Russian ISP Eurobyte fails to answer Cisco’s emails, allows malvertising campaign to go on undisturbed. Cisco’s Talos research team has managed to identify and partially shut down a cyber-criminal group that is using the RIG exploit kit to infect users with all kinds of malware.
This particular group used a series of security vulnerabilities, but most of the time it relied on CVE-2015-5119, a flaw in Adobe Flash Player, which allowed it to compromise computers and later infect them with spambots.
Cisco reports that, in most cases, the main payload was the Tofsee spambot variant, which infected Windows machines via Internet Explorer.
Severe malvertising campaign uses RIG EK to infect users with spambots
Researchers say that most of the users infected through this particular RIG exploit kit campaign are redirected to the exploit kit's landing page by malicious ads and iframes embedded in legitimate and in compromised websites.
The campaign was extremely active during the past fall and used well over 7,000 different domain names and 44 IP addresses to spread its malware payloads.
43 of the 44 IPs led Cisco's security team back to a single ASN (Autonomous System Number), AS35415, registered in the US and Holland and later identified as belonging to the web hosting provider Webzilla.
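To illustrate the kind of infrastructure triage described above (thousands of throwaway domains resolving to a handful of IPs, almost all of them on one ASN), here is an added Python example; it is not code from the article or from Talos. The prefix table, AS numbers and sightings are constructed placeholders built on documentation address ranges and private-use AS numbers.

```python
import ipaddress
from collections import defaultdict

# Constructed lookup table: CIDR prefix -> (ASN, organisation). Private-use AS
# numbers (64500+) and documentation ranges are used; a real investigation
# would pull this from BGP routing data or WHOIS instead.
PREFIX_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), 64500, "Upstream host (leases blocks to resellers)"),
    (ipaddress.ip_network("203.0.113.0/25"), 64500, "Upstream host (leases blocks to resellers)"),
    (ipaddress.ip_network("203.0.113.128/25"), 64501, "Other host"),
]

def asn_for_ip(ip):
    """Longest-prefix match of an IP against the table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, org in PREFIX_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, org)
    return None if best is None else (best[1], best[2])

def summarize_by_asn(observations):
    """Group (domain, ip) sightings so each ASN lists the IPs and domains seen on it."""
    by_asn = defaultdict(lambda: {"org": None, "ips": set(), "domains": set()})
    for domain, ip in observations:
        hit = asn_for_ip(ip)
        key = hit[0] if hit else "unknown"
        entry = by_asn[key]
        entry["org"] = hit[1] if hit else "unknown"
        entry["ips"].add(ip)
        entry["domains"].add(domain)
    return dict(by_asn)

def dominant_asn(summary):
    """Return (asn, ips_on_that_asn, total_ips): the provider to contact first."""
    total = sum(len(e["ips"]) for e in summary.values())
    asn, entry = max(summary.items(), key=lambda kv: len(kv[1]["ips"]))
    return asn, len(entry["ips"]), total

# Constructed sightings: many throwaway domains pointing at a few IPs.
OBSERVATIONS = [
    ("ad-srv-01.example", "198.51.100.10"), ("ad-srv-02.example", "198.51.100.10"),
    ("cdn-x.example", "198.51.100.11"), ("cdn-y.example", "198.51.100.12"),
    ("land-1.example", "203.0.113.5"), ("land-2.example", "203.0.113.6"),
    ("land-3.example", "203.0.113.7"), ("stray.example", "203.0.113.200"),
]

if __name__ == "__main__":
    s = summarize_by_asn(OBSERVATIONS)
    asn, n, total = dominant_asn(s)
    print(f"AS{asn} ({s[asn]['org']}): {n} of {total} IPs, {len(s[asn]['domains'])} domains")
```

The concentration figure (here 6 of 7 IPs on one ASN) is what tells a responder which upstream provider to notify first, and the per-ASN domain list is what that provider needs to locate the leased block.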
Webzilla was very cooperative right from the get-go, and quickly identified the IP range as being part of an IP block leased to another ISP, Russia-based Eurobyte.
On the other hand, Eurobyte was totally unresponsive to Cisco’s emails, and after several failed attempts to have the RIG exploit kit campaign taken down, Cisco decided to go public with their findings.
Cisco and OpenDNS, a company the former recently acquired, also decided to blacklist the IPs for a month on their network. This measure only protects Cisco and OpenDNS customers, but, unfortunately, leaves all other users vulnerable to attacks.
Leaf ISP providers are a problem for security companies
“We were able to inflict some damage to RIG during our investigation, but were unable to actually get the actors behind the activity stopped,” Cisco Talos researchers say.
“This underscores one of the major problems we face today, leaf providers,” researchers also added. “As providers could have multiple downstream leaf providers, we find that we routinely have success in dealing with larger providers. These providers help get systems shut down, but without the cooperation of the smaller downstream providers the adversaries just stand up new servers and move on.”
In October 2015, Cisco's researchers also thwarted the activity of another group of cyber-criminals, responsible for 50% of all deployments of ransomware via the Angler exploit kit, who made around $34 million / €30 million from their activities.