By now most CISOs know that criminals as well as corporations are leveraging software-as-a-service. This week Check Point Software released a report looking at how the Nuclear exploit kit, which it says was one of the world’s largest attack infrastructures until it shut down recently amid exposure by security researchers at Check Point and Cisco Systems.
Cisco estimated attackers using Nuclear have been successfully targeting and compromising users in more than 10,000 different cities in more than 150 countries including Canada. Check Point last month Nuclear attacked close to 1,85 million machines around the world, with almost 10 per cent of them being infected.
As the Check Point report explains, Nuclear is rented to cybercriminals for a few thousand dollars a month. Researchers discovered it had 15 active control panels (so 15 attackers could be using it at a time) suggesting organizers — suspected to be in Russia — could have been pulling in US$100,000 a month.
In operation the service provider owns the master server, which controls the 15 attacker servers. Each attacker receives his own Nuclear control panel, where the campaign can be viewed and managed. Each server has a number of landing page servers. Unsuspecting users are directed to these compromised Website servers to be infected.
Internet service providers also have to take notice, because often they are unwitting hosts to malware as a service. Cisco researchers complied a list of around a dozen IPs that were hosting the Nuclear exploit kit. One of them helped with the take down on its servers and with data showing how the kit operates.