Cisco has disrupted another exploit kit that was emanating from Russian service providers. The company’s Talos security operation said it blacklisted several Class C subnets from provider Eurobyte that were serving the RIG exploit kit or scored negatively in web reputation.
RIG is an exploit kit that delivers malicious payloads to unsuspecting users. It redirects victims to a landing page and then delivers the exploit payload, in this case spambot variants, via a GET request, according to a Talos blog post.
During its RIG investigation, Talos discovered that of 44 IP addresses delivering RIG, 43 belonged to the same autonomous system number associated with WebZilla, a Russian service provider. All of the addresses were leased to Eurobyte, a leaf provider of WebZilla.
When notified by Talos of the RIG activity, WebZilla blocked the hosts. Eurobyte never responded nor acknowledged Talos’ queries, so the Cisco security operation blacklisted the offending subnets.
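As an added illustration of the response described above (this is example code, not Talos's or Cisco's own tooling), the following Python groups observed exploit-kit serving addresses by ASN, collapses them into /24 ("Class C") netblocks once a block holds more than one serving host, and screens proxy log lines against the resulting blocklist. The addresses, ASNs and log lines are constructed sample data from documentation ranges, not the Eurobyte or WebZilla addresses from the investigation.

```python
"""Aggregate observed exploit-kit hosts into /24 blocks and screen traffic against them.

Added example. All IPs are from RFC 5737 documentation ranges and the ASNs are
private-use placeholders; none of this is data from the Talos investigation.
"""
import ipaddress
from collections import Counter

# Constructed sample: IPs seen serving exploit-kit landing pages, paired with
# the ASN each resolved to at the time (placeholder ASNs, not real assignments).
OBSERVED = [
    ("203.0.113.14", 64500),
    ("203.0.113.27", 64500),
    ("203.0.113.201", 64500),
    ("198.51.100.9", 64500),
    ("198.51.100.77", 64500),
    ("192.0.2.45", 64511),
]

# Constructed proxy log excerpt: <timestamp> <client> <dest_ip> <method> <path>
SAMPLE_LOG = [
    "2016-03-02T10:01:22 10.0.0.5 203.0.113.14 GET /landing",
    "2016-03-02T10:01:23 10.0.0.5 93.184.216.34 GET /index.html",
    "2016-03-02T10:02:07 10.0.0.9 198.51.100.77 GET /landing",
    "2016-03-02T10:02:41 10.0.0.9 192.0.2.45 GET /landing",
]


def asn_breakdown(observed):
    """Count how many serving hosts sit in each ASN.

    This is the check that showed 43 of 44 RIG hosts sharing one ASN: a heavy
    skew toward a single AS points at a single provider to notify.
    """
    return Counter(asn for _, asn in observed)


def class_c_blocks(observed, min_hosts=2):
    """Collapse individual hosts into their /24 parents.

    Only netblocks with at least `min_hosts` serving addresses are returned, so
    a lone IP in an otherwise clean /24 does not take the whole block down.
    """
    per_block = Counter(
        ipaddress.ip_network(f"{ip}/24", strict=False) for ip, _ in observed
    )
    return sorted(
        (net for net, n in per_block.items() if n >= min_hosts),
        key=lambda net: int(net.network_address),
    )


def is_blocked(ip, blocks):
    """True if `ip` falls inside any blocked netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocks)


def screen_requests(lines, blocks):
    """Return the log lines whose destination address is in a blocked netblock."""
    hits = []
    for line in lines:
        fields = line.split()
        dst = fields[2]
        if is_blocked(dst, blocks):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("hosts per ASN:", dict(asn_breakdown(OBSERVED)))
    blocks = class_c_blocks(OBSERVED)
    print("blocked /24s:", [str(b) for b in blocks])
    for hit in screen_requests(SAMPLE_LOG, blocks):
        print("blocked request:", hit)
```

The threshold in `class_c_blocks` is the practitioner's judgement call: blocking a whole /24 on one sighting is cheap for the defender but takes down every tenant in that block, which is why the example defaults to requiring a second host before the netblock, rather than the host, is listed.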
From the Talos post:
Despite multiple emails to Eurobyte, RIG activity continued as new addresses got stood up after being reported to WebZilla. This underscores one of the major problems we face today: leaf providers. As providers could have multiple downstream leaf providers, we find that we routinely have success in dealing with larger providers. These providers help get systems shut down, but without the cooperation of the smaller downstream providers the adversaries just stand up new servers and move on. We were able to inflict some damage to RIG during our investigation, but were unable to actually get the actors behind the activity stopped.
Last October, Cisco Talos disrupted an Angler exploit kit operation that was delivering ransomware, valued at an estimated $60 million. But it is hard to quantify the financial impact of the RIG operation Cisco disrupted, because the payloads were spambots and the victims were simply generating spam, says Nick Biasini, a threat researcher in the Talos Security Intelligence and Research Group.
Follow Jim Duffy on Twitter