Cisco hooks Angler Exploit Kit infrastructure
Shares intelligence widely
Security researchers at Cisco have struck a blow against crooks behind the notorious Angler Exploit Kit, blocking or re-routing access around dangerous domains on the interwebs.
Angler has been linked to high-profile malvertising and ransomware campaigns over recent months. The utility uses software vulnerabilities (in browsers, Adobe Flash, etc.) to squirt malware onto the machines of surfers that stray onto websites hosting Angler. Dangerous sites can be either compromised legitimate websites or hacker-controlled domains.
After identifying and analyzing the Angler Exploit Kit activity associated with cybercrime gangs, researchers at Cisco found that an "inordinate number of proxy servers" used by Angler were located on servers hosted by Limestone Networks. The biggest abuser of its systems was targeting up to 90,000 victims a day, according to the Cisco Talos Security Intelligence and Research Group. These abusive servers are now being weeded out, with Limestone Networks on board in tackling the problem.
Cisco gained additional visibility into the global activity of the network through its ongoing collaboration with Level 3 Threat Research Labs. Collaboration with OpenDNS, a recent Cisco acquisition, allowed Team Talos researchers to map domain activity associated with the hackers.
This combined intelligence allowed Cisco to update its products to stop redirects to the Angler proxy servers, erecting a safety barrier for the networking giant's customers in the process. In addition, Cisco has published details of the communications mechanisms, including protocols, so that other vendors can protect themselves and their customers. This latter effort includes updated Angler-related rules for Snort, the popular open source intrusion detection tool. Commercial versions of Snort are developed by Sourcefire, a firm Cisco borged two years ago.
Finally, Cisco is also publishing indicators of compromise (IoCs) so that corporate system defenders can analyze their own network activity and block access to remaining Angler-linked servers.
Technical details of how Cisco hooked Angler can be found in a blog post here. ®