Talos continuously monitors the threat landscape, and exploit kits are one of its most rapidly evolving components. An ongoing goal of Talos is to expose and disrupt these kits in order to protect the average internet users who are being targeted and compromised by them. We were previously able to gain unprecedented insight into the Angler exploit kit and reveal details of its activity that were not known before. We have now focused our attention on the Nuclear exploit kit, with similar results.
The Nuclear exploit kit has been steadily compromising users for years and has been effective at evolving and adding new exploits to its arsenal. However, it has operated largely off the radar compared to some of the more prolific kits active today. This lack of visibility was one of the driving forces behind our in-depth investigation into its activity. What we found was a sophisticated threat that has been successfully targeting and compromising users in more than 10,000 different cities across more than 150 countries.
We continued digging through our data and wound up with a list of 10-15 IPs that were hosting the Nuclear EK. This allowed us to focus on the providers hosting the activity, and at this point the first key piece was identified: DigitalOcean. We were able to determine that practically all of the Nuclear activity we were tracking was being hosted on DigitalOcean infrastructure. Talos established contact with DigitalOcean and notified them of the activity and the details associated with the threat. DigitalOcean's security team validated the malicious nature of the hosts and collaborated with Talos during the takedown, providing valuable intel that helped expose how the kit operates.