Cisco disrupts another exploit kit

After $60M Angler block, Talos security arm snags Russian RIG spambot hosts


Cisco has disrupted another exploit kit that was emanating from Russian service providers. The company’s Talos security operation said it blacklisted several Class C subnets from provider Eurobyte that were serving the RIG exploit kit or scored negatively in web reputation.

RIG is an exploit kit that delivers malicious payloads to unsuspecting users. It redirects users to a landing page and then delivers the exploit payload, in this case spambot variants, via a GET request, according to this Talos blog post.

During its RIG investigation, Talos discovered that of 44 IP addresses delivering RIG, 43 belonged to the same autonomous system number associated with WebZilla, a Russian service provider. All of the addresses were leased to Eurobyte, a leaf provider of WebZilla.

When notified by Talos of the RIG activity, WebZilla blocked the hosts. Eurobyte never responded nor acknowledged Talos’ queries, so the Cisco security operation blacklisted the offending subnets.

From the Talos post:

Despite multiple emails to Eurobyte, RIG activity continued as new addresses got stood up after being reported to WebZilla. This underscores one of the major problems we face today: leaf providers. As providers could have multiple downstream leaf providers, we find that we routinely have success in dealing with larger providers. These providers help get systems shut down, but without the cooperation of the smaller downstream providers the adversaries just stand up new servers and move on. We were able to inflict some damage to RIG during our investigation, but were unable to actually get the actors behind the activity stopped.
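The defensive pattern described above (attribute each delivery host to its autonomous system, then blacklist whole Class C, i.e. /24, subnets rather than single hosts so that newly stood-up servers in the same range are caught) as an added Python example; this is not code from the article or from Talos, and the IP addresses and ASN numbers are constructed placeholders from documentation ranges, not the real WebZilla or Eurobyte allocations.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of (delivery host, ASN) observations an analyst might
# have gathered. ASNs 64500/64501 are private-use placeholders, addresses
# come from RFC 5737 documentation ranges; none belong to any real provider.
OBSERVED = [
    ("203.0.113.10", 64500), ("203.0.113.77", 64500), ("203.0.113.201", 64500),
    ("198.51.100.5", 64500), ("198.51.100.9", 64500),
    ("192.0.2.44", 64501),
]


def dominant_asn(observed):
    """Return (asn, hosts_in_that_asn, total_hosts) for the most common ASN."""
    counts = Counter(asn for _, asn in observed)
    asn, n = counts.most_common(1)[0]
    return asn, n, len(observed)


def subnets_to_block(observed, asn, min_hosts=2):
    """Collapse hosts in `asn` into /24 networks seen with >= min_hosts hosts.

    Blocking the /24 instead of the single IP is what catches a replacement
    server stood up in the same range after the first one is reported.
    """
    per_net = defaultdict(set)
    for ip, host_asn in observed:
        if host_asn != asn:
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        per_net[net].add(ipaddress.ip_address(ip))
    return sorted(net for net, hosts in per_net.items() if len(hosts) >= min_hosts)


def is_blocked(ip, blocklist):
    """True if `ip` falls inside any blocked network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


if __name__ == "__main__":
    asn, n, total = dominant_asn(OBSERVED)
    print(f"{n} of {total} delivery hosts sit in AS{asn}")
    blocklist = subnets_to_block(OBSERVED, asn)
    for net in blocklist:
        print("block", net)
    # A host never seen before, but inside a blocked /24, is already covered.
    print("203.0.113.150 blocked:", is_blocked("203.0.113.150", blocklist))
```

The limitation Talos describes still applies: a replacement server in a different subnet of the same leaf provider needs a fresh observation before it is covered.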

Last October, Cisco Talos thwarted a $60 million Angler ransomware exploit kit. But it’s hard to monetize and quantify the financial impact of the RIG exploit Cisco disrupted because the payloads were spambots, and the victims were just generating spam, says Nick Biasini, threat researcher in the Talos Security Intelligence and Research Group.

