Uncooperative Russian ISP Prevents Cisco From Shutting Down Cybercriminal Gang 122
An anonymous reader writes: Cisco's Talos research team has managed to identify and partially shut down a cyber-criminal group that is using the RIG exploit kit to infect users with spambots via a malvertising campaign. Their investigation led them back to Russian ISP Eurobyte, who didn't bother answering critical emails and allowed the campaign to go on even today. In October 2015, Cisco's researchers also thwarted the activity of another group of cyber-criminals that made around $30 million from distributing ransomware.
Re: It would collapse US company profits. (Score:1)
Block all traffic to/from Russia and China. (Score:5, Insightful)
Re: (Score:3, Funny)
Where is Donald Trump when you need him?
Re: (Score:2, Funny)
Where is Donald Trump when you need him?
Building a wall around the internet... it's gonna be Huuuuuge!
Re: (Score:1)
Trump claims he's great at building things, I say we find out. Give him a bag of cement, bricks and a trowel and tell him to get to it. Let's see how he does.
Otherwise, what he really means is that he's good at telling other people to build so he doesn't have to.
Re: (Score:3)
I'd add: he's good at telling other people to build things with other people's money, so if the first other people screw up, the second other people are the ones losing their shirts, not him.
That's the key to getting ultra-rich these days, especially in Wall Street - take a profit/bonus when things are good, let someone else take the loss when they are bad. Building something tangible along the way is incidental, and in fact usually just a distraction.
Re:Block all traffic to/from Russia and China. (Score:5, Interesting)
I run my own firewall and I actually did block, among some other areas, everything East from my country, including Russia. Whole of Asia, Africa, South America and Australia. The average attack attempts to my web servers dropped from hundreds per week to a couple per week. It's also really nice how you can block inbound and outbound or just inbound traffic.
Re:Block all traffic to/from Russia and China. (Score:5, Interesting)
I run my own firewall and I actually did block, among some other areas, everything East from my country, including Russia. Whole of Asia, Africa, South America and Australia. The average attack attempts to my web servers dropped from hundreds per week to a couple per week. It's also really nice how you can block inbound and outbound or just inbound traffic.
And yet you let through traffic from the USA? The number one source of internet attacks?
http://www.statista.com/statis... [statista.com]
Re: (Score:3)
Irrelevant when his stats proved that his measures are what were needed.
which the actual stats call into question
Re: (Score:2)
Re: (Score:3)
I'd miss all the insane dashcam and drunk Russian videos, though. :(
Re: (Score:2)
Eh, they are all hosted on Youtube, anyway. Let Google be your proxy...
Re: (Score:2)
It's not their job to police their customers (Score:1)
"This particular group used a series of security vulnerabilities, but most of the time, it was using the CVE-2015-5119 flaw in Flash, which allowed the group to compromise computers and later infect them with spambots. Cisco reports that, in most cases, the main payload was the Tofsee spambot variant, which infected Windows machines via Internet Explorer."
That would make the ISP responsible for investigating Cisco's claim (which may be false), which means they'd have to hire techs and so on. If they shut th
Re:It's not their job to police their customers (Score:4)
Cisco would be better suing the ISP for the sites details, and then suing the site owners in the court.
In Russian courts. Good luck with that. The hackers are probably protected and/or financed by the Russian mafia, which means they are effectively protected by the Russian government.
They are better off convincing US or EU organizations the ISP is refusing to shut down known criminals, and getting the ISP blocked from Western countries/ISPs. Like most things of this nature, morality and politics are useless, it's only going to be fixed when it affects their wallet...
Re: It's not their job to police their customers (Score:1)
In Russian courts. Good luck with that.
Have those researchers ever tried to contact Roscompozor?
who made cisco police, judge, and jury? (Score:2, Insightful)
cisco is not responsible for policing the net, nor is it legally able to interpret law, and has no power whatsoever to enforce it. this seems to be pure vigilantism at best , and no different from actions of a criminal gang at worst.
let legitimate law enforcement do their job following due process. if they are behind the times that a function of freedom and speed of progress.
should any one trust cisco? same that allows and cooperates with the illegal surveillance by nsa etc?
Re: (Score:1)
The difference is the Russian government doesn't even bother hiding its support for the Russian oligarchy aka mafia.
