Cisco Security Researchers Disrupt RIG Exploit Kit
The popular exploit kit, which enables attackers with packaged vulnerabilities to infect users, is still out there, but new efforts are helping curb its growth.

The RIG exploit kit is under attack, thanks to the efforts of Cisco's security research group. Among the most popular exploit kits, RIG enables attackers with packaged vulnerabilities to infect users. Cisco monitored the operations of the RIG exploit kit and discovered that two primary service providers out of Russia were hosting much of the operational infrastructure. Cisco contacted both service providers about the issues and got a mixed response. Webzilla, which was hosting a large amount of RIG-related traffic, responded positively and shut down the offending hosts. However, Eurobyte did not respond to Cisco's pleas and has not shut down any RIG traffic. "As servers were reported or shut down by Webzilla, hosts continued to pop up from Eurobyte's address space," Nick Biasini, a threat researcher in the Cisco Talos Security Intelligence and Research Group, told eWEEK. "This appears to still be the case." Cisco is not sitting idly by while Eurobyte continues to serve up RIG-related traffic, though. Eurobyte address space that is known to be hosting RIG-related traffic is now being blocked by Cisco across multiple Cisco technologies, including its Advanced Malware Protection (AMP) and OpenDNS services. According to OpenDNS' own analysis, there are approximately 25,000 domains hosted by Eurobyte that are associated with RIG.
Going a step further, Cisco has launched a new effort called Project Aspis to help report issues to service providers. Biasini explained that the project's name is derived from "aspis," a heavy wooden shield used in Ancient Greece.