Cisco Security Researchers Disrupt RIG Exploit Kit

The popular exploit kit, which enables attackers with packaged vulnerabilities to infect users, is still out there, but new efforts are helping curb its growth.


The RIG exploit kit is under attack, thanks to the efforts of Cisco's security research group. Among the most popular exploit kits, RIG enables attackers with packaged vulnerabilities to infect users.

Cisco monitored the operations of the RIG exploit kit and discovered that two primary service providers out of Russia were hosting much of the operational infrastructure. Cisco contacted both service providers about the issues and got a mixed response. Webzilla, which was hosting a large volume of RIG-related traffic, responded positively and shut down the offending hosts. However, Eurobyte did not respond to Cisco's pleas and has not shut down any RIG traffic.

"As servers were reported or shut down by Webzilla, hosts continued to pop up from Eurobyte's address space," Nick Biasini, a threat researcher in the Cisco Talos Security Intelligence and Research Group, told eWEEK. "This appears to still be the case."

Cisco is not sitting idly by while Eurobyte continues to serve up RIG-related traffic, though. Eurobyte address space that is known to be hosting RIG-related traffic is now being blocked by Cisco across multiple Cisco technologies, including its Advanced Malware Protection (AMP) and OpenDNS services. According to OpenDNS' own analysis, there are approximately 25,000 domains hosted by Eurobyte that are associated with RIG.

Going a step further, Cisco has launched a new effort called Project Aspis to help report issues to service providers. Biasini explained that the project's name is derived from "aspis," a heavy wooden shield used in Ancient Greece.

"Cisco will do everything possible to encourage providers to remove threats from their network, including, in the case of Project Aspis, direct support," Biasini said. "Aspis is a way for providers to have a reliable and trusted resource, which helps them to protect their network and improve security of all users by providing intelligence that can be leveraged and shared publicly."

RIG isn't the first exploit kit ring that Cisco has disrupted. In October, Cisco helped to impede the operations of the Angler exploit ring, which was affecting up to 90,000 victims per day.

Beyond just trying to help shut down RIG, Cisco's Talos research group spent months learning how RIG works to infect users. Cisco has now published a comprehensive report on its findings about how RIG works. The primary exploit used by RIG is CVE-2015-5119, an Adobe Flash vulnerability that Adobe patched in July 2015. Cisco isn't the only group that has identified patched Flash vulnerabilities as RIG's primary exploit. A review of the RIG 3.0 exploit kit by Trustwave in August 2015 came to the same basic conclusion.

While Flash vulnerabilities are RIG's exploit of choice today, that might not be the case in the future, as the exploit kit will likely continue to develop over 2016.

"[RIG] will change and evolve like other exploit kits and will likely move away from Eurobyte to another provider or providers," Biasini said. "Additionally, as more browsers and users move away from Flash, the exploit kits are likely to follow that trend as well."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.