Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×

Uncooperative Russian ISP Prevents Cisco From Shutting Down Cybercriminal Gang 122

An anonymous reader writes: Cisco's Talos research team has managed to identify and partially shut down a cyber-criminal group that is using the RIG exploit kit to infect users with spambots via a malvertising campaign. Their investigation led them back to Russian ISP Eurobyte, who didn't bother answering critical emails and allowed the campaign to go on even today. In October 2015, Cisco's researchers also thwarted the activity of another group of cyber-criminals that made around $30 million from distributing ransomware.
This discussion has been archived. No new comments can be posted.

Uncooperative Russian ISP Prevents Cisco From Shutting Down Cybercriminal Gang

Comments Filter:
  • by Anonymous Coward on Saturday January 09, 2016 @10:28AM (#51268105)
    I'm pretty sure I would never even notice, and the internet would be a safer place.
    • Re: (Score:3, Funny)

      Where is Donald Trump when you need him?

      • Re: (Score:2, Funny)

        by FatdogHaiku ( 978357 )

        Where is Donald Trump when you need him?

        Building a wall around the internet... it's gonna be Huuuuuge!

        • by sjames ( 1099 )

          Trump claims he's great at building things, I say we find out. Give him a bag of cement, bricks and a trowel and tell him to get to it. Let's see how he does.

          Otherwise, what he really means is that he's good at telling other people to build so he doesn't have to.

          • by Dahamma ( 304068 )

            I'd add: he's good at telling other people to build things with other people's money, so if the first other people screw up, the second other people are the ones losing their shirts, not him.

            That's the key to getting ultra-rich these days, especially in Wall Street - take a profit/bonus when things are good, let someone else take the loss when they are bad. Building something tangible along the way is incidental, and in fact usually just a distraction.

    • by Anonymous Coward on Saturday January 09, 2016 @11:59AM (#51268489)

      I run my own firewall and I actually did block, among some other areas, everything East from my country, including Russia. Whole of Asia, Africa, South America and Australia. The average attack attempts to my web servers dropped from hundreds per week to a couple per week. It's also really nice how you can block inbound and outbound or just inbound traffic.

      • by myowntrueself ( 607117 ) on Saturday January 09, 2016 @04:52PM (#51269655)

        I run my own firewall and I actually did block, among some other areas, everything East from my country, including Russia. Whole of Asia, Africa, South America and Australia. The average attack attempts to my web servers dropped from hundreds per week to a couple per week. It's also really nice how you can block inbound and outbound or just inbound traffic.

        And yet you let through traffic from the USA? The number one source of internet attacks?

        http://www.statista.com/statis... [statista.com]

    • by qeveren ( 318805 )

      I'd miss all the insane dashcam and drunk Russian videos, though. :(

    • yep, After all how could isolating yourself from one of the largest and fastest growing economies in the world with deep economic ties possibly affect you!
  • "This particular group used a series of security vulnerabilities, but most of the time, it was using the CVE-2015-5119 flaw in Flash, which allowed the group to compromise computers and later infect them with spambots. Cisco reports that, in most cases, the main payload was the Tofsee spambot variant, which infected Windows machines via Internet Explorer."

    That would make the ISP responsible for investigating Cisco's claim (which may be false), which means they'd have to hire techs and so on. If they shut th

    • by Dahamma ( 304068 ) on Saturday January 09, 2016 @04:08PM (#51269525)

      Cisco would be better suing the ISP for the sites details, and then suing the site owners in the court.

      In Russian courts. Good luck with that. The hackers are probably protected and/or financed by the Russian mafia, which means they are effectively protected by the Russian government.

      They are better off convincing US or EU organizations the ISP is refusing to shut down known criminals, and getting the ISP blocked from Western countries/ISPs. Like most things of this nature, morality and politics are useless, it's only going to be fixed when it affects their wallet...

  • cisco is not responsible for policing the net, nor is it legally able to interpret law, and has no power whatsoever to enforce it. this seems to be pure vigilantism at best , and no different from actions of a criminal gang at worst.
    let legitimate law enforcement do their job following due process. if they are behind the times that a function of freedom and speed of progress.

    should any one trust cisco? same that allows and cooperates with the illegal surveillance by nsa etc?

     

    • "cisco is not responsible for policing the net, nor is it legally able to interpret law, and has no power whatsoever to enforce it."

