Cisco Disrupts $30 Million Angler Exploit Ring

Cisco locates and helps shut down half of the Angler Exploit Kit activity. However, more work remains to be done.

Angler exploit kit

The Angler Exploit Kit is one of the most pervasive and impactful exploit kits in use today—that is, until Cisco helped to shut down a large number of Angler servers this week.

Cisco's Talos research group was able to identify a number of sources for Angler-related traffic that were impacting up to 90,000 victims a day and generating approximately $30 million in revenue per year for the attackers. Cisco contacted Limestone, which is the network operator where many of the Angler servers were located, to facilitate the takedown.

"Law enforcement did not have a role in the takedown," Nick Biasini, outreach engineer at Cisco, told eWEEK. "Limestone, to their credit, took these servers down and took action to help prevent them from infecting additional users."

At Limestone, Cisco found 147 proxy servers for the Angler Exploit Kit, which have been taken down. Overall, Cisco's research found Angler servers that were hosted at a variety of providers, with a disproportionate amount hosted at two providers: Limestone and Hetzner.

"We did contact Hetzner to notify them of the servers that were generating Angler activity," Biasini said.

The Limestone-related Angler activity was responsible for 38 percent of the observed Angler activity based on HTTP volume, and Hetzner was responsible for 37 percent, Biasini noted. With the Limestone servers for Angler now taken down, Cisco has seen the overall amount of Angler activity decline, he added.

"The fact that there was a single health monitoring server communicating with 147 Angler proxy servers indicates this was a single group," Biasini said.

Cisco used a number of techniques and technologies to isolate and identify the Angler servers, including making use of OpenDNS. Cisco acquired OpenDNS for $635 million this past June.

"OpenDNS provided us with excellent insight into the domain activity associated with the IP space, allowing us to provide that data to the community," Biasini said.

Cisco has been aggressively researching Angler for much of 2015. In March, Cisco reported on a new Domain Shadowing attack vector being used in Angler that abused domain names in a bid to infect users. Angler is also making widespread use of known Flash exploits to infect users, according to Cisco's midyear 2015 security report.

Cisco isn't the only company that has been tracking Angler. Intel Security's McAfee Labs reported that Angler was the most widely used exploit kit in 2014.

While Cisco has now helped to strike a solid blow against Angler, more work remains to be done.

"We have multiple projects in the works, including some that deal with other aspects of Angler," Biasini said. "Stay tuned for details."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.