Educause Security Discussion mailing list archives
Re: Cryptowall and Flash
From: Frank Barton <bartonf () HUSSON EDU>
Date: Wed, 15 Jul 2015 13:08:59 -0400
We're currently in the process of evaluating where we want to go with Adobe Flash player. Trying to decide if we want to continue to deal with the Update H**l that it has become, or if we want to face the slings and arrows that will come our way if we pull it from all machines. How have other institutions decided to go, specifically regarding this latest batch of vulnerabilities?

Thank You
Frank

On Mon, Jul 13, 2015 at 4:19 PM, Livio Ricciulli <livio () metaflows com> wrote:

Maybe we'll have better luck with version 18.. It would be good to monitor the Angler EK alerts no matter what..

On 07/13/2015 12:13 PM, H Morrow Long wrote:

Livio --

> This is a new exploit hitting fully patched Flash (version 17) released on 6/23. There might not be any available Flash patches for this new exploit.

There was a new Adobe Flash Player update released on July 8th -- https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

The Zero Day (on 7/7) exploit is currently in the wild on the Internet as many have not yet installed this patch.

- Morrow

On Mon, Jul 13, 2015 at 2:06 PM, Livio Ricciulli <livio () metaflows com> wrote:

Hello,

I wanted to alert you that we have seen several infections with Cryptowall. It appears that:

- This is a new exploit hitting fully patched Flash (version 17) released on 6/23. There might not be any available Flash patches for this new exploit.
- It seems that the source of the Flash exploit comes from the same host static.140.245.9.176.clients.your-server.de. It will probably not be the case in the near future.
- Look for Angler EK in your IDS alerts; it is a very significant red flag.

The Cryptowall is triggering the following ET Pro IDS alerts:

- snort-bad-unknown (27)
  - policy (4)
    - 1.2019401:ET POLICY Vulnerable Java Version 1.8.x Detected Extra Information (4)
  - trojan (23)
    - 1.2020822:ET TROJAN HTTP POST to WP Theme Directory Without Referer (23)
- snort-policy-violation/policy (1)
  - 1.2808413:ETPRO POLICY telize.com IP lookup (1)
- snort-trojan-activity (34)
  - emerging-trojan (24)
    - 1.2018452:ET TROJAN CryptoWall Check-in (24)
  - current_events (9)
    - 1.2021280:ET CURRENT_EVENTS Angler EK XTEA encrypted binary 16 M2 (1)
    - 1.2811284:ETPRO CURRENT_EVENTS Angler EK Flash Exploit M2 (1)
    - 1.2811526:ETPRO CURRENT_EVENTS Possible Angler EK Flash Exploit June 16 2015 M1 (1)
    - 1.2811529:ETPRO CURRENT_EVENTS Possible Angler EK Payload June 16 2015 M2 (1)
    - 1.2021360:ET CURRENT_EVENTS Angler EK XTEA encrypted binary 26 (1)
    - 1.2021338:ET CURRENT_EVENTS Possible Evil Redirector Leading to EK June 10 2015 (1)
    - 1.2811660:ETPRO CURRENT_EVENTS Angler EK Landing June 1 2015 (1)
    - 1.2811779:ETPRO CURRENT_EVENTS Angler EK Landing June 30 2015 M6 (1)
    - 1.2811528:ETPRO CURRENT_EVENTS Possible Angler EK Landing May 16 M2 (1)
  - policy (1)
    - 1.2020105:ET POLICY Possible IP Check ip-addr.es Extra Information (1)
- snort-shellcode-detect/emerging-shellcode (1)
  - 1.2013222:ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt (1)

We hope you find this information useful,
Livio.

--
Livio Ricciulli
MetaFlows Inc
w +1(408) 457-1895
m +1(408) 835-5005
-- Frank Barton ACMT IT Systems Administrator Husson University
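As an added example that is not part of the thread or of MetaFlows' tooling: a small Python triage script that parses Snort/Suricata fast.log alert lines, tallies hits per ET signature ID from Livio's list, and flags internal hosts where an Angler EK alert was followed by a CryptoWall check-in (the "Angler EK is a red flag" point above). The fast.log sample lines, the 10.0.0.0/8 home network and the endpoint ordering are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

FAST_LOG = re.compile(  # Snort/Suricata fast.log alert line: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)
# Constructed sample alerts (not real traffic); SIDs are the ones listed in the thread.
SAMPLE_LINES = """\
07/13/2015-12:01:05.103 [**] [1:2019401:4] ET POLICY Vulnerable Java Version 1.8.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:49150 -> 203.0.113.10:80
07/13/2015-12:01:07.215 [**] [1:2811660:2] ETPRO CURRENT_EVENTS Angler EK Landing June 1 2015 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.10:80 -> 10.0.0.5:49151
07/13/2015-12:01:09.880 [**] [1:2811284:3] ETPRO CURRENT_EVENTS Angler EK Flash Exploit M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.10:80 -> 10.0.0.5:49152
07/13/2015-12:01:31.004 [**] [1:2018452:9] ET TROJAN CryptoWall Check-in [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49160 -> 198.51.100.7:80
07/13/2015-12:02:10.442 [**] [1:2018452:9] ET TROJAN CryptoWall Check-in [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.9:50001 -> 198.51.100.7:80
""".splitlines()

# Angler EK landing/exploit/payload stages vs. the post-infection check-in, as named in the thread.
ANGLER_EK_SIDS = {2021280, 2811284, 2811526, 2811529, 2021360, 2021338, 2811660, 2811779, 2811528}
CRYPTOWALL_CHECKIN_SID = 2018452
HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the monitored campus network

def parse_fast_log(lines):
    """One dict per line matching the fast.log shape; non-matching lines are skipped."""
    matches = (FAST_LOG.match(line.strip()) for line in lines)
    return [dict(m.groupdict(), sid=int(m.group("sid"))) for m in matches if m]

def internal_host(alert):
    """Pick the HOME_NET endpoint: EK alerts fire on the server's response, check-ins on the client's POST."""
    for ip in (alert["src"], alert["dst"]):
        if ipaddress.ip_address(ip) in HOME_NET:
            return ip
    return None

def triage(alerts):
    """Count hits per SID and split internal hosts into those whose CryptoWall check-in
    followed an Angler EK alert (the chain described in the thread) and check-in-only hosts."""
    per_sid = Counter(a["sid"] for a in alerts)
    ek_hosts, chained, checkin_only = set(), [], []
    for a in alerts:  # fast.log is chronological, so order encodes the chain
        host = internal_host(a)
        if host is None:
            continue
        if a["sid"] in ANGLER_EK_SIDS:
            ek_hosts.add(host)
        elif a["sid"] == CRYPTOWALL_CHECKIN_SID:
            bucket = chained if host in ek_hosts else checkin_only
            if host not in bucket:
                bucket.append(host)
    return {"per_sid": per_sid, "ek_then_checkin": chained, "checkin_only": checkin_only}
```

A check-in-only host still needs a look, since the EK stage may have been missed or may have come from a different vector than Flash.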
Current thread:
- Cryptowall and Flash Livio Ricciulli (Jul 13)
- Re: Cryptowall and Flash H Morrow Long (Jul 13)
- Re: Cryptowall and Flash Livio Ricciulli (Jul 13)
- Re: Cryptowall and Flash Frank Barton (Jul 15)
- Re: Cryptowall and Flash Kevin Reedy (Jul 16)
- Re: Cryptowall and Flash Tevlin, Dave (Jul 16)
- Re: Cryptowall and Flash Livio Ricciulli (Jul 13)
- Re: Cryptowall and Flash H Morrow Long (Jul 13)
- Re: Cryptowall and Flash Ted Pham (Jul 13)