Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×

International Exploit Kit Angler Thwarted By Cisco Security Team 36

An anonymous reader writes: Researchers at a Cisco security unit have successfully interrupted the spread of a massive international exploit kit which is commonly used in ransomware attacks. The scientists discovered that around 50% of computers infected with Angler were connecting with servers based at a Dallas facility, owned by provider Limestone Networks. Once informed, Limestone cut the servers from its network and handed over the data to the researchers who were able to recover Angler authentication protocols, information needed to disrupt future diffusion.
This discussion has been archived. No new comments can be posted.

International Exploit Kit Angler Thwarted By Cisco Security Team

Comments Filter:
  • Fraud detection? (Score:2, Informative)

    by Anonymous Coward

    "The servers had been hired by cybercriminals using stolen payment details."

    Regardless of what was hosted on those servers, how did Limestone allow that many fraudulent accounts to get through? (rhetorical question btw...revenue is revenue if you know what I mean, wink wink)

    Btw, here's a very good in-depth description of Angler (i.e. yet another Microsoft Windows exploit):
    https://blogs.sophos.com/2015/... [sophos.com]

    • by Anonymous Coward

      "The servers had been hired by cybercriminals using stolen payment details."

      Regardless of what was hosted on those servers, how did Limestone allow that many fraudulent accounts to get through? (rhetorical question btw...revenue is revenue if you know what I mean, wink wink)

      Back to reality.. that's not really how it works. This is not revenue when you have to refund in a week after these proxy servers have used terabytes of bandwidth, techs have spent hours provisioning the server, handling abuse associated with the fraud servers, etc. The providers hosting angler and other botnets are getting ripped off the same way the users downloading it are.

  • The published Angler nginx proxy server configuration contains

    deny 150.26.0.0/16;

    That block belongs to the Japanese "Ministry of Agriculture,Forestry and Fisheries - Agriculture,Forestry and Fisheries Research Council". I wonder what the story is behind that.

    • by kbonin ( 58917 )

      Its common for intelligence organizations to label their IP block with other gov org names. Many of the SSH brute force scans I bothered to look up a few years ago originated from IP blocks owned by "China Railway Telecommunications Center".

    • They are in charge of Gundam:
      http://entertainment.slashdot.... [slashdot.org]

      They were likely just monitoring the botnet to ensure it wasn't used to deface the wiki article.
    • Not sure what the story is, but it sounds kind of fishy to me.
      • by KGIII ( 973947 )

        Two thirds of "pun" is "P-U." (Best said aloud.) Either way, that was wrong and you should feel bad. Cod as my witness, if you do that again, I'll beat you until you flounder on the floor. You dirty bass-tard.

        *sighs*

        I'm not proud.

    • by vvaduva ( 859950 )

      It's probably address space shared by Yakuza too. Someone learned a lesson the hard way

    • That block belongs to the Japanese "Ministry of Agriculture,Forestry and Phisheries - Agriculture,Forestry and Phisheries Research Council".

      FTFY

  • by Anonymous Coward

    When did Cisco become law enforcement? The research is interesting, but vigilante justice is kind of frowned upon here.

    • by MagickalMyst ( 1003128 ) on Tuesday October 06, 2015 @11:52AM (#50670809)
      "vigilante justice is kind of frowned upon here."

      Understandable.

      But what is the alternative? File a police report and wait for them to do something about it?
    • Re: (Score:2, Informative)

      by Anonymous Coward
      Exactly what kind of 'vigilante justice' are you talking about? There was no such thing in the articles. Cisco informed a service provider they were hosting proxy servers that were part of a malware distribution scheme. Service provider shut down the servers and handed logs to Cisco. Totally their right to do so, and nothing out of the ordinary here.
      • by KGIII ( 973947 )

        It's just misinformed whinging for the sake of whinging. We used Cisco gear. We replaced it with Juniper because it was much less expensive.

  • by Gravis Zero ( 934156 ) on Tuesday October 06, 2015 @11:30AM (#50670683)

    yes, it was interrupted but was this a non-maskable interrupt? ;)

  • Obviously Limestone still have problem customers, but actually taking action is new for them based on my past experiences with many, many ignored abuse reports. Have they cleaned up their act recently, or are they still a ghetto and we should operate under the assumption Cisco did some arm twisting to make this happen?
    • by pci ( 13339 )

      I'm going to hazard a guess that law enforcement was involved, otherwise I doubt any ISP would just hand over data.

      I'm just paranoid enough to assume most large US corporate funded security research teams are in daily, if not weekly, contact with authorities.

  • they've been a spam haven for years. LARTS to them usually get ignored, so I ended up firewalling them a long time ago.

Most public domain software is free, at least at first glance.

Working...