Educause Security Discussion mailing list archives

Re: Cryptowall and Flash


From: Kevin Reedy <KReedy () EXCELSIOR EDU>
Date: Thu, 16 Jul 2015 09:48:18 -0400

Unfortunately for us, we deliver some of our online content in Flash still.
We will need to migrate all of our offerings to HTML 5 before we are able
to retire Flash for the institution.

Now that both Chrome and Firefox are more or less blocking outdated
versions of Flash, we just need Redmond to jump in and offer something
similar.  I'm not holding my breath for that.

-Kevin

Kevin Reedy
Executive Director, Information Security
Excelsior College
(518) 464-8720



From:   Frank Barton <bartonf () HUSSON EDU>
To:     SECURITY () LISTSERV EDUCAUSE EDU,
Date:   07/15/2015 05:44 PM
Subject:        Re: [SECURITY] Cryptowall and Flash
Sent by:        The EDUCAUSE Security Constituent Group Listserv
            <SECURITY () LISTSERV EDUCAUSE EDU>



We're currently in the process of evaluating where we want to go with Adobe
Flash player. Trying to decide if we want to continue to deal with the
Update H**l that it has become, or if we want to face the slings and arrows
that will come our way if we pull it from all machines.

How have other institutions decided to go, specifically regarding this
latest batch of vulnerabilities?

Thank You
Frank

On Mon, Jul 13, 2015 at 4:19 PM, Livio Ricciulli <livio () metaflows com>
wrote:
  Maybe we'll have better luck with version 18..
  It would be good to monitor the Angler EK alerts no matter what..

  On 07/13/2015 12:13 PM, H Morrow Long wrote:
        Livio --

        > This is a new exploit hitting fully patched Flash (version 17)
        > released on 6/23.
        > There might not be any available Flash patches for this new
        > exploit.

        There was a new Adobe Flash Player update released on July 8th --
        https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

        The Zero Day (on 7/7) exploit is currently in the wild on the
        Internet as many have not yet installed this patch.

        - Morrow



        On Mon, Jul 13, 2015 at 2:06 PM, Livio Ricciulli <
        livio () metaflows com> wrote:
         Hello, I wanted to alert you that we have seen several infections with Cryptowall. It appears
         that:

         - This is a new exploit hitting fully patched Flash (version 17) released on 6/23. There
           might not be any available Flash patches for this new exploit.
         - It seems that the source of the Flash exploit comes from the same host
           static.140.245.9.176.clients.your-server.de. It will probably not be the case in the
           near future.
         - Look for Angler EK in your IDS alerts; it is a very significant red flag.

         The Cryptowall is triggering the following ET Pro IDS alerts:

               snort-bad-unknown (27)
                     policy (4)
                           1.2019401:ET POLICY Vulnerable Java Version 1.8.x Detected Extra Information (4)
                     trojan (23)
                           1.2020822:ET TROJAN HTTP POST to WP Theme Directory Without Referer (23)
               snort-policy-violation/policy (1)
                     1.2808413:ETPRO POLICY telize.com IP lookup (1)
               snort-trojan-activity (34)
                     emerging-trojan (24)
                           1.2018452:ET TROJAN CryptoWall Check-in (24)
                     current_events (9)
                           1.2021280:ET CURRENT_EVENTS Angler EK XTEA encrypted binary 16 M2 (1)
                           1.2811284:ETPRO CURRENT_EVENTS Angler EK Flash Exploit M2 (1)
                           1.2811526:ETPRO CURRENT_EVENTS Possible Angler EK Flash Exploit June 16 2015 M1 (1)
                           1.2811529:ETPRO CURRENT_EVENTS Possible Angler EK Payload June 16 2015 M2 (1)
                           1.2021360:ET CURRENT_EVENTS Angler EK XTEA encrypted binary 26 (1)
                           1.2021338:ET CURRENT_EVENTS Possible Evil Redirector Leading to EK June 10 2015 (1)
                           1.2811660:ETPRO CURRENT_EVENTS Angler EK Landing June 1 2015 (1)
                           1.2811779:ETPRO CURRENT_EVENTS Angler EK Landing June 30 2015 M6 (1)
                           1.2811528:ETPRO CURRENT_EVENTS Possible Angler EK Landing May 16 M2 (1)
                     policy (1)
                           1.2020105:ET POLICY Possible IP Check ip-addr.es Extra Information (1)
               snort-shellcode-detect/emerging-shellcode (1)
                     1.2013222:ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt (1)

         We hope you find this information useful,

         Livio.




         --
         Livio Ricciulli
         MetaFlows Inc
         w +1(408) 457-1895
         m +1(408) 835-5005



  --
  Livio Ricciulli
  MetaFlows Inc
  w +1(408) 457-1895
  m +1(408) 835-5005



--
Frank Barton
ACMT
IT Systems Administrator
Husson University


This message and any attachments contain confidential  Excelsior College information intended for the specific 
individual and purpose. If you are not the intended recipient, you should notify the College and delete this message. 
Any disclosure, copying, distribution or inappropriate use of this message is strictly prohibited.
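The alert list in the MetaFlows message is most useful when the individual Angler EK and CryptoWall signatures are correlated per internal host rather than read one at a time: a landing-page hit alone is a near miss, a landing hit followed by the Flash exploit, the XTEA-encrypted binary and then a CryptoWall check-in is an infected machine that needs to come off the network. The script below is an added example, not code from MetaFlows, Emerging Threats or anyone on the list. It assumes Suricata/Snort "fast" alert log lines; the SIDs are taken from the alert list above, but the stage ordering, the verdict labels, the 10.x internal range and the sample log lines (using RFC 5737 documentation addresses) are all my own constructions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Suricata/Snort "fast" one-line alert format. The format is real; this regex is mine.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# SIDs from the ET/ETPRO list in the MetaFlows message, mapped to the stage of the
# Angler EK -> CryptoWall chain they indicate. The stage ranks are my ordering;
# policy/info rules (e.g. 2019401 vulnerable Java) are deliberately left out.
STAGES = {
    2811528: ("landing", 1),
    2811660: ("landing", 1),
    2811779: ("landing", 1),
    2811284: ("flash_exploit", 2),
    2811526: ("flash_exploit", 2),
    2013222: ("heap_spray", 2),
    2021280: ("xtea_binary", 3),
    2021360: ("xtea_binary", 3),
    2018452: ("cryptowall_checkin", 4),
}
VERDICT = {0: "no_ek_activity", 1: "landing_only", 2: "exploit_attempted",
           3: "payload_delivered", 4: "cryptowall_checkin"}
INTERNAL_PREFIXES = ("10.",)  # assumption: the campus client range

# Constructed sample fast.log lines (not real traffic): one host walks the whole
# chain, a second host only reaches the landing page plus an unrelated policy alert.
SAMPLE_FAST_LOG = """\
07/13/2015-11:58:02.104221  [**] [1:2019401:4] ET POLICY Vulnerable Java Version 1.8.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.20.30.41:51012 -> 203.0.113.5:80
07/13/2015-12:01:05.201133  [**] [1:2811660:2] ETPRO CURRENT_EVENTS Angler EK Landing June 1 2015 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.20.30.40:49152 -> 203.0.113.10:80
07/13/2015-12:01:07.330912  [**] [1:2811284:3] ETPRO CURRENT_EVENTS Angler EK Flash Exploit M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.20.30.40:49153 -> 203.0.113.10:80
07/13/2015-12:01:09.812744  [**] [1:2021280:5] ET CURRENT_EVENTS Angler EK XTEA encrypted binary 16 M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.20.30.40:49154 -> 203.0.113.10:80
07/13/2015-12:02:41.000512  [**] [1:2018452:7] ET TROJAN CryptoWall Check-in [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.20.30.40:49160 -> 198.51.100.77:80
07/13/2015-12:05:13.554000  [**] [1:2811779:1] ETPRO CURRENT_EVENTS Angler EK Landing June 30 2015 M6 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.20.30.41:51020 -> 203.0.113.10:80
"""


def parse_fast_log(lines):
    """Parse fast.log lines into dicts; lines that do not match the format are skipped."""
    alerts = []
    for line in lines:
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["sid"] = int(a["sid"])
        a["ts"] = datetime.strptime(a["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        alerts.append(a)
    return alerts


def internal_host(alert):
    """Return the victim side of the flow: whichever endpoint is in internal space."""
    for ip in (alert["src"], alert["dst"]):
        if ip.startswith(INTERNAL_PREFIXES):
            return ip
    return None


def correlate(alerts):
    """Group chain-relevant alerts per internal host and rank how far the chain got."""
    hosts = defaultdict(lambda: {"stages": set(), "max_stage": 0,
                                 "first": None, "last": None, "ext": set()})
    for a in sorted(alerts, key=lambda x: x["ts"]):
        stage = STAGES.get(a["sid"])
        if stage is None:
            continue  # policy noise or a rule outside the EK chain
        host = internal_host(a)
        if host is None:
            continue  # neither side is ours; nothing to triage
        h = hosts[host]
        name, rank = stage
        h["stages"].add(name)
        h["max_stage"] = max(h["max_stage"], rank)
        h["first"] = h["first"] or a["ts"]
        h["last"] = a["ts"]
        h["ext"].add(a["dst"] if a["dst"] != host else a["src"])
    return {host: dict(h, verdict=VERDICT[h["max_stage"]]) for host, h in hosts.items()}


def triage_report(lines):
    """(host, verdict, external peers) tuples, worst first, for the helpdesk queue."""
    summary = correlate(parse_fast_log(lines))
    ranked = sorted(summary.items(), key=lambda kv: kv[1]["max_stage"], reverse=True)
    return [(host, h["verdict"], sorted(h["ext"])) for host, h in ranked]


if __name__ == "__main__":
    for host, verdict, peers in triage_report(SAMPLE_FAST_LOG.splitlines()):
        print(f"{host:15} {verdict:20} peers={','.join(peers)}")
```

Run against a real fast.log the same way (`triage_report(open("/var/log/suricata/fast.log"))`); the external peer set is what you feed to your web proxy or firewall block list, and a host at the `cryptowall_checkin` stage should be isolated before you touch its filesystem, since the check-in typically precedes the bulk encryption.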

