Re: Cryptowall and Flash

[H Morrow Long <morrow.long () YALE EDU>]

Livio --

> This is a new exploit hitting fully patched Flash (version 17) released on
6/23.
> There might not be any available Flash patches for this new exploit.

There was a new Adobe Flash Player update released on July 8th --
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
<redir.aspx?SURL=NAPDJbU1-Na4llN9iQy3qADgKcpXtx4A6dotQnUYpxLQu5e1tovSCGgAdAB0AHAAcwA6AC8ALwBoAGUAbABwAHgALgBhAGQAbwBiAGUALgBjAG8AbQAvAHMAZQBjAHUAcgBpAHQAeQAvAHAAcgBvAGQAdQBjAHQAcwAvAGYAbABhAHMAaAAtAHAAbABhAHkAZQByAC8AYQBwAHMAYgAxADUALQAxADYALgBoAHQAbQBsAA..&URL=https%3a%2f%2fhelpx.adobe.com%2fsecurity%2fproducts%2fflash-player%2fapsb15-16.html>

The Zero Day (on 7/7) exploit is currently in the wild on the Internet as
many have not yet installed this patch.

- Morrow



On Mon, Jul 13, 2015 at 2:06 PM, Livio Ricciulli <livio () metaflows com>
wrote:

>  [image: MetaFlows Logo]
> *Evolve Your Network Security*
>
>    Hello, I wanted to alert you that we have seen several infections with
> Cryptowall. It appears that:
>
>    - This is a new exploit hitting fully patched Flash (version 17)
>    released on 6/23. There might not be any available Flash patches for this
>    new exploit.
>    - It seems that the source of the Flash exploit comes from the same
>    host static.140.245.9.176.clients.your-server.de,
>    
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__nsm.metaflows.com_sockets_historical.php-3Fw-3Dany-26p-3D1d-26hashT-3Dh1agg-26srca-3D139.182.96.115-23176.9.245.140&d=AwMCaQ&c=-dg2m7zWuuDZ0MUcV7Sdqw&r=fLmankr7CvzZarVeNVPoo8kyftZjAzLTx_VQwGbDDBY&m=DGcadbGqK91u1YeKCfaReH2KqJoradAIhhWOKXTIjrY&s=MU_Bn3p1lBP1ZCzsfs-FuIaLLWNYMkReQMkt_IkXID0&e=>It
>    will probably not be the case in the near future.
>    - Look for Angler EK in your IDS alerts; it is a very significant red
>    flag.
>
>   The Cryptowall is triggering the following ET Pro IDS alerts:
>
>    - snort-bad-unknown (27)
>       - policy (4)
>          - 1.2019401:ET POLICY Vulnerable Java Version 1.8.x Detected Extra
>          Information (4)
>        - trojan (23)
>          - 1.2020822:ET TROJAN HTTP POST to WP Theme Directory Without
>          Referer (23)
>         - snort-policy-violation/policy (1)
>       - 1.2808413:ETPRO POLICY telize.com IP lookup (1)
>     - snort-trojan-activity (34)
>       - emerging-trojan (24)
>          - 1.2018452:ET TROJAN CryptoWall Check-in (24)
>        - current_events (9)
>          - 1.2021280:ET CURRENT_EVENTS Angler EK XTEA encrypted binary 16
>          M2 (1)
>          - 1.2811284:ETPRO CURRENT_EVENTS Angler EK Flash Exploit M2 (1)
>          - 1.2811526:ETPRO CURRENT_EVENTS Possible Angler EK Flash
>          Exploit June 16 2015 M1 (1)
>          - 1.2811529:ETPRO CURRENT_EVENTS Possible Angler EK Payload June
>          16 2015 M2 (1)
>          - 1.2021360:ET CURRENT_EVENTS Angler EK XTEA encrypted binary 26
>          (1)
>          - 1.2021338:ET CURRENT_EVENTS Possible Evil Redirector Leading
>          to EK June 10 2015 (1)
>          - 1.2811660:ETPRO CURRENT_EVENTS Angler EK Landing June 1 2015
>          (1)
>          - 1.2811779:ETPRO CURRENT_EVENTS Angler EK Landing June 30 2015
>          M6 (1)
>          - 1.2811528:ETPRO CURRENT_EVENTS Possible Angler EK Landing May
>          16 M2 (1)
>        - policy (1)
>          - 1.2020105:ET POLICY Possible IP Check ip-addr.es Extra
>          Information (1)
>         - snort-shellcode-detect/emerging-shellcode (1)
>       - 1.2013222:ET SHELLCODE Excessive Use of HeapLib Objects Likely
>       Malicious Heap Spray Attempt (1)
>
>   We hope you find this information useful,
>
> Livio.
>
>
> --
> Livio Ricciulli
> MetaFlows Inc
> w +1(408) 457-1895
> m +1(408) 835-5005