Cisco: notorious hackers using Linux cloak earn $30m a year

A new Cisco report could, with further help from others, put a dent in a lucrative ransomware operation and one of the most notorious rental hacking services on the web.

The Angler exploit kit (EK) is often the first EK to integrate new flaws in Adobe Flash Player into its automated hacking kit. The tool is sold to cybercrime gangs, which benefit from Angler's exploits, mostly for browsers and browser plugins. It's aimed at anyone with crimeware, such as banking credential stealers or ransomware, who doesn't have the time or skill to develop and maintain their own database of software exploits.

Cisco’s Talos security unit now claims to have discovered key details about how Angler operates, the services it relies on to maintain availability, and the revenues it’s capable of generating.

The conclusions drawn by Cisco are based on a 13-hour window into a single server, from which it observed 90,000 unique IP addresses being served at least one of the Angler EK's attack pages. Its observations also appear to be of a customer that used Angler rather than of the operators of the EK itself.

"By analyzing the behavior of just one node delivering Angler as well as a server monitoring these systems, Talos can reliably say that one threat actor was responsible for up to half of the Angler activity that we’ve observed globally. This malicious network generates approximately more than $30 million annually," Cisco said.

Though it's only a half-day glimpse into a portion of the Angler operation, Cisco's research also sheds light on an advanced cybercrime group that has so far evaded law enforcement despite being the purveyor of one of the most prolific hacking tools on the web.

The Angler EK has on occasion included exploits for Flash Player before Adobe released a patch for them, as happened after files leaked from Hacking Team, and it is often the first cybercrime kit to include Flash bugs once they become public.

One interesting feature of Angler's operations is a "health monitoring server" that gathers information about hosts under attack and removes evidence of that collection once the process is complete. The health server Cisco gained visibility into was also seen monitoring 147 other "proxy" servers, whose purpose was to redirect victims to attack pages hosting the actual exploits.

Cisco teamed up with Level 3 Threat Research Labs, OpenDNS and hosting firm Limestone Networks for its investigation.

Limestone Networks provided access to servers used by Angler, revealing how the group manages to distance itself from actual infections of end user devices.

“Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity,” Cisco noted.

Not surprisingly, Linux servers featured in Angler's operation; however, Cisco found that servers running a Linux image with the widely used nginx web server play a very specific role — namely, to disguise the source of an infection.

“When looking at the nginx configuration file … the most significant finding is that the servers that are seen compromising users are simply proxies to hosts that are serving the malicious activity,” Cisco noted.

This design helps Angler in the event that someone attempts to take down the server that appears to be the source of an exploit, and it also provides a central point from which to instruct those servers when they come into contact with potential targets.

Cisco notes that the Linux servers were being managed remotely via SSH as root, adding that they were likely compromised systems in Europe and Asia.

In an unrelated report last week, Akamai Networks drew attention to Linux malware known as Xor.DDoS that attempts to brute force SSH login credentials for the root user of a Linux system.
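Both findings point at the same basic control on the defender's side: watch sshd's authentication messages for repeated root password failures from one source, and treat a root login that follows such a burst as an incident. The script below is an added example written for this article; it is not Cisco's, Akamai's or Talos' code. It parses a constructed sample of syslog-style sshd lines (the hostname, PIDs and addresses are made up, and the syslog year is assumed because the format omits it), flags any source that fails root authentication at least `threshold` times inside a sliding window, and then reports any accepted root login from a flagged source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd messages in classic syslog format; not real log data.
# Host "web01", PIDs and the RFC 5737 documentation addresses are invented.
SAMPLE_AUTH_LOG = """\
Oct  6 10:14:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct  6 10:14:02 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 51023 ssh2
Oct  6 10:14:03 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 51024 ssh2
Oct  6 10:14:04 web01 sshd[2107]: Failed password for root from 203.0.113.7 port 51025 ssh2
Oct  6 10:14:05 web01 sshd[2109]: Failed password for root from 203.0.113.7 port 51026 ssh2
Oct  6 10:14:09 web01 sshd[2111]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Oct  6 10:20:30 web01 sshd[2150]: Failed password for invalid user admin from 198.51.100.9 port 40010 ssh2
Oct  6 10:31:00 web01 sshd[2170]: Accepted publickey for deploy from 192.0.2.44 port 50001 ssh2
Oct  6 11:02:11 web01 sshd[2201]: Failed password for root from 198.51.100.9 port 40011 ssh2
Oct  6 11:40:00 web01 sshd[2230]: Failed password for root from 198.51.100.9 port 40012 ssh2
"""

# Matches the "Accepted"/"Failed" authentication lines that OpenSSH's sshd logs.
# "invalid user" is an optional prefix sshd adds when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2015):
    """Return a dict for an sshd auth line, or None for lines we do not model.

    Classic syslog timestamps carry no year, so the caller supplies one
    (2015 is assumed here to match the period of the article)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_root_bruteforce(log_text, threshold=5, window_seconds=60, year=2015):
    """Map source IP -> peak number of failed root logins seen inside any
    window of `window_seconds`; only sources reaching `threshold` are returned."""
    failures = defaultdict(list)
    for e in filter(None, (parse_line(l, year) for l in log_text.splitlines())):
        if e["result"] == "Failed" and e["user"] == "root":
            failures[e["ip"]].append(e["ts"])

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


def root_logins_after_bruteforce(log_text, threshold=5, window_seconds=60, year=2015):
    """Sources that were flagged for brute forcing root AND later produced an
    accepted root login; these are the cases worth treating as a compromise."""
    flagged = detect_root_bruteforce(log_text, threshold, window_seconds, year)
    hits = []
    for e in filter(None, (parse_line(l, year) for l in log_text.splitlines())):
        if e["result"] == "Accepted" and e["user"] == "root" and e["ip"] in flagged:
            if e["ip"] not in hits:
                hits.append(e["ip"])
    return hits


if __name__ == "__main__":
    print("brute-force sources:", detect_root_bruteforce(SAMPLE_AUTH_LOG))
    print("root logins from flagged sources:", root_logins_after_bruteforce(SAMPLE_AUTH_LOG))
```

In the sample, 203.0.113.7 fails five root logins in four seconds and then succeeds, so it is reported twice; 198.51.100.9 spreads two root failures over 38 minutes and never crosses the threshold, which is also the limitation of any fixed window against a slow, distributed guesser. The detection is a compensating control: the underlying fix for the weakness Xor.DDoS exploits is sshd's `PermitRootLogin no` and `PasswordAuthentication no` (key-based access for an unprivileged account), after which the "Accepted password for root" event can never appear.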

The actions Cisco took are technical in nature and contrast with Microsoft's legal takedowns targeting numerous botnets. However, the details Cisco gleaned may give others useful information with which to pursue Angler, be it through criminal or civil charges or through similar technical blockades.

Cisco noted that its actions focused on updating its products to prevent customers from being redirected to Angler proxy servers; releasing updated rules for the Snort intrusion prevention system, which will also reach its open source users; and contacting affected hosting providers to shut down malicious servers.

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts