Cisco Blogs

Cisco Blog > Threat Research

Threat Spotlight: Cisco Talos Thwarts Access to Massive International Exploit Kit Generating $60M Annually From Ransomware Alone

This post was authored by Nick Biasini with contributions from Joel Esler, Nick Hebert, Warren Mercer, Matt Olney, Melissa Taylor, and Craig Williams.

Executive Summary

Today, Cisco struck a blow to a group of hackers, disrupting a significant international revenue stream generated by the notorious Angler Exploit Kit.  Angler is one of the largest exploit kit found on the market and has been making news as it has been linked to several high-profile malvertising/ransomware campaigns. This is the most advanced and concerning exploit kit on the market – designed to bypass security devices and ultimately attack the largest number of devices possible.

In its research, Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks ­ — with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30M annually.  This implies that if you apply the full scope of Angler activity the revenue generated could exceed $60M annually. Talos gained additional visibility into the global activity of the network through their ongoing collaboration with Level 3 Threat Research Labs. Finally, thanks to our continued collaboration with OpenDNS we were able to gain in-depth visibility into the domain activity associated with the adversaries.

Cisco then took action:

  • Shutting down access for customers by updating products to stop redirects to the Angler proxy servers.
  • Released Snort rules to detect and block checks from the health checks
  • All rules are being released to the community through  Snort
  • Publishing communications mechanisms including protocols so others can protect themselves and customers.
  • Cisco is also publishing IoCs so that defenders can analyze their own network activity and block access to remaining servers

This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually.

Read More »

Tags: , , ,

Improvements to Cisco’s Security Vulnerability Disclosures

Cisco is committed to protecting customers by sharing critical security-related information in different formats. Guided by customer feedback, Cisco’s Product Security Incident Response Team (PSIRT) is seeking ways to improve how we communicate information about Cisco product vulnerabilities to our Customers and Partners.  As John Stewart mentioned on his blog post, the Cisco PSIRT has launched a new and improved security vulnerability disclosure format. The new Cisco Security Advisories can be accessed at and at

The intent is to make it easier for Customers and Partners to access information about all security vulnerabilities in Cisco products. Each vulnerability disclosed through our new security advisories are assigned a Common Vulnerability and Exposures (CVE) identifier to aid in identification. Additionally, Cisco will continue to assess all vulnerabilities using the Common Vulnerability Scoring System (CVSS). Check out the sites for CVE, CVSS, and this CVSS scoring calculator if these terms are relatively new to you or you simply need a refresher.

Read More »

Tags: , , , , , , , , ,

Streamlining the Response to Security Vulnerabilities

With security threats evolving at a staggering pace, we’re hearing from our customers that their network administrators are often finding it difficult to keep up. They are challenged to make informed decisions quickly enough and prioritize their responses to incoming threats. Not surprising since with each new threat and the related vulnerabilities IT leaders are faced with several questions:

  • Where do I go to find information?
  • Which information is for background and which requires immediate action?
  • What has changed since the original publication?
  • Does this apply to my network of devices?
  • What resources should I go to for prevention, detection and remediation?

We are constantly looking at ways to help our customers and partners reduce the time it takes to mitigate security breaches so I’m pleased to announce a new and improved security vulnerability disclosure format for Cisco Security Advisories that should make it much easier for administrators to understand and respond to threats.

Read More »

Looking Into a Crystal Ball for the Future of Cybersecurity

Every once in a while you need to take a step back, and think about the future. Where’s a good place to look for high risk, high opportunity ideas in the future of computer security? New Security Paradigms Workshop (NSPW) is a crystal ball view into the future of cybersecurity. NSPW is an invitation only workshop dedicated to in-depth discussions of radical forward thinking in security research. Here are highlights from a handful of presentations that pursue areas that might be evocative or inspirational to the broader Cisco security community.

Milware: Identification and Implications of State Authored Malicious Software is a research effort that starts with looking to establish a technical basis for distinction between mal- and milware. The authors evaluated and reverse engineered sample malicious software to establish an initial set of criteria that consistently distinguishes the samples identified as state or non-state authored. These are:

  • Specificity of (constraints on) propagation method
  • Manner of movement in target network (e.g. lateral, higher value targets)
  • Specificity and severity of exploits (e.g. higher CVSS scores), and
  • Customization of payload (code and tools used).

Read More »

Tags: , ,

Cybersecurity: What Needs to Change Now

October is National Cyber Security Awareness Month in the United States. This year’s campaign emphasizes cybersecurity as part of a deliberate strategy and a shared responsibility, not just a checkbox item.

At Cisco, we believe two key things must change in the security industry. First, we need to acknowledge that security is a strategy, and one that senior leaders in all organizations must embrace and own. Second, IT vendors—and all other vendors that are now embedding information technology in their offerings—must produce products, services and solutions that customers can trust.

Given Cisco’s global security footprint, we see a lot of data on Internet attacks, infected websites, malware, and actor activity. This gives us unique insight into what is affecting businesses, including our own. We’ve had the opportunity to be “on the ground” for every major breach in the last couple of years, with team members of mine on site helping the people who need help. Read More »

Tags: , ,