      And even if it had, it would be in USA. Russia, you know, is a different country, with different authorities and different laws. What would your average USA company do if it recieved a requirement from a private company from another country but exactly the same?

  • by Anonymous Coward

    Remember this when I leave your website or refuse to turn off my ad blockers.

  • Holidays (Score:4, Informative)

    by Anonymous Coward on Saturday January 09, 2016 @11:08AM (#51268259)

    You won't find any Russian business that would respond to inquiries this week (with the exception of employees working from home even though they shouldn't). Reason: all Russians have official holidays that started on January 1 and will end on January 11.

    • Mod the parent up. It's the same as trying to get a response from China during the Spring Festival. Russians are fully at work all the way up to mid-day 31 Dec (so to say everybody is available through Western Christmas time), then everything is dead for 10 or so days till mid-January.
    • Re:Holidays (Score:4, Informative)

      by Jiro ( 131519 ) on Sunday January 10, 2016 @12:42AM (#51271237)

      TFA shows that researching the malware was done during the months of September and October 2015. It seems unlikely they would wait until New Years to contact the ISP.

  • Adblock folks (Score:5, Insightful)

    by Billly Gates ( 198444 ) on Saturday January 09, 2016 @11:12AM (#51268277) Journal

    I tell everyone I know to use them.

    Advertisers either fix your shit or loose out? If you can't regulate yourselves in regards to 3rd party networks and ethical ads then you will be out of business.

    Fact of the matter is it is too dangerous to run without one. That should go right up there with browsing the net as administrator or root and using IE 6 these days.

    Also for those who say they are safe as long as they don't click or run anything, all I can say is told you so! Open a page with flash and your 0wned. Simple

  • Come on (Score:5, Funny)

    by Hognoxious ( 631665 ) on Saturday January 09, 2016 @11:22AM (#51268323) Homepage Journal

    Russia needs the money. Even the president can't afford a shirt.

    • Does USA have enough gold and other valuables to exchange for all dollars it has ever issued? And how can you be sure that it's a gold and not a gold-plated tungsten?

      • Does USA have enough gold and other valuables to exchange for all dollars it has ever issued?

        Why are you even asking? It's the 21st century, not the 19th.

        One other thing: whooooosh!

      • by KGIII ( 973947 )

        How can you be sure? Well, you could try measuring it and then weighing it. 'Snot really complicated. Tungsten, by volume, has a different weight than gold. That's why you're not in charge.

  • by mrsam ( 12205 ) on Saturday January 09, 2016 @11:28AM (#51268339) Homepage

    Bet a hundred quatloos that this so-called "ISP" are the malware peddlers themselves. Either that, or they know fully well who their customers are, and they interpret Cisco's communications as nothing more than a request to shut down a well paying customer.

    This is not a unique phenomenon. This is a fairly common reaction to abuse and spam complaints. You want us to shut down a paying customer? Why would we want to do that?

    The key to effectively deal with network abuse is to make the responsible party understand that it's in their best interest to do that. Otherwise they stand to lose more than they are profiting from network abuse. As long as effective public email blacklist exist, network providers will have to reluctantly terminate their spambags, else their entire network gets blacklisted and they lose more, as their other, non-spamming pissed off customers flee to other providers, in order to be able to send mail.

    The same thing here. Presuming that this is a bone-fide provider, and not a sock puppet for the malware peddlers, the appropriate step of action is to escalate to their upstream, and attempt to get their cooperation, and have them agree to terminate the circuit to their rogue downstream provider, unless they get rid of the spamware peddlers. And keep escalating upstream, as far as necessary. Now, we're talking Cisco here, right? Well, it shouldn't take long before Cisco ends up talking to someone that uses their hardware in their core business. At this point, it's now going to be up to Cisco to put up and shut up, and inform their customer that unless this is dealt with, they will respectfully decline to renew their own customer's support contracts.

    Could this sequence of events actually come to fruition? Extremely unlikely, but this is the only way to effectively deal with network abuse.

    • Bet a hundred quatloos that this so-called "ISP" are the malware peddlers themselves. Either that, or they know fully well who their customers are

      Yep, that would be my guess. It's by far the most likely explanation- they're either the peddlers themselves or they're partners with them.

    • The first question is why Cisco is even doing this. Cisco has no business in what their equipment is used for and shouldn't be telling or shutting down their customers. They should talk to Interpol and Russian law enforcement and IF it is illegal, they should do the shutting down.