But the real question is, why that did not concern you in 1990s, when Russia resembled the oligarchy/mafia-run state the most? Some sort of a 15-years lag in perception? I remember talking to Americans in early 2000s and they believed Russia was about the Communism. Now it's 2016 and you believe Russia is about the Oligarchy/Mafia. Hopefully you learn something in the next 15 years. ;-)
Re: (Score:1)
I can only suggest that you not take your limited exposure and extrapolate it to make assumptions based on everyone. That's not a very good method for drawing reasonable conclusions.
Re: (Score:1)
I can only suggest that you not take your limited exposure and extrapolate it to make assumptions based on everyone. That's not a very good method for drawing reasonable conclusions.
Surely. And I can only humbly suggest that you more better appreciate sarcasm.
Re: (Score:2)
"cisco is not responsible for policing the net, nor is it legally able to interpret law, and has no power whatsoever to enforce it."
And even if it had, it would be in USA. Russia, you know, is a different country, with different authorities and different laws. What would your average USA company do if it recieved a requirement from a private company from another country but exactly the same?
Web developers and website owners: (Score:2)
Remember this when I leave your website or refuse to turn off my ad blockers.
Re: (Score:3)
It does not matter what does it host, be it CP, Mein Kampf or just a botnet. It either cooperates with Roskomnadzor, FSB and Department R (Or maybe K, I cannot remember) in catching or at least suppression of criminals, or loses it's license.
Holidays (Score:4, Informative)
You won't find any Russian business that would respond to inquiries this week (with the exception of employees working from home even though they shouldn't). Reason: all Russians have official holidays that started on January 1 and will end on January 11.
Re: (Score:2)
Re:Holidays (Score:4, Informative)
TFA shows that researching the malware was done during the months of September and October 2015. It seems unlikely they would wait until New Years to contact the ISP.
Adblock folks (Score:5, Insightful)
I tell everyone I know to use them.
Advertisers either fix your shit or loose out? If you can't regulate yourselves in regards to 3rd party networks and ethical ads then you will be out of business.
Fact of the matter is it is too dangerous to run without one. That should go right up there with browsing the net as administrator or root and using IE 6 these days.
Also for those who say they are safe as long as they don't click or run anything, all I can say is told you so! Open a page with flash and your 0wned. Simple
Re: (Score:1)
Absolutely. You, and your business, should do exactly that.
Re:Corruptionstan... (Score:4, Funny)
If you cannot contact an ISP, you can contact Roskomnadzor. If you cannot contact Roskomnadzor you always can contact a FSB (KGB) because it's FSB that ultimately manages our information security and is basically somehow immune to bribes. Especially if you are Cisco.
Come on (Score:5, Funny)
Russia needs the money. Even the president can't afford a shirt.
Re: (Score:1)
Does USA have enough gold and other valuables to exchange for all dollars it has ever issued? And how can you be sure that it's a gold and not a gold-plated tungsten?
Re: (Score:2)
Why are you even asking? It's the 21st century, not the 19th.
One other thing: whooooosh!
Re: (Score:1)
How can you be sure? Well, you could try measuring it and then weighing it. 'Snot really complicated. Tungsten, by volume, has a different weight than gold. That's why you're not in charge.
Good luck with that (Score:5, Insightful)
Bet a hundred quatloos that this so-called "ISP" are the malware peddlers themselves. Either that, or they know fully well who their customers are, and they interpret Cisco's communications as nothing more than a request to shut down a well paying customer.
This is not a unique phenomenon. This is a fairly common reaction to abuse and spam complaints. You want us to shut down a paying customer? Why would we want to do that?
The key to effectively deal with network abuse is to make the responsible party understand that it's in their best interest to do that. Otherwise they stand to lose more than they are profiting from network abuse. As long as effective public email blacklist exist, network providers will have to reluctantly terminate their spambags, else their entire network gets blacklisted and they lose more, as their other, non-spamming pissed off customers flee to other providers, in order to be able to send mail.
