Cisco Blogs


Cisco Blog > Threat Research

Bedep Lurking in Angler’s Shadows

This post is authored by Nick Biasini.

In October 2015, Talos released our detailed investigation of the Angler Exploit Kit which outlined the infrastructure and monetary impact of an exploit kit campaign delivering ransomware. During the investigation we found that two thirds of Angler’s payloads were some variation of ransomware and noted one of the other major payloads was Bedep. Bedep is a malware downloader that is exclusive to Angler. This post will discuss the Bedep side of Angler and draw some pretty clear connections between Angler and Bedep.

Adversaries continue to evolve and have become increasingly good at hiding the connections to the nefarious activities in which they are involved. As security researchers we are always looking for the bread crumbs that can link these threats together to try and identify the connections and groups that operate. This is one of those instances were a couple of crumbs came together and formed some unexpected connections. By tying together a couple of registrant accounts, email addresses, and domain activity Talos was able to track down a group that has connections to threats on multiple fronts including: exploit kits, trojans, email worms, and click fraud. These activities all have monetary value, but are difficult to quantify unlike a ransomware payload with a specific cost to decrypt.

 

Read More >>

Tags: , , , , , ,

The Value of Collaboration in Weakening Attackers

Today’s attackers deploy complex and clever threats that are difficult to combat with just one method of defense. In some cases, defenders must go beyond tools for detecting attacks and devise a different approach for obstructing our adversaries’ ability to operate.

As detailed in the Cisco 2016 Annual Security Report, recent collaborative efforts between Cisco, Limestone Networks, and Level 3 Threat Research Labs have weakened the impact of two threats: the distribution of the Angler exploit kit, and the rapid growth of one of the Internet’s largest DDoS weapons built out by SSHPsychos. Read More »

Tags: , , , , ,

Angler for Beginners in 34 Seconds

Post authored by Martin Rehak, Veronica Valeros, Martin Grill and Ivan Nikolaev.

In order to complement the comprehensive information about the Angler exploit kit from our Talos colleagues [Talos Intel: Angler Exposed], let’s have a very brief look at what an Angler and CryptoWall infection looks like from the network perspective. We will present one of the recent Angler incidents discovered by Cognitive Threat Analytics (CTA).

Cognitive Threat Analytics works after the attack. It sifts through the logs produced by the client’s web proxy for any malware that may have slipped through the perimeter defences, such as this specific case here. CTA was able to observe the attack in its entirety (including the phases where the perimeter defence successfully blocked several stages in the attacker’s plan) and notify the security team immediately for follow-up and investigation.

So, how does an incident start for the analyst?

Screen+Shot+2015-10-07+at+14.10.30

We can see that the incident has been categorised as an Exploit Kit infection. The system asserts 95% confidence in this incident being a true positive, and classifies it on the level 8 (out of 10) on the risk scale.

Read More »

Tags: , , , , ,

Threat Spotlight: Cisco Talos Thwarts Access to Massive International Exploit Kit Generating $60M Annually From Ransomware Alone

This post was authored by Nick Biasini with contributions from Joel Esler, Nick Hebert, Warren Mercer, Matt Olney, Melissa Taylor, and Craig Williams.

Executive Summary

Today, Cisco struck a blow to a group of hackers, disrupting a significant international revenue stream generated by the notorious Angler Exploit Kit.  Angler is one of the largest exploit kit found on the market and has been making news as it has been linked to several high-profile malvertising/ransomware campaigns. This is the most advanced and concerning exploit kit on the market – designed to bypass security devices and ultimately attack the largest number of devices possible.

In its research, Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks ­ — with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30M annually.  This implies that if you apply the full scope of Angler activity the revenue generated could exceed $60M annually. Talos gained additional visibility into the global activity of the network through their ongoing collaboration with Level 3 Threat Research Labs. Finally, thanks to our continued collaboration with OpenDNS we were able to gain in-depth visibility into the domain activity associated with the adversaries.

Cisco then took action:

  • Shutting down access for customers by updating products to stop redirects to the Angler proxy servers.
  • Released Snort rules to detect and block checks from the health checks
  • All rules are being released to the community through  Snort
  • Publishing communications mechanisms including protocols so others can protect themselves and customers.
  • Cisco is also publishing IoCs so that defenders can analyze their own network activity and block access to remaining servers

This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually.

Watch Angler compromise a box and install ransomware at the end of the video.

Read More »

Tags: , , ,

Angler EK: More Obfuscation, Fake Extensions, and Other Nonsense

This post was authored by Nick Biasini

Late last week Talos researchers noticed a drastic uptick in Angler Exploit Kit activity. We have covered Angler previously, such as the discussion of domain shadowing. This exploit kit evolves on an almost constant basis. However, the recent activity caught our attention due to  a change to the URL structure of the landing pages. This type of change doesn’t occur often and was coupled with some other interesting tidbits including how the HTTP 302 cushioning has evolved and the payload of another ransomware has changed.

During research Talos identified several active Angler campaigns delivering different payloads via different methods.  The first campaign was delivering Cryptowall, which will be covered in detail here. The second delivered Bedep with click fraud and illustrates the variety with which Angler can be used to deliver different payloads.  The details of Bedep with click fraud has been covered thoroughly and will not be specifically discussed in this article.

Read More »

Tags: , , , ,