- October 27, 2015
- Info notes
In October 2015 Talos, Cisco's Security Intelligence and Research Group, released a statement on how they "struck a blow" to a group of cybercriminals by disrupting their revenue stream generated through the notorious Angler Exploit Kit's. According to Talos, the takedown was targeted at a threat actor that was responsible for almost half of all Angler Exploit Kit's activities, and was estimated to generate more than $30M annually by pushing ransomware onto unsuspecting victims.
The Angler exploit kit has been linked to several ransomware campaigns, including the widespread CryptoWall and TeslaCrypt, and is widely recognized as one of the most advanced exploit kits on the market. The importance of this takedown was not only due to the disruption of the cybercriminals' revenue stream, but also because of useful information that Talos were able to gather, analyse, and disseminate in their detailed report. As a result of this operation, the community got a rare opportunity to have an inside look at the infrastructure running these kind of campaigns. This information is important for security analysts and engineers who wish to protect their systems from such attacks.
Angler exploit kit
The takedown was managed by Cisco Systems' Talos security unit, which was researching the Angler Exploit kit. Angler is one of the most sophisticated exploit kits available in the highly competitive underground malware market. It boasts the ability to successfully infect an estimated 40% of the targeted end users by exploiting vulnerabilities in browsers and browser plugins. In some cases the kit exploited zero-day vulnerabilities. Talos presented an informative video which explains Angler's infrastructure, and demonstrates the use of angler to compromise a machine and install ransomware.
Angler is known to gather user information, and customise attacks based on the software versions being used. Most campaigns targeted users running old and unpatched versions of Adobe Flash and Internet Explorer. In fact, almost 75% of the exploits served through Angler were Adobe Flash related.
Talos mentioned that Angler was also being used to distribute different types of attacks. They identified a tool known as the Bedep downloader, which is malware that delivers additional payloads, as well as malware used in click fraud scams and a few instances of keyloggers.
The Angler infrastructure uses a proxy-server configuration. The malicious activity is served from a single exploit server through multiple proxy servers. The victims communicate with the proxy servers, and not directly with the exploit server, with the ability to route communications through different proxies. This approach complicates investigations thus protecting the infrastructure. There is also a health monitoring server that conducts health checks, and gathers information about the target machines.
During their investigation, Talos saw that a large percentage of infected end users were connecting to servers that were operated by the service provider Limestone Networks, who agreed to cooperate with Talos in order to take down the infrastructure. Through their investigation, they found a single "threat actor" that was targeting as many as 90k end users per day. They identified a single health server that was monitoring 147 proxy servers over the span of a month.
Talos sinkholed (redirected the domain to a controlled IP) the identified domains and shut down the proxy servers. With the collaboration of Limestone Networks, they obtained live disk images of the relevant servers which allowed them to better understand the underlying infrastructure.
Throughout the operation, collaboration played an essential role. Without the cooperation of Limestone networks, Talos would have had very limited visibility of, and access to the infrastructure. Additional visibility into the global activity of the network was provided thanks to their collaboration with Level 3 Threat Research Labs. Additionally, the collaboration with OpenDNS provided Talos with in-depth visibility into the domain activity associated with the attacks. OpenDNS also wrote an interesting blog entry about the takedown.
The health server was critical in the understanding of the scale of the campaign, and allowed Talos to put a realistic monetary value on the operation. This single operation was responsible for approximately half of the Angler activity and was estimated to generate $30M annually from ransomware infections alone, which would imply that the full scope of Angler activity could easily generated more than $60M annually.
15.000 unique sites pushed the exploit kit to unsuspecting visitors with more than 60 percent of the infections delivering either CryptoWall 3.0 or TeslaCrypt 2.0 ransomware. Interestingly, Talos noticed that several obituary webpages were targeted. They believe this was done as a means to target the elderly, who are more likely to use unpatched software and use IE which is the default Windows OS browser. Also, senior citizens are known to be susceptible to ransomware. According to a study conducted by the Stanford Center on Longevity and the FINRA Investor Education Foundation, in the US, people aged 65 and over are 34% more likely to have lost money on a financial scam than people in their 40s.
The $30M annual revenue estimate was obtained using the following facts, estimates, and calculations:
- In 1 day, Angler server served exploits to 9000 unique IP addresses
- 40% of users being served exploits by Angler are compromised
- Therefore in 1 day Angler server compromises 3600
- Health server was monitoring 147 Angler servers over 1 month
- This results in around 529.000 systems infected over 1 month
- 62% of Angler infections delivered Ransomware
- 2.9% of the victims paid the ransom (according to US-CERT quoting a Symantec study)
- Average ransom demand of $300
- This results in $3 Million a month
- >$30M annually
The numbers above are estimates, however they are based on realistic data.
The disruption of the operation responsible for half of Angler kit's activity is good news, and all actors in this operation deserve praise. This case demonstrated that cooperation amongst different actors with similar interests can go a long way. The right mix of factors such as knowledge, resources, jurisdiction, and strategic position can be extremely beneficial and more impactful than an independent entity operating on its own.
About "Suggested Reading" from ENISA
With the “Suggested Reading” series ENISA aims at giving the interested reader guidance on controversial and inscrutable NIS related discussions that are carried out in Media, by suggesting selected pre-reviewed articles that in our view explain the issue at hand and related circumstances in a reasonable and understandable manner. This view is derived from past experiences and common sense; in no way should “Suggested Reading” be understood as recommended course of action in a specific incident or investigation, or being a final conclusion. Feel free to get in touch with ENISA to discuss or inquire more information to the “Suggested Reading” series (email@example.com).