The same thing here. Presuming that this is a bone-fide provider, and not a sock puppet for the malware peddlers, the appropriate step of action is to escalate to their upstream, and attempt to get their cooperation, and have them agree to terminate the circuit to their rogue downstream provider, unless they get rid of the spamware peddlers. And keep escalating upstream, as far as necessary. Now, we're talking Cisco here, right? Well, it shouldn't take long before Cisco ends up talking to someone that uses their hardware in their core business. At this point, it's now going to be up to Cisco to put up and shut up, and inform their customer that unless this is dealt with, they will respectfully decline to renew their own customer's support contracts.
Could this sequence of events actually come to fruition? Extremely unlikely, but this is the only way to effectively deal with network abuse.
Re: (Score:2)
Bet a hundred quatloos that this so-called "ISP" are the malware peddlers themselves. Either that, or they know fully well who their customers are
Yep, that would be my guess. It's by far the most likely explanation- they're either the peddlers themselves or they're partners with them.
Re: (Score:1)
Re: (Score:3)
Re: (Score:2, Insightful)
"This is not a unique phenomenon. This is a fairly common reaction to abuse and spam complaints. You want us to shut down a paying customer? Why would we want to do that?"
Why should it be any other way? Note the requestor is another company, not a legal authority, and it comes from a different country.
We should, in fact, be very much worried if it happened any different.
"As long as effective public email blacklist exist, network providers will have to reluctantly terminate their spambags"
Of course yes, why
Re: (Score:3)
I let people into my house based on who I trust, recommendations from trusted sources etc. You might see that as random vigilantism but the government doesn't offer it, nor do I desire it to, provide recommendations on every individual. You don't have a legal right for your emails to reach me etc so why the hell would the lega
Re: (Score:3)
This phenomenon is called "free speech", perhaps you've heard of it. Anyone is free to say, on their web site, whether a particular sender's email should be accepted or rejected, and why. And it goes without saying that everyone else is free to either agree, or disagree and continue to use their own internal policy for email a
Re: (Score:2)
"This phenomenon is called "free speech", perhaps you've heard of it."
I certainly do.
"Anyone is free to say, on their web site, whether a particular sender's email should be accepted or rejected, and why. And it goes without saying that everyone else is free to either agree, or disagree and continue to use their own internal policy for email acceptance or rejectance."
Yes. And that's vigilantism, and it usually ends the way it usually ends.
My (strong) bet is that, if you are using any kind of blacklisting s
Re: (Score:2)
You call it "vigilantism", I call it free speech.
So, you think you know more about someone who employs blacklisting, then they themselves. There's a word for that too. Actually two words: "arrogant elitism". You think you're smarter than everyone else, and that you know more about blacklists then the individual organizations who use them. That is, of course, a height of arrogance.
N
Re: (Score:2)
"So, you think you know more about someone who employs blacklisting, then they themselves."
Yes, I do. You see, I said "my (strong) bet": I'm pretty confident, not sure.
"There's a word for that too. Actually two words: "arrogant elitism"."
No, a single word is good enough: "experience". I usually work on email exchange platforms (not Microsoft Exchange, but SMTP hubs and smarthosts) and since my experience has been most postmasters using blacklists don't exactly know what emails are denying and why, bettin
Re: (Score:2)
And how exactly did you determine the state of their mind, and what they do or do not know?
"Gee, all of a sudden my mail server acquires this mysterious configuration setting that rejects mail from all IP addresses on this particular blacklist. I have absolutely no idea where it came from..."
Re: (Score:2)
"And how exactly did you determine the state of their mind, and what they do or do not know?"
Just like any other would do: interacting with them and paying attention both at their discourse and their facts.
"Gee, all of a sudden my mail server acquires this mysterious configuration setting that rejects mail from all IP addresses on this particular blacklist. I have absolutely no idea where it came from..."
That's basically the case more times than not. Long story short, too many times it goes more or less li
Re: (Score:2)
We're missing a lot of information here. Did Cisco email them in Russian? Did they ask nicely or post demands? Did they provide any evidence in the email?
Depending on the nature of the bad guys, we also have to consider that there could be consequences well beyond loss of a few accounts if they shut them down.
Re: (Score:2)
The key to effectively deal with network abuse is to make the responsible party understand that it's in their best interest to do that. Otherwise they stand to lose more than they are profiting from network abuse. As long as effective public email blacklist exist, network providers will have to reluctantly terminate their spambags, else their entire network gets blacklisted and they lose more, as their other, non-spamming pissed off customers flee to other providers, in order to be able to send mail.
