Educause Security Discussion mailing list archives
Re: Cryptowall and Flash
From: Kevin Reedy <KReedy () EXCELSIOR EDU>
Date: Thu, 16 Jul 2015 09:48:18 -0400
Unfortunately for us, we deliver some of our online content in Flash still. We will need to migrate all of our offerings to HTML 5 before we are able to retire Flash for the institution. Now that both Chrome and Firefox are more or less blocking outdated versions of Flash, we just need Redmond to jump in and offer something similar. I'm not holding my breath for that.

-Kevin

Kevin Reedy
Executive Director, Information Security
Excelsior College
(518) 464-8720

From: Frank Barton <bartonf () HUSSON EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 07/15/2015 05:44 PM
Subject: Re: [SECURITY] Cryptowall and Flash
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>

We're currently in the process of evaluating where we want to go with Adobe Flash Player. Trying to decide if we want to continue to deal with the Update H**l that it has become, or if we want to face the slings and arrows that will come our way if we pull it from all machines.

How have other institutions decided to go, specifically regarding this latest batch of vulnerabilities?

Thank You
Frank

On Mon, Jul 13, 2015 at 4:19 PM, Livio Ricciulli <livio () metaflows com> wrote:

Maybe we'll have better luck with version 18.. It would be good to monitor the Angler EK alerts no matter what..

On 07/13/2015 12:13 PM, H Morrow Long wrote:

Livio --

> This is a new exploit hitting fully patched Flash (version 17) released on 6/23.
> There might not be any available Flash patches for this new exploit.

There was a new Adobe Flash Player update released on July 8th -- https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

The Zero Day (on 7/7) exploit is currently in the wild on the Internet as many have not yet installed this patch.

- Morrow

On Mon, Jul 13, 2015 at 2:06 PM, Livio Ricciulli <livio () metaflows com> wrote:

Hello,

I wanted to alert you that we have seen several infections with Cryptowall.
It appears that:

- This is a new exploit hitting fully patched Flash (version 17) released on 6/23.
- There might not be any available Flash patches for this new exploit.
- It seems that the source of the Flash exploit comes from the same host static.140.245.9.176.clients.your-server.de. It will probably not be the case in the near future.
- Look for Angler EK in your IDS alerts; it is a very significant red flag.

The Cryptowall is triggering the following ET Pro IDS alerts:

snort-bad-unknown (27)
  policy (4)
    1.2019401:ET POLICY Vulnerable Java Version 1.8.x Detected Extra Information (4)
  trojan (23)
    1.2020822:ET TROJAN HTTP POST to WP Theme Directory Without Referer (23)

snort-policy-violation/policy (1)
    1.2808413:ETPRO POLICY telize.com IP lookup (1)

snort-trojan-activity (34)
  emerging-trojan (24)
    1.2018452:ET TROJAN CryptoWall Check-in (24)
  current_events (9)
    1.2021280:ET CURRENT_EVENTS Angler EK XTEA encrypted binary 16 M2 (1)
    1.2811284:ETPRO CURRENT_EVENTS Angler EK Flash Exploit M2 (1)
    1.2811526:ETPRO CURRENT_EVENTS Possible Angler EK Flash Exploit June 16 2015 M1 (1)
    1.2811529:ETPRO CURRENT_EVENTS Possible Angler EK Payload June 16 2015 M2 (1)
    1.2021360:ET CURRENT_EVENTS Angler EK XTEA encrypted binary 26 (1)
    1.2021338:ET CURRENT_EVENTS Possible Evil Redirector Leading to EK June 10 2015 (1)
    1.2811660:ETPRO CURRENT_EVENTS Angler EK Landing June 1 2015 (1)
    1.2811779:ETPRO CURRENT_EVENTS Angler EK Landing June 30 2015 M6 (1)
    1.2811528:ETPRO CURRENT_EVENTS Possible Angler EK Landing May 16 M2 (1)
  policy (1)
    1.2020105:ET POLICY Possible IP Check ip-addr.es Extra Information (1)

snort-shellcode-detect/emerging-shellcode (1)
    1.2013222:ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt (1)

We hope you find this information useful,
Livio.
--
Livio Ricciulli
MetaFlows Inc
w +1(408) 457-1895
m +1(408) 835-5005

--
Frank Barton
ACMT
IT Systems Administrator
Husson University
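Livio's advice in the thread is to treat Angler EK signatures in IDS output as a red flag. As an added example (not code from the thread, from MetaFlows, or from Emerging Threats), this Python script parses alert summary lines in the `sid:message (count)` form quoted above, maps each signature name to an infection stage, and returns the deepest stage seen as a verdict; the stage keyword lists, the verdict wording and the sample lines are constructed assumptions for illustration.

```python
import re
from collections import Counter
# Constructed sample in the "sid:message (count)" form quoted in the thread
SAMPLE_ALERTS = """\
1.2019401:ET POLICY Vulnerable Java Version 1.8.x Detected Extra Information (4)
1.2018452:ET TROJAN CryptoWall Check-in (24)
1.2811284:ETPRO CURRENT_EVENTS Angler EK Flash Exploit M2 (1)
1.2811660:ETPRO CURRENT_EVENTS Angler EK Landing June 1 2015 (1)
1.2021280:ET CURRENT_EVENTS Angler EK XTEA encrypted binary 16 M2 (1)
1.2013222:ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt (1)
"""
LINE_RE = re.compile(r"^(?P<sid>\d+\.\d+):(?P<msg>.+?) \((?P<count>\d+)\)$")

# Infection stage implied by a signature name (substring match), shallow to deep.
# Assumption: these keyword lists are illustrative, not the official ET rule taxonomy.
STAGE_RULES = [
    ("landing", ("Angler EK Landing", "Evil Redirector")),
    ("exploit", ("Flash Exploit", "Heap Spray")),
    ("payload", ("encrypted binary", "Angler EK Payload")),
    ("checkin", ("CryptoWall Check-in",)),
]
VERDICTS = {
    None: "no EK chain indicators",
    "landing": "exposure: EK landing page contacted",
    "exploit": "likely compromised: exploit stage seen",
    "payload": "likely compromised: payload delivered",
    "checkin": "infected: ransomware check-in traffic observed",
}
ORDER = [stage for stage, _ in STAGE_RULES]

def parse_alerts(text):
    # Return (sid, message, count) for each well-formed line; skip anything else.
    parsed = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            parsed.append((m["sid"], m["msg"], int(m["count"])))
    return parsed

def triage(text):
    # Sum alert counts per stage; the verdict follows the deepest stage observed.
    stages = Counter()
    for _sid, msg, count in parse_alerts(text):
        for stage, needles in STAGE_RULES:
            if any(needle in msg for needle in needles):
                stages[stage] += count
                break
    deepest = max(stages, key=ORDER.index, default=None)
    return dict(stages), VERDICTS[deepest]
```

Signatures that do not belong to the exploit-kit chain (such as the Java version policy alert) are parsed but contribute nothing to the verdict, so the script separates the red flag Livio describes from routine policy noise.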