​Cisco: notorious hackers using Linux cloak earn $30m a year

A new Cisco report could, with further help, put a dint in a lucrative ransomware operation and one of the most notorious rental hacking services on the web.

The Angler exploit kit (EK) is often the first of EK to integrate new flaws in Adobe Flash Player into its automated hacking kit. That tool is sold to cybercrime gangs, which benefit from Angler’s exploits for mostly browsers and browser plugins. It’s aimed at anyone with crimeware, such as banking credential stealers or ransomware, that don’t have the time or skill to develop and maintain their own database of software exploits.

Cisco’s Talos security unit now claims to have discovered key details about how Angler operates, the services it relies on to maintain availability, and the revenues it’s capable of generating.

The conclusions drawn by Cisco are based on a 13 hour window into single server from which it observed 90,000 unique IP addresses that were being served at least one of the Angler EK’s attack pages. It's observations also appear to be of a customer that used Angler rather than the operators of the EK itself.

"By analyzing the behavior of just one node delivering Angler as well as a server monitoring these systems, Talos can reliably say that one threat actor was responsible for up to half of the Angler activity that we’ve observed globally. This malicious network generates approximately more than $30 million annually," Cisco said.

Though it’s only a half-day glimpse into a portion of the Angler operation, Cisco's research also sheds light on an advanced cybercrime group that so far has evaded law enforcement despite being the purveyor of one of the most prolific hacking tools on the web.

The Angler EK has on occasion included exploits for Flash Player before Adobe released a patch for them, such as happened after files leaked from Hacking Team, and is often the first cybercrime kit to include Flash bugs once they become public.

One interesting feature of Angler’s operations is that it has a “health monitoring server” that gathers information about hosts that are under attack and removes evidence of that collection once the process is complete. The health server Cisco gained visibility to was also seen observing 147 other “proxy” servers whose purpose was to redirect victims to attack pages hosting actual exploits.

Cisco teamed up with Level 3 Threat Research Labs, OpenDNS and hosting firm Limestone Networks for its investigation.

Limestone Networks provided access to servers used by Angler, revealing how the group manages to distance itself from actual infections of end user devices.

“Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity,” Cisco noted.

Not surprisingly, Linux servers featured in Angler’s operation, however Cisco found that servers running a Linux image with the widely-used ngnix web server play a very specific role — namely to disguise the source of an infection.

“When looking at the nginx configuration file … the most significant finding is that the servers that are seen compromising users are simply proxies to hosts that are serving the malicious activity,” Cisco noted.

This design will help Angler in the event that someone attempts to take down the server that appears to be the source of an exploit as well as providing a central point to instruct those severs when they come into contact with potential targets.

Cisco notes that Linux servers were being managed remotely via SSH using root, adding that they were likely compromised systems in Europe and Asia.

In an unrelated report last week Akamai networks drew attention to Linux malware known as Xor.DDoS that attempts to brute force SSH login credentials for the root user of a Linux system.

The actions Cisco took are technical in nature and contrast to Microsoft’s legal technical takedowns targets at numerous botnets. However the details Cisco gleaned may provide useful information for others to pursue Angler, be it through criminal or civil charges, or similar technical blockades.

Cisco’s noted its actions focussed on updating products to prevent customers from being redirected to Angler proxy servers; updated rules to the Snort intrusion prevention system, which will also reach its open source users; as well as contacting affecting hosting providers to shut down malicious servers.


Blast from the past?

Try our new Space Invaders inspired video game NOW.

Read more: Endpoint protection pitched as alternative for unpatchable EOL Windows systems

What score can you get ?


Join the CSO newsletter!

Error: Please check your email address.

Tags hackersdatabaseOpenDNS​Ciscoexploit kit (EK)Angler EKThreat Research LabssoftwareCisco reportAkamai networksLinux cloakAdobe Flash playerransomwarecrimewareCSO Australiacybercrimehacking services

More about CiscoLinuxMicrosoftSSHXor

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts