dangerous to run without one. That should go right up there with browsing the net as administrator or root and using IE 6 these days.
Also for those who say they are safe as long as they don't click or run anything, all I can say is told you so! Open a page with flash and your 0wned. Simple
http://saveie6.com/
Russia needs the money. Even the president can't afford a shirt.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Bet a hundred quatloos that this so-called "ISP" are the malware peddlers themselves. Either that, or they know fully well who their customers are, and they interpret Cisco's communications as nothing more than a request to shut down a well paying customer.
This is not a unique phenomenon. This is a fairly common reaction to abuse and spam complaints. You want us to shut down a paying customer? Why would we want to do that?
The key to effectively deal with network abuse is to make the responsible party understand that it's in their best interest to do that. Otherwise they stand to lose more than they are profiting from network abuse. As long as effective public email blacklist exist, network providers will have to reluctantly terminate their spambags, else their entire network gets blacklisted and they lose more, as their other, non-spamming pissed off customers flee to other providers, in order to be able to send mail.
The same thing here. Presuming that this is a bone-fide provider, and not a sock puppet for the malware peddlers, the appropriate step of action is to escalate to their upstream, and attempt to get their cooperation, and have them agree to terminate the circuit to their rogue downstream provider, unless they get rid of the spamware peddlers. And keep escalating upstream, as far as necessary. Now, we're talking Cisco here, right? Well, it shouldn't take long before Cisco ends up talking to someone that uses their hardware in their core business. At this point, it's now going to be up to Cisco to put up and shut up, and inform their customer that unless this is dealt with, they will respectfully decline to renew their own customer's support contracts.
Could this sequence of events actually come to fruition? Extremely unlikely, but this is the only way to effectively deal with network abuse.
There is a saying in Russia, which says that Russians do not give away Russians.
This is a cliche statement, which reflects the mentality of how some of the Russians are taught and trained themselves to believe of anyting non Russian related. Here is the caricature of Russian mentality which summarizes how they want to view you: https://www.facebook.com/photo...
Jokes aside, in United States if somebody would want some law enforcement to give away their informers, we would say: screw you.
What did Canada do to end up on that list?
The only thing I can see in common in those three is that they consistently whoop the US's ass in ice hockey.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If you cannot contact an ISP, you can contact Roskomnadzor. If you cannot contact Roskomnadzor you always can contact a FSB (KGB) because it's FSB that ultimately manages our information security and is basically somehow immune to bribes. Especially if you are Cisco.
Just push a mod to the BGP tables. Problem goes away.
Have gnu, will travel.
It does not matter what does it host, be it CP, Mein Kampf or just a botnet. It either cooperates with Roskomnadzor, FSB and Department R (Or maybe K, I cannot remember) in catching or at least suppression of criminals, or loses it's license.
who didn't bother answering critical emails
I don't answer critical emails either. However, if you send me nice ones, or polite ones I might even read them.
You'd think that if this was something SERIOUS for Cisco, they'd at least bother to pick up the phone - maybe even go to the effort of finding someone who spoke russian. As it is, this outfit, like everyone else on the planet probably gets spammed senseless. Especially through public email addresses. Who can blame someone for ignoring emails from unsolicited sources?
To sum up, this sounds like the lazy excuse of an indolent individual: Why haven't you done X? asks the boss. "Well I sent them an email, but they never replied" whines the guy who just wants to get back to playing Facebook.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Sounds like the ISP is very cooperative, just not with who the submitter would like.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Seriously, if cisco approached me about a criminal matter I would ignore them to. They have no legal authority to demand anything from anyone.
No, blame Canada, blame Canada
With all their beady little eyes
And flappin' heads so full of lies
Blame Canada, blame Canada
We need to form a full assault
It's Canada's fault
Entire 1-10 January is holiday due to weekends configuration this year. Almost noone works while it happens. So obviously noone is available to respond to Cisco complaints either.
Who do you think hit the Ukrainian power network the other week? Who do you think regularly attacks Ukrainian government web sites? Who do you think allows the army of Russian trolls located in St. Petersburg to remain active to spew their nonsense?
If anyone is surprised the Russians don't respond to close down hackers emanating from within their borders, they've been living under a rock for the last decade. This is what Russia is now known for, other than collapsing economy and a ruble not far behind. They have nothing else and the only way to take their minds off the problems Heir Putin has created is to blame someone, anyone, for their self-inflicted problems.
After all, they need to do something to cover up the roughly 2,000 dead Russian soldiers who have died invading Ukraine, the money they're losing as Putin tries to prop up the dictator Assad, not to mention the terrorists in East Ukraine who have literally destroyed everything they touch. As Russia begins to run out of money towards the end of this year, be prepared for an even bigger onslaught of trolls as their desperation becomes frenetic.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Eurobyte operate a fairly big block rented from Webazilla, which is 46.30.40.0/21.. and I recommend that you block traffic to that entire lot. But a lot of Webazilla's other customer are pretty shitty too. I don't think you miss much if you blocked traffic to the entire AS35415.
Never email donotemail@WeAreSpammers.com
We see the same behaviour regardless of country. In Australia the only way we were able to get anything more than a generic response was by reporting it through ASD, With the US we have never managed to get a response from ISP's there, we just forward to the US authorities now and hope they deal with it. Basically unless you are coming through the local government then you are fucked getting just about ANY ISP to do anything useful.
Absolutely. You, and your business, should do exactly that.
"So long and thanks for all the fish."
and nothing new. You pay a little premium not to be disconnected as soon as somebody sends a legal request. Not reacting to something like that is what their customer pays for.
No Russian criminals aren't smarter, they just don't have federal groups throwing them in jail so they can get away with more.