    • by Da w00t ( 1789 )
      Actually, a lot of them aren't paying customers. Well, they do pay, but with fraudulent credit cards, so the ISPs a lot of times are out a wad of cash.
    • Re: (Score:2, Insightful)

      "This is not a unique phenomenon. This is a fairly common reaction to abuse and spam complaints. You want us to shut down a paying customer? Why would we want to do that?"

      Why should it be any other way? Note the requestor is another company, not a legal authority, and it comes from a different country.

      We should, in fact, be very much worried if it happened any different.

      "As long as effective public email blacklist exist, network providers will have to reluctantly terminate their spambags"

      Of course yes, why

      • by N1AK ( 864906 )

        Of course yes, why the hell go throw the worries of having a legal system and legal forces to enact it when we can have some random vigilante telling apart what can and cannot be done.

        I let people into my house based on who I trust, recommendations from trusted sources etc. You might see that as random vigilantism but the government doesn't offer it, nor do I desire it to, provide recommendations on every individual. You don't have a legal right for your emails to reach me etc so why the hell would the lega

      • by mrsam ( 12205 )

        Of course yes, why the hell go throw the worries of having a legal system and legal forces to enact it when we can have some random vigilante telling apart what can and cannot be done.

        This phenomenon is called "free speech", perhaps you've heard of it. Anyone is free to say, on their web site, whether a particular sender's email should be accepted or rejected, and why. And it goes without saying that everyone else is free to either agree, or disagree and continue to use their own internal policy for email a

        • "This phenomenon is called "free speech", perhaps you've heard of it."

          I certainly do.

          "Anyone is free to say, on their web site, whether a particular sender's email should be accepted or rejected, and why. And it goes without saying that everyone else is free to either agree, or disagree and continue to use their own internal policy for email acceptance or rejectance."

          Yes. And that's vigilantism, and it usually ends the way it usually ends.

          My (strong) bet is that, if you are using any kind of blacklisting s

          • by mrsam ( 12205 )

            You call it "vigilantism", I call it free speech.

            My (strong) bet is that, if you are using any kind of blacklisting software you don't really know who are you blocking and why.

            So, you think you know more about someone who employs blacklisting, then they themselves. There's a word for that too. Actually two words: "arrogant elitism". You think you're smarter than everyone else, and that you know more about blacklists then the individual organizations who use them. That is, of course, a height of arrogance.

            N

            • "So, you think you know more about someone who employs blacklisting, then they themselves."

              Yes, I do. You see, I said "my (strong) bet": I'm pretty confident, not sure.

              "There's a word for that too. Actually two words: "arrogant elitism"."

              No, a single word is good enough: "experience". I usually work on email exchange platforms (not Microsoft Exchange, but SMTP hubs and smarthosts) and since my experience has been most postmasters using blacklists don't exactly know what emails are denying and why, bettin

              • by mrsam ( 12205 )

                And how exactly did you determine the state of their mind, and what they do or do not know?

                "Gee, all of a sudden my mail server acquires this mysterious configuration setting that rejects mail from all IP addresses on this particular blacklist. I have absolutely no idea where it came from..."

                • "And how exactly did you determine the state of their mind, and what they do or do not know?"

                  Just like any other would do: interacting with them and paying attention both at their discourse and their facts.

                  "Gee, all of a sudden my mail server acquires this mysterious configuration setting that rejects mail from all IP addresses on this particular blacklist. I have absolutely no idea where it came from..."

                  That's basically the case more times than not. Long story short, too many times it goes more or less li

    • by sjames ( 1099 )

      We're missing a lot of information here. Did Cisco email them in Russian? Did they ask nicely or post demands? Did they provide any evidence in the email?

      Depending on the nature of the bad guys, we also have to consider that there could be consequences well beyond loss of a few accounts if they shut them down.

    • The key to effectively deal with network abuse is to make the responsible party understand that it's in their best interest to do that. Otherwise they stand to lose more than they are profiting from network abuse. As long as effective public email blacklist exist, network providers will have to reluctantly terminate their spambags, else their entire network gets blacklisted and they lose more, as their other, non-spamming pissed off customers flee to other providers, in order to be able to send mail.

      The problem is that punishment is so severe that other ISPs will be very reluctant to use it so it's basically an empty threat.

