http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html
Latest 0-day flash exploit from HT is being used in Exploit Kits (Angler and Neutrino) and is dropping CryptoWall. We’ve seen the best way to fight ransomware is to put in effective reactionary defenses. 1. Use ePO to detect on key IoC’s (Indicators of Compromise) a. Filenames detected as containing _decrypt, _restore, etc. b. Threat names with “ransom/Ransom” c. Increase logging of important registry locations (startup,etc) d. Monitor AppData, Temp Folders for dropped files 2. Block web pages classified as “Dynamic Content or Newly Registered Domains” (Websense) a. Look for ipinfo.io/ip 3. Patch Flash/Java 4. Use your SIEM to monitor for the above, then enforce a quarantine policy via tagging with ePO (which is possible with McAfee ESM) 5. Have good backups. We had an incident this morning where a user was infected off the network via the exploit mentioned above, then once they plugged into the network and ePO saw the IOC’s, the system was quarantined automatically (no network share write and 80/443 access blocked) without admin interaction. Here’s a good resource (May 2015) about the different exploit kits and what CVE’s they use http://contagiodump.blogspot.ca/2010/06/overview-of-exploit-packs-update.html http://contagiodata.blogspot.com/2014/12/exploit-kits-2014.html Hope this helps. Rob. From: [email protected] [mailto:[email protected]] On Behalf Of Jonathan Link Sent: Wednesday, July 08, 2015 10:43 AM To: [email protected] Subject: Re: [NTSysADM] OT: VirusScanning software So, we just got hit with a Croptywall variant with SRP in place. I didn't disbelieve you Susan, I was just hoping that we could avoid infection until I got a true whitelisting solution in place. Oh and I'm on vacation, so this is extra fun to restore backups via the VPN. Luckily we have other systems in place that mitigated the extent of damage, such as really good backups, and tested restore procedures. On Fri, Jul 3, 2015 at 3:36 PM, Susan Bradley <[email protected]<mailto:[email protected]>> wrote: I have many consultant stories of ransomware nailing clients with software restriction policies in place - especially the web cocktail variants. Applocker/whitelisting = Enterprise SKUs. Which I hardly ever see in my space, nor does the customer base afford the time and effort. Great if you have the budget to do it, sucks if you don't have the licenses and infrastructure. On 7/3/2015 11:54 AM, Jonathan Link wrote: I was posting from my phone in a hurry, DYAC. Software Restriction, not proper pixies. Susan, I haven't seen an executable run in any location that has been blocked by SRP. IF you have a very narrow whitelist, it helps a lot. On Fri, Jul 3, 2015 at 2:02 PM, Jonathan Link <[email protected]<mailto:[email protected]>> wrote: You can also use proper pixies to restrict where software can run. I've blocked the user profile folder and added an exception for the desktop and a couple of other places that I can't recall. Users have to move downloaded apps to ther desktop to install. I haven't had a Cryptowall infection in 2 years. On Friday, July 3, 2015, Susan Bradley <[email protected]<mailto:[email protected]>> wrote: It changes so fast that as soon as they do the bad guys code up something new. there's no silver bullet here. Silverlight/flash/java. Use it,patch it or lose it. Web filtering at the firewall. If your firewall doesn't provide web filtering/UTM options it's time to upgrade. Home users look at OpenDNS (yes even now that Cisco is buying them) Filter attachments/zips. Least priv/non admin. Block the app location (yes this impacts firefox and office installs) Google foolishit for non domain or cryptolocker group policy toolkit Education to your users that that email you got isn't a legit email. On 7/3/2015 10:09 AM, David McSpadden wrote: Quick, anyone know of a VirusScanning software that is catching CryptoWall 3.0 yet? David McSpadden Systems Administrator Indiana Members Credit Union P: 317.554.8190<tel:317.554.8190> | F: 317.554.8106<tel:317.554.8106> [Description: imcu email icon]<http://imcu.com/> [Description: facebook email icon] <https://www.facebook.com/IndianaMembersCU> [Description: twitter email icon] <https://twitter.com/IndMembersCU> [Description: email logo] [mcp2] This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email. IMPORTANT NOTICE: Without the use of secure encryption, the Internet is not a secure medium and privacy cannot be ensured. Internet e-mail is vulnerable to interception, misuse and forging. Equitable cannot ensure the privacy and authenticity of any information sent by way of the public Internet. Equitable will not be responsible for any damages you may incur if you communicate confidential and personal information to us over the Internet or if we communicate such information to you at your request. This e-mail and any attachments are confidential, may be covered by legal professional privilege or exempt from disclosure under applicable law, and are intended for the addressee only. If you are not the intended recipient, you are not authorized to and must not disclose, copy, distribute or retain any or part of this e-mail and any attachments without written permission of The Equitable Life Insurance Company of Canada.
