Educause Security Discussion mailing list archives
Re: Cryptowall and Flash
From: H Morrow Long <morrow.long () YALE EDU>
Date: Mon, 13 Jul 2015 15:13:05 -0400
Livio --
This is a new exploit hitting fully patched Flash (version 17) released on
6/23.
There might not be any available Flash patches for this new exploit.
There was a new Adobe Flash Player update released on July 8th -- https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
The Zero Day (on 7/7) exploit is currently in the wild on the Internet as many have not yet installed this patch.
- Morrow

On Mon, Jul 13, 2015 at 2:06 PM, Livio Ricciulli <livio () metaflows com> wrote:
Hello,
I wanted to alert you that we have seen several infections with Cryptowall. It appears that:
- This is a new exploit hitting fully patched Flash (version 17) released on 6/23. There might not be any available Flash patches for this new exploit.
- It seems that the source of the Flash exploit comes from the same host static.140.245.9.176.clients.your-server.de <https://nsm.metaflows.com/sockets/historical.php?w=any&p=1d&hashT=h1agg&srca=139.182.96.115#176.9.245.140>. It will probably not be the case in the near future.
- Look for Angler EK in your IDS alerts; it is a very significant red flag.
The Cryptowall is triggering the following ET Pro IDS alerts:
- snort-bad-unknown (27)
  - policy (4)
    - 1.2019401:ET POLICY Vulnerable Java Version 1.8.x Detected Extra Information (4)
  - trojan (23)
    - 1.2020822:ET TROJAN HTTP POST to WP Theme Directory Without Referer (23)
- snort-policy-violation/policy (1)
  - 1.2808413:ETPRO POLICY telize.com IP lookup (1)
- snort-trojan-activity (34)
  - emerging-trojan (24)
    - 1.2018452:ET TROJAN CryptoWall Check-in (24)
  - current_events (9)
    - 1.2021280:ET CURRENT_EVENTS Angler EK XTEA encrypted binary 16 M2 (1)
    - 1.2811284:ETPRO CURRENT_EVENTS Angler EK Flash Exploit M2 (1)
    - 1.2811526:ETPRO CURRENT_EVENTS Possible Angler EK Flash Exploit June 16 2015 M1 (1)
    - 1.2811529:ETPRO CURRENT_EVENTS Possible Angler EK Payload June 16 2015 M2 (1)
    - 1.2021360:ET CURRENT_EVENTS Angler EK XTEA encrypted binary 26 (1)
    - 1.2021338:ET CURRENT_EVENTS Possible Evil Redirector Leading to EK June 10 2015 (1)
    - 1.2811660:ETPRO CURRENT_EVENTS Angler EK Landing June 1 2015 (1)
    - 1.2811779:ETPRO CURRENT_EVENTS Angler EK Landing June 30 2015 M6 (1)
    - 1.2811528:ETPRO CURRENT_EVENTS Possible Angler EK Landing May 16 M2 (1)
  - policy (1)
    - 1.2020105:ET POLICY Possible IP Check ip-addr.es Extra Information (1)
- snort-shellcode-detect/emerging-shellcode (1)
  - 1.2013222:ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt (1)
We hope you find this information useful,
Livio.
--
Livio Ricciulli
MetaFlows Inc
w +1(408) 457-1895
m +1(408) 835-5005
Current thread:
- Cryptowall and Flash Livio Ricciulli (Jul 13)
- Re: Cryptowall and Flash H Morrow Long (Jul 13)
- Re: Cryptowall and Flash Livio Ricciulli (Jul 13)
- Re: Cryptowall and Flash Frank Barton (Jul 15)
- Re: Cryptowall and Flash Kevin Reedy (Jul 16)
- Re: Cryptowall and Flash Tevlin, Dave (Jul 16)
- Re: Cryptowall and Flash Livio Ricciulli (Jul 13)
- Re: Cryptowall and Flash H Morrow Long (Jul 13)
- Re: Cryptowall and Flash Ted Pham (Jul 13)