      Traffic degradation, reducing the bandwidth for packets directed towards misbehaving ISPs, now that's a little easier to sell and could again be very effective.

      Of course this is running right into the net neutrality debate and goes under the heading of "be careful what you wish for". We want to shut down the cybercriminals, others want to shut down the torrent servers, and some even

  • There is a saying in Russia, which says that Russians do not give away Russians.

    This is a cliche statement, which reflects the mentality of how some of the Russians are taught and trained themselves to believe of anyting non Russian related. Here is the caricature of Russian mentality which summarizes how they want to view you: https://www.facebook.com/photo... [facebook.com]

    Jokes aside, in United States if somebody would want some law enforcement to give away their informers, we would say: screw you.

  • Just push a mod to the BGP tables. Problem goes away.

    • by dstrupl ( 588119 )
      Yup, that is what they actually did (as figured after RTFA). They have blacklisted both the IPs and domains served by that provider for all Cisco and their customers. So no big deal at the end of the day.
  • Email - or spam? (Score:4, Insightful)

    by petes_PoV ( 912422 ) on Saturday January 09, 2016 @01:06PM (#51268743)

    who didn't bother answering critical emails

    I don't answer critical emails either. However, if you send me nice ones, or polite ones I might even read them.

    You'd think that if this was something SERIOUS for Cisco, they'd at least bother to pick up the phone - maybe even go to the effort of finding someone who spoke russian. As it is, this outfit, like everyone else on the planet probably gets spammed senseless. Especially through public email addresses. Who can blame someone for ignoring emails from unsolicited sources?

    To sum up, this sounds like the lazy excuse of an indolent individual: Why haven't you done X? asks the boss. "Well I sent them an email, but they never replied" whines the guy who just wants to get back to playing Facebook.

    • Cisco's researchers also thwarted the activity of another group of cyber-criminals that made around $30 million from distributing ransomware.

      When stupid amounts of untraceable money is involved, the inside-job becomes more of a reality.

  • Sounds like the ISP is very cooperative, just not with who the submitter would like.
  • Seriously, if cisco approached me about a criminal matter I would ignore them to. They have no legal authority to demand anything from anyone.

    • No one is obliged to accept their packets, and anyone is entitled to take Cisco's advice if they so choose.

      The point isn't that they should obey Cisco, but that they should not want to host criminal activity, and if informed of it they should investigate and take action if warranted. Furthermore, it is in their interest to do so, since otherwise other networks will stop exchanging packets with them, and their non-criminal clients will be disadvantaged and leave. Of course, that assumes they have non-crimina

  • Entire 1-10 January is holiday due to weekends configuration this year. Almost noone works while it happens. So obviously noone is available to respond to Cisco complaints either.
  • Who do you think hit the Ukrainian power network the other week? Who do you think regularly attacks Ukrainian government web sites? Who do you think allows the army of Russian trolls located in St. Petersburg [rferl.org] to remain active to spew their nonsense [nytimes.com]?

    If anyone is surprised the Russians don't respond to close down hackers emanating from within their borders, they've been living under a rock for the last decade. This is what Russia is now known for, other than collapsing economy and a ruble not far behi
  • by Dynamoo ( 527749 ) on Saturday January 09, 2016 @06:56PM (#51270081) Homepage
    Curiously enough, I am just running an analysis of several thousand domains hosted by Eurobyte. My preliminary data on about 7500 domains currently or historically hosted by this block is that 35% of them are tagged by Google as being malicious in some way. I'm guessing that most of the others are also malicious, but they haven't been tagged.

    Eurobyte operate a fairly big block rented from Webazilla, which is 46.30.40.0/21.. and I recommend that you block traffic to that entire lot. But a lot of Webazilla's other customer [he.net] are pretty shitty too. I don't think you miss much if you blocked traffic to the entire AS35415.

  • We see the same behaviour regardless of country. In Australia the only way we were able to get anything more than a generic response was by reporting it through ASD, With the US we have never managed to get a response from ISP's there, we just forward to the US authorities now and hope they deal with it. Basically unless you are coming through the local government then you are fucked getting just about ANY ISP to do anything useful.
  • by drolli ( 522659 ) on Sunday January 10, 2016 @06:19AM (#51271761) Journal

    and nothing new. You pay a little premium not to be disconnected as soon as somebody sends a legal request. Not reacting to something like that is what their customer pays for.

Serving coffee on aircraft causes turbulence.

Working...