Trend is catching it now. Behavior looked like the bad guys had mapped an H: drive to someplace on the InterWebs and was about to try and infect my machine.
From: [email protected] On Behalf Of Gavin Wilby
Sent: Thursday, July 09, 2015 4:51 AM
To: [email protected]
Subject: RE: [NTSysADM] OT: VirusScanning software

Ninite Pro will give you a full function 7 day trial that will push Flash to the latest version across your domain (Windows only). I'm currently auditing now using this.

Gavin Wilby
IT Support Engineer

From: [email protected] On Behalf Of Erik Goldoff
Sent: 08 July 2015 19:21
To: [email protected]
Subject: Re: [NTSysADM] OT: VirusScanning software

So has anyone come up with a script method of checking installed Flash Player versions? I'm hunting the registry, but haven't found what I need yet.

On Wed, Jul 8, 2015 at 1:10 PM, Ed Ziots <[email protected]> wrote:
The exploit kits are dropping Cryptowall 3.0 and others due to 0 day in Flash which just got patched. I would spend time dealing with how many Flash installations are not up to spec and get those patched first, then deal with additional SRP controls.
Ed

On Jul 8, 2015 12:29 PM, "Kennedy, Jim" <[email protected]> wrote:
Chase down where the exe is as you dig through this. You will find it in the user's profile in AppData most likely. Applock the user profile, all of it.

From: [email protected] On Behalf Of Jonathan Link
Sent: Wednesday, July 8, 2015 12:24 PM
To: [email protected]
Subject: Re: [NTSysADM] OT: VirusScanning software

That's my assessment as well.

On Wed, Jul 8, 2015 at 12:17 PM, Susan Bradley <[email protected]> wrote:
If the infection occurred as soon as he attached to the network, I'm guessing he was already nailed and he just brought it in when he came in.
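Erik's question about scripting a check of installed Flash Player versions, answered with an added example that is not code from anyone on this thread. Rather than hunting the registry, it reads the version resource of the Flash plug-in binaries in the standard Macromed\Flash directories over each host's admin$ share and flags anything below the build you pass in. Local admin on the targets, a reachable admin$ share, and the 2015-era directory layout (System32, plus SysWOW64 on 64-bit Windows) are assumptions; the comma-separated Flash version string is why the script builds the version from the numeric parts.

```powershell
<#
  Added example, not code from anyone on this thread.
  Inventories Flash Player builds on one or more hosts by reading the version
  resource of the plug-in binaries under Macromed\Flash (Flash*.ocx = ActiveX/IE,
  NPSWF*.dll = NPAPI/Firefox) over the admin$ share, then flags hosts below the
  build passed in -MinimumVersion.
  Assumptions: local admin on the targets, admin$ reachable, and the directory
  layout Adobe used in 2015 (System32 and, on 64-bit Windows, SysWOW64).
#>
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # Take this from Adobe's bulletin for the current fix; no default on purpose.
    [Parameter(Mandatory = $true)]
    [version]$MinimumVersion
)

function Get-FlashPluginVersions {
    param([string]$Computer)

    $dirs = @(
        "\\$Computer\admin$\System32\Macromed\Flash",
        "\\$Computer\admin$\SysWOW64\Macromed\Flash"
    )
    $found = @()
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $found += Get-ChildItem -LiteralPath $dir -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -match '^(Flash.*\.ocx|NPSWF.*\.dll)$' } |
            ForEach-Object {
                $vi = $_.VersionInfo
                # Flash writes its version string with commas ("18,0,0,203"), so build
                # a comparable [version] from the numeric parts instead of parsing it.
                $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
                New-Object PSObject -Property @{
                    Computer = $Computer
                    Plugin   = $(if ($_.Extension -eq '.ocx') { 'ActiveX (IE)' } else { 'NPAPI (Firefox)' })
                    Path     = $_.FullName
                    Version  = $ver
                }
            }
    }
    return $found
}

$report = foreach ($c in $ComputerName) {
    $plugins = Get-FlashPluginVersions -Computer $c
    if (-not $plugins) {
        # Either no Flash at all (good) or the host/share was unreachable; check which separately.
        New-Object PSObject -Property @{ Computer = $c; Plugin = '-'; Path = '-'; Version = $null; Status = 'NO FLASH FOUND / UNREACHABLE' }
        continue
    }
    foreach ($p in $plugins) {
        $status = if ($p.Version -ge $MinimumVersion) { 'OK' } else { 'NEEDS PATCH' }
        $p | Add-Member -MemberType NoteProperty -Name Status -Value $status -PassThru
    }
}

$report | Sort-Object Status, Computer | Format-Table Computer, Plugin, Version, Status -AutoSize
# Hand the stragglers to whatever pushes the update (Ninite, SCCM, a GPO-deployed MSI).
$report | Where-Object { $_.Status -eq 'NEEDS PATCH' } |
    Export-Csv -NoTypeInformation -Path .\flash-needs-patch.csv
```

Run it against the domain with something like `.\Get-FlashInventory.ps1 -ComputerName (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name) -MinimumVersion <major.minor.build.rev>` (script name and the version placeholder are yours to fill in). Hosts that report "NO FLASH FOUND / UNREACHABLE" need a second look, since an offline laptop and a Flash-free desktop look the same from the share.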
On 7/8/2015 9:10 AM, Jonathan Link wrote:
Well, he wasn't in the office for much of the past two days, so firewall logs are ineffective in this instance. It appears that the infection started as soon as his computer attached to the network. Browser history is a good place to look, but I can't access the machine without it being turned on and on the network (I'm on vacation) and that would be counterproductive at this point. I am hoping I can recover some of his data that was on the computer, but made him no promises.

On Wed, Jul 8, 2015 at 11:55 AM, Susan Bradley <[email protected]> wrote:
IE history
Firewall logs
Should help narrow it down. And we have a zero day Flash being patched today. Expect a Microsoft patch for Windows 8 and above.

On 7/8/2015 8:32 AM, Jonathan Link wrote:
No, not yet. It's one of our directors, and he swears that the only site he visited within the last 24 hours was msn.com. So it could be the Flash 0 day from an infected ad that wasn't caught? Of course, he might not be remembering something... It started working at around 8am this morning which is when he fired up his computer in the office.

On Wed, Jul 8, 2015 at 11:08 AM, David McSpadden <[email protected]> wrote:
I know you are on vacation but do you know the attack vector?
From: [email protected] On Behalf Of Jonathan Link
Sent: Wednesday, July 08, 2015 10:43 AM
To: [email protected]
Subject: Re: [NTSysADM] OT: VirusScanning software

So, we just got hit with a Cryptowall variant with SRP in place. I didn't disbelieve you Susan, I was just hoping that we could avoid infection until I got a true whitelisting solution in place. Oh and I'm on vacation, so this is extra fun to restore backups via the VPN. Luckily we have other systems in place that mitigated the extent of damage, such as really good backups, and tested restore procedures.

On Fri, Jul 3, 2015 at 3:36 PM, Susan Bradley <[email protected]> wrote:
I have many consultant stories of ransomware nailing clients with software restriction policies in place - especially the web cocktail variants. Applocker/whitelisting = Enterprise SKUs. Which I hardly ever see in my space, nor does the customer base afford the time and effort. Great if you have the budget to do it, sucks if you don't have the licenses and infrastructure.

On 7/3/2015 11:54 AM, Jonathan Link wrote:
I was posting from my phone in a hurry, DYAC. Software Restriction, not proper pixies.
Susan, I haven't seen an executable run in any location that has been blocked by SRP. IF you have a very narrow whitelist, it helps a lot.

On Fri, Jul 3, 2015 at 2:02 PM, Jonathan Link <[email protected]> wrote:
You can also use proper pixies to restrict where software can run. I've blocked the user profile folder and added an exception for the desktop and a couple of other places that I can't recall. Users have to move downloaded apps to their desktop to install. I haven't had a Cryptowall infection in 2 years.

On Friday, July 3, 2015, Susan Bradley <[email protected]> wrote:
It changes so fast that as soon as they do the bad guys code up something new. There's no silver bullet here.
Silverlight/Flash/Java. Use it, patch it or lose it.
Web filtering at the firewall. If your firewall doesn't provide web filtering/UTM options it's time to upgrade. Home users look at OpenDNS (yes even now that Cisco is buying them).
Filter attachments/zips.
Least priv/non admin.
Block the app location (yes this impacts Firefox and Office installs).
Google FoolishIT for non domain or Cryptolocker group policy toolkit.
Education to your users that that email you got isn't a legit email.

On 7/3/2015 10:09 AM, David McSpadden wrote:
Quick, anyone know of a VirusScanning software that is catching CryptoWall 3.0 yet?
David McSpadden
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190 | F: 317.554.8106
http://imcu.com/ | https://www.facebook.com/IndianaMembersCU | https://twitter.com/IndMembersCU

This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email.

SMP Partners Limited, SMP Trustees Limited and SMP Fund Services Limited are licensed by the Isle of Man Financial Supervision Commission. SMP Accounting & Tax Limited is a member of the ICAEW Practice Assurance Scheme.
SMP Partners Limited registered in the Isle of Man, Company Registration No: 000908V. Directors: M.W. Denton, M.J. Derbyshire, S.E McGowan, O. Peck, J.J. Scott, S.J. Turner.
SMP Trustees Limited registered in the Isle of Man, Company Registration No: 068396C. Directors: A.C. Baggesen, M.W. Denton, O. Peck, J.J. Scott, J. Watterson, J. Cubbon.
SMP Fund Services Limited registered in the Isle of Man, Company Registration No: 120288C. Directors: V. Campbell, M.W. Denton, D.A. Manser, S.E McGowan, J.J. Scott, R.K. Corkill.
SMP Accounting & Tax Limited registered in the Isle of Man, Company Registration No: 001316V. Directors: I.F. Begley, A.J. Dowling, P. Duchars, J.J. Scott, S.J. Turner.
SMP Capital Markets Limited registered in the Isle of Man, Company Registration No: 002438V. Directors: M.W. Denton, M.J. Derbyshire, D.F Hudson, S.E McGowan, O. Peck, J.J. Scott.
SMP Partners Limited, SMP Trustees Limited, SMP Fund Services Limited, SMP Accounting & Tax Limited and SMP Capital Markets Limited are members of the SMP Partners Group of Companies. This email is confidential and is subject to disclaimers. Details can be found at: http://www.smppartners.com/disclaimer.html

This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com
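The path-based Software Restriction Policy that Jim and Jonathan describe in this thread (disallow executables anywhere in the user profile, re-allow the Desktop so users can still run an installer they deliberately moved there), written out as an added example; this is not a script from anyone on the thread. It writes the local-policy registry equivalent of what the Group Policy editor stores under Safer\CodeIdentifiers, which is an assumption you should verify in secpol.msc on a test machine before copying the rules into a domain GPO; the rule paths and descriptions are constructed, and, as Susan points out, blocking the profile also breaks per-user Firefox and Office installs, so expect to add exceptions.

```powershell
<#
  Added example, not code from anyone on this thread.
  Builds the local SRP that the thread describes: default level Unrestricted,
  everything under the user profile Disallowed, Desktop re-allowed. SRP gives the
  most specific matching path rule precedence, which is what makes the Desktop
  exception win over the profile-wide block.
  Assumptions: the registry layout below (DefaultLevel/TransparentEnabled/PolicyScope
  plus <level>\Paths\{GUID} rules with ItemData/SaferFlags/Description/LastModified)
  matches what secpol.msc writes on this Windows build; run elevated on a test box.
  Caveat: environment-variable rules depend on the user's environment, so many
  admins prefer registry-path rules pointing at the Shell Folders values instead.
#>
$safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 262144   # 0x40000

# Constructed rule lists; tighten or widen to match what you see dropped in AppData.
$blockPaths = @('%USERPROFILE%\*')
$allowPaths = @('%USERPROFILE%\Desktop\*')

function Set-SaferPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    $guid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $key  = Join-Path $safer "$Level\Paths\$guid"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    return $key
}

function Get-SaferPathRules {
    # Read back every path rule so the result can be eyeballed before a test logon.
    foreach ($lvl in $Disallowed, $Unrestricted) {
        $base = Join-Path $safer "$lvl\Paths"
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem $base | ForEach-Object {
            $v = Get-ItemProperty $_.PSPath
            New-Object PSObject -Property @{
                Level       = $(if ($lvl -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' })
                Path        = $v.ItemData
                Description = $v.Description
            }
        }
    }
}

# Policy-wide settings: allow by default, enforce on all file types except DLLs,
# apply to every user including administrators (the CryptoWall victim is often an admin).
New-Item -Path $safer -Force | Out-Null
New-ItemProperty -Path $safer -Name DefaultLevel       -PropertyType DWord -Value $Unrestricted -Force | Out-Null
New-ItemProperty -Path $safer -Name TransparentEnabled -PropertyType DWord -Value 1             -Force | Out-Null
New-ItemProperty -Path $safer -Name PolicyScope        -PropertyType DWord -Value 0             -Force | Out-Null

foreach ($p in $blockPaths) { Set-SaferPathRule -Level $Disallowed   -Path $p -Description 'Block executables launched from the user profile' | Out-Null }
foreach ($p in $allowPaths) { Set-SaferPathRule -Level $Unrestricted -Path $p -Description 'Allow installers the user moved to the Desktop'  | Out-Null }

Get-SaferPathRules | Format-Table Level, Path, Description -AutoSize
```

After running it, open secpol.msc, confirm the two rules appear under Software Restriction Policies, then log a standard user on and try to launch something from a Downloads folder and from the Desktop; the first should be refused with the SRP message and the second should run. Once the rule set survives a week of real users, move the same rules into a domain GPO and delete the local copy so there is one source of truth.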
