Re: Cryptowall and Flash

["Tevlin, Dave" <dtevlin () VISI ORG>]

Kevin,

IE 10 and 11 both auto-update Flash. For our install base we are rolling
out MS EMET 5.2 (and newer versions as released) that helps to mitigate
some of the zero-day flaws in Flash as well as Java. We beta tested this
with our admin team last school year.

EMET is also a must install for those few applications that require
specific versions of Java in order to run; like all our HVAC control
systems.

What irks me is why VMware choose Flash to use that for their Admin
interface despite the fact that they built out an HTML 5 interface for
their new EVO:Rail product.

Dave Tevlin
Network/ Systems Administrator
Georgetown Visitation Prep School

On Thu, Jul 16, 2015 at 9:48 AM, Kevin Reedy <KReedy () excelsior edu> wrote:

> Unfortunately for us, we deliver some of our online content in Flash still.
> We will need to migrate all of our offerings to HTML 5 before we are able
> to retire Flash for the institution.
>
> Now that both Chrome and Firefox are more or less blocking outdated
> versions of flash we just need Redmond to jump in and offer something
> similar.  I'm not holding my breath for that.
>
> -Kevin
>
> Kevin Reedy
> Executive Director, Information Security
> Excelsior College
> (518) 464-8720
>
>
>
> From:   Frank Barton <bartonf () HUSSON EDU>
> To:     SECURITY () LISTSERV EDUCAUSE EDU,
> Date:   07/15/2015 05:44 PM
> Subject:        Re: [SECURITY] Cryptowall and Flash
> Sent by:        The EDUCAUSE Security Constituent Group Listserv
>             <SECURITY () LISTSERV EDUCAUSE EDU>
>
>
>
> We're currently in the process of evaluating where we want to go with Adobe
> Flash player. Trying to decide if we want to continue to deal with the
> Update H**l that it has become, or if we want to face the slings and arrows
> that will come our way if we pull it from all machines.
>
> How have other institutions decided to go, specifically regarding this
> latest batch of vulnerabilities?
>
> Thank You
> Frank
>
> On Mon, Jul 13, 2015 at 4:19 PM, Livio Ricciulli <livio () metaflows com>
> wrote:
>   Maybe we'll have better luck with version 18..
>   It would be good to monitor the Angler EK alerts no matter what..
>
>   On 07/13/2015 12:13 PM, H Morrow Long wrote:
>         Livio --
>
>         >This is a new exploit hitting fully patched Flash (version 17)
>         released on 6/23.
>         >There might not be any available Flash patches for this new
>         exploit.
>
>         There was a new Adobe Flash Player update released on July 8th --
>
> https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
>
>         The Zero Day (on 7/7) exploit is currently in the wild on the
>         Internet as many have not yet installed this patch.
>
>         - Morrow
>
>
>
>         On Mon, Jul 13, 2015 at 2:06 PM, Livio Ricciulli <
>         livio () metaflows com> wrote:
>          MetaFlows Logo
>          Evolve Your Network Security
>
>  Hello, I wanted to alert you that we have seen several infections with
> Cryptowall. It appears
>  that:
>        This is a new exploit hitting fully patched Flash (version 17)
> released on 6/23. There
>        might not be any available Flash patches for this new exploit.
>        It seems that the source of the Flash exploit comes from the same
> host
>        static.140.245.9.176.clients.your-server.de, It will probably not
> be the case in the
>        near future.
>        Look for Angler EK in your IDS alerts; it is a very significant red
> flag.
>
>  The Cryptowall is triggering the following ET Pro IDS alerts:
>        snort-bad-unknown (27)
>              policy (4)
>                    1.2019401:ET POLICY Vulnerable Java Version 1.8.x
> Detected Extra Information
>                    (4)
>              trojan (23)
>                    1.2020822:ET TROJAN HTTP POST to WP Theme Directory
> Without Referer (23)
>        snort-policy-violation/policy (1)
>              1.2808413:ETPRO POLICY telize.com IP lookup (1)
>        snort-trojan-activity (34)
>              emerging-trojan (24)
>                    1.2018452:ET TROJAN CryptoWall Check-in (24)
>              current_events (9)
>                    1.2021280:ET CURRENT_EVENTS Angler EK XTEA encrypted
> binary 16 M2 (1)
>                    1.2811284:ETPRO CURRENT_EVENTS Angler EK Flash Exploit
> M2 (1)
>                    1.2811526:ETPRO CURRENT_EVENTS Possible Angler EK Flash
> Exploit June 16 2015
>                    M1 (1)
>                    1.2811529:ETPRO CURRENT_EVENTS Possible Angler EK
> Payload June 16 2015 M2
>                    (1)
>                    1.2021360:ET CURRENT_EVENTS Angler EK XTEA encrypted
> binary 26 (1)
>                    1.2021338:ET CURRENT_EVENTS Possible Evil Redirector
> Leading to EK June 10
>                    2015 (1)
>                    1.2811660:ETPRO CURRENT_EVENTS Angler EK Landing June 1
> 2015 (1)
>                    1.2811779:ETPRO CURRENT_EVENTS Angler EK Landing June
> 30 2015 M6 (1)
>                    1.2811528:ETPRO CURRENT_EVENTS Possible Angler EK
> Landing May 16 M2 (1)
>              policy (1)
>                    1.2020105:ET POLICY Possible IP Check ip-addr.es Extra
> Information (1)
>        snort-shellcode-detect/emerging-shellcode (1)
>              1.2013222:ET SHELLCODE Excessive Use of HeapLib Objects
> Likely Malicious Heap
>              Spray Attempt (1)
>
>  We hope you find this information useful,
>
>  Livio.
>
>
>
>
>
>          --
>          Livio Ricciulli
>          MetaFlows Inc
>          w +1(408) 457-1895
>          m +1(408) 835-5005
>
>
>
>   --
>   Livio Ricciulli
>   MetaFlows Inc
>   w +1(408) 457-1895
>   m +1(408) 835-5005
>
>
>
> --
> Frank Barton
> ACMT
> IT Systems Administrator
> Husson University
>
>
> This message and any attachments contain confidential  Excelsior College
> information intended for the specific individual and purpose. If you are
> not the intended recipient, you should notify the College and delete this
> message. Any disclosure, copying, distribution or inappropriate use of this
> message is strictly prohibited.