The problem is that punishment is so severe that other ISPs will be very reluctant to use it so it's basically an empty threat.
Traffic degradation, reducing the bandwidth for packets directed towards misbehaving ISPs, now that's a little easier to sell and could again be very effective.
Of course this is running right into the net neutrality debate and goes under the heading of "be careful what you wish for". We want to shut down the cybercriminals, others want to shut down the torrent servers, and some even
There is a saying in Russia (Score:2)
There is a saying in Russia, which says that Russians do not give away Russians.
This is a cliche statement, which reflects the mentality of how some of the Russians are taught and trained themselves to believe of anyting non Russian related. Here is the caricature of Russian mentality which summarizes how they want to view you: https://www.facebook.com/photo... [facebook.com]
Jokes aside, in United States if somebody would want some law enforcement to give away their informers, we would say: screw you.
Re: (Score:2)
You might have to provide subtitles to that illustration to let non-Russians understand it.
Re: (Score:2)
The sign points to the grey side as 'Abroad' and the colourful side as 'Homeland'.
That's where the Russian bears live...
Re: (Score:3)
It's heartwarming to see that Russia and the US share some traits at least.
Re: (Score:2)
Is that father bear pointing to some sort of globe shaped Russian space ship? Or WTF is that supposed to be?
Re: (Score:2)
Re: (Score:2)
You know that this is asking for a "your mom" joke, right?
Re: (Score:2)
That's just beautiful. Naturally, every country in the world has their own version of this :-)
No problem (Score:2)
Just push a mod to the BGP tables. Problem goes away.
Re: (Score:1)
Email - or spam? (Score:4, Insightful)
who didn't bother answering critical emails
I don't answer critical emails either. However, if you send me nice ones, or polite ones I might even read them.
You'd think that if this was something SERIOUS for Cisco, they'd at least bother to pick up the phone - maybe even go to the effort of finding someone who spoke russian. As it is, this outfit, like everyone else on the planet probably gets spammed senseless. Especially through public email addresses. Who can blame someone for ignoring emails from unsolicited sources?
To sum up, this sounds like the lazy excuse of an indolent individual: Why haven't you done X? asks the boss. "Well I sent them an email, but they never replied" whines the guy who just wants to get back to playing Facebook.
Re: (Score:2)
Cisco's researchers also thwarted the activity of another group of cyber-criminals that made around $30 million from distributing ransomware.
When stupid amounts of untraceable money is involved, the inside-job becomes more of a reality.
Uncooperative? (Score:2)
What autority is cisco operationg from (Score:2)
Seriously, if cisco approached me about a criminal matter I would ignore them to. They have no legal authority to demand anything from anyone.
Re: (Score:2)
No one is obliged to accept their packets, and anyone is entitled to take Cisco's advice if they so choose.
The point isn't that they should obey Cisco, but that they should not want to host criminal activity, and if informed of it they should investigate and take action if warranted. Furthermore, it is in their interest to do so, since otherwise other networks will stop exchanging packets with them, and their non-criminal clients will be disadvantaged and leave. Of course, that assumes they have non-crimina
It's still holidays in Russia (Score:1)
Is anyone surprised? (Score:2)
If anyone is surprised the Russians don't respond to close down hackers emanating from within their borders, they've been living under a rock for the last decade. This is what Russia is now known for, other than collapsing economy and a ruble not far behi
46.30.40.0/21 (Score:3)
Eurobyte operate a fairly big block rented from Webazilla, which is 46.30.40.0/21.. and I recommend that you block traffic to that entire lot. But a lot of Webazilla's other customer [he.net] are pretty shitty too. I don't think you miss much if you blocked traffic to the entire AS35415.
sounds like standard ISP behaviour (Score:2)
It's called bulletproof hosting (Score:3)
and nothing new. You pay a little premium not to be disconnected as soon as somebody sends a legal request. Not reacting to something like that is what their customer pays for.
Re: (Score:3)
What did Canada do to end up on that list?
The only thing I can see in common in those three is that they consistently whoop the US's ass in ice hockey.
Re: (Score:2, Informative)
No, blame Canada, blame Canada
With all their beady little eyes
And flappin' heads so full of lies
Blame Canada, blame Canada
We need to form a full assault
It's Canada's fault