Re: Cryptowall and Flash

[Frank Barton <bartonf () HUSSON EDU>]

We're currently in the process of evaluating where we want to go with Adobe
Flash player. Trying to decide if we want to continue to deal with the
Update H**l that it has become, or if we want to face the slings and arrows
that will come our way if we pull it from all machines.

How have other institutions decided to go, specifically regarding this
latest batch of vulnerabilities?

Thank You
Frank

On Mon, Jul 13, 2015 at 4:19 PM, Livio Ricciulli <livio () metaflows com>
wrote:

>  Maybe we'll have better luck with version 18..
> It would be good to monitor the Angler EK alerts no matter what..
>
> On 07/13/2015 12:13 PM, H Morrow Long wrote:
>
> Livio --
>
>  >This is a new exploit hitting fully patched Flash (version 17) released
> on 6/23.
> > There might not be any available Flash patches for this new exploit.
>
>  There was a new Adobe Flash Player update released on July 8th --
> https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
> <http://redir.aspx?SURL=NAPDJbU1-Na4llN9iQy3qADgKcpXtx4A6dotQnUYpxLQu5e1tovSCGgAdAB0AHAAcwA6AC8ALwBoAGUAbABwAHgALgBhAGQAbwBiAGUALgBjAG8AbQAvAHMAZQBjAHUAcgBpAHQAeQAvAHAAcgBvAGQAdQBjAHQAcwAvAGYAbABhAHMAaAAtAHAAbABhAHkAZQByAC8AYQBwAHMAYgAxADUALQAxADYALgBoAHQAbQBsAA..&URL=https%3a%2f%2fhelpx.adobe.com%2fsecurity%2fproducts%2fflash-player%2fapsb15-16.html>
>
>  The Zero Day (on 7/7) exploit is currently in the wild on the Internet
> as many have not yet installed this patch.
>
>  - Morrow
>
>
>
> On Mon, Jul 13, 2015 at 2:06 PM, Livio Ricciulli <livio () metaflows com>
> wrote:
>
> >  [image: MetaFlows Logo]
> > *Evolve Your Network Security*
> >
> >     Hello, I wanted to alert you that we have seen several infections
> > with Cryptowall. It appears that:
> >
> >    - This is a new exploit hitting fully patched Flash (version 17)
> >    released on 6/23. There might not be any available Flash patches for this
> >    new exploit.
> >    - It seems that the source of the Flash exploit comes from the same
> >    host static.140.245.9.176.clients.your-server.de,
> >    
> > <https://urldefense.proofpoint.com/v2/url?u=https-3A__nsm.metaflows.com_sockets_historical.php-3Fw-3Dany-26p-3D1d-26hashT-3Dh1agg-26srca-3D139.182.96.115-23176.9.245.140&d=AwMCaQ&c=-dg2m7zWuuDZ0MUcV7Sdqw&r=fLmankr7CvzZarVeNVPoo8kyftZjAzLTx_VQwGbDDBY&m=DGcadbGqK91u1YeKCfaReH2KqJoradAIhhWOKXTIjrY&s=MU_Bn3p1lBP1ZCzsfs-FuIaLLWNYMkReQMkt_IkXID0&e=>It
> >    will probably not be the case in the near future.
> >    - Look for Angler EK in your IDS alerts; it is a very significant red
> >    flag.
> >
> >   The Cryptowall is triggering the following ET Pro IDS alerts:
> >
> >    - snort-bad-unknown (27)
> >       - policy (4)
> >          - 1.2019401:ET POLICY Vulnerable Java Version 1.8.x Detected Extra
> >          Information (4)
> >        - trojan (23)
> >          - 1.2020822:ET TROJAN HTTP POST to WP Theme Directory Without
> >          Referer (23)
> >         - snort-policy-violation/policy (1)
> >       - 1.2808413:ETPRO POLICY telize.com IP lookup (1)
> >     - snort-trojan-activity (34)
> >       - emerging-trojan (24)
> >          - 1.2018452:ET TROJAN CryptoWall Check-in (24)
> >        - current_events (9)
> >          - 1.2021280:ET CURRENT_EVENTS Angler EK XTEA encrypted binary
> >          16 M2 (1)
> >          - 1.2811284:ETPRO CURRENT_EVENTS Angler EK Flash Exploit M2 (1)
> >          - 1.2811526:ETPRO CURRENT_EVENTS Possible Angler EK Flash
> >          Exploit June 16 2015 M1 (1)
> >          - 1.2811529:ETPRO CURRENT_EVENTS Possible Angler EK Payload
> >          June 16 2015 M2 (1)
> >          - 1.2021360:ET CURRENT_EVENTS Angler EK XTEA encrypted binary
> >          26 (1)
> >          - 1.2021338:ET CURRENT_EVENTS Possible Evil Redirector Leading
> >          to EK June 10 2015 (1)
> >          - 1.2811660:ETPRO CURRENT_EVENTS Angler EK Landing June 1 2015
> >          (1)
> >          - 1.2811779:ETPRO CURRENT_EVENTS Angler EK Landing June 30 2015
> >          M6 (1)
> >          - 1.2811528:ETPRO CURRENT_EVENTS Possible Angler EK Landing May
> >          16 M2 (1)
> >        - policy (1)
> >          - 1.2020105:ET POLICY Possible IP Check ip-addr.es Extra
> >          Information (1)
> >         - snort-shellcode-detect/emerging-shellcode (1)
> >       - 1.2013222:ET SHELLCODE Excessive Use of HeapLib Objects Likely
> >       Malicious Heap Spray Attempt (1)
> >
> >   We hope you find this information useful,
> >
> > Livio.
> >
> >
> > --
> > Livio Ricciulli
> > MetaFlows Inc
> > w +1(408) 457-1895
> > m +1(408) 835-5005
>
>
> --
> Livio Ricciulli
> MetaFlows Inc
> w +1(408) 457-1895
> m +1(408) 835-5005


-- 
Frank Barton
ACMT
IT Systems Administrator
Husson University