topic Odd that everyone is saying in Network Security

Cryptowall

Jhun Banzuela — Sun, 10 Mar 2019 13:16:53 GMT

Hi,

I am receiving alerts related to Cryptowall signature which was newly release. The detection are from Internal source.

I am wondering if this is also the same with BASH vulnerability signature which was revised due to false positives detection.

I'm seeing 100's of IP's

bdsmith — Mon, 10 Nov 2014 13:23:25 GMT

I'm seeing 100's of IP's being flagged by signature 4777/3, but so far all the systems that have been checked have been found not to have cryptowall. I believe we are seeing false positives.

I've also seen a few of these

mitchen — Mon, 10 Nov 2014 16:21:50 GMT

I've also seen a few of these alerts coming in since the new S834 release and found no cryptowall on the triggering systems either so these do seem to be false positives. Is it advisable that we disable this signature for the time being or is there a safer way to fine tune it to avoid these false positives?

We're seeing the same thing.

ADAM PYNE — Mon, 10 Nov 2014 20:01:39 GMT

We're seeing the same thing. The traffic that is triggering the alerts are web requests sent to various advertisement sites. The uri's seem to match the pattern in the signature, although they look non-malicious.

We are seeing this today too.

Terry S — Tue, 11 Nov 2014 06:54:55 GMT

We are seeing this today too. A few do seem to go to ad sites...others do not. Computers scanned with the latest Malwarebytes and Symantec show up clean. .

Hi,Our IPS shows this alert

Vld Fuib — Tue, 11 Nov 2014 07:59:15 GMT

Hi,
Our IPS shows this alert too.
Victim from LAN sends HTTP GET request to different advertisement sites.
This looks like FP but I found some recent threads/posts/blogs about "Malvertising" campaign created to "infect unsuspecting visitors with CryptoWall 2.0 ransomware on sites such as Yahoo, The Atlantic and AOL":
1. http://www.proofpoint.com/threatinsight/posts/malware-in-ad-networks-infects-visitors-and-jeopardizes-brands.php
2. http://forums.cnet.com/7723-6132_102-629128/malvertising-campaign-on-yahoo-aol-triggers-cryptowall/
3. http://threatpost.com/malvertising-campaign-on-yahoo-aol-triggers-cryptowall-infections/108987
Etc.
Therefore, behavior of victim seems suspicious.

Ours began tripping and

bradlesw1 — Tue, 11 Nov 2014 15:33:20 GMT

Ours began tripping and showing the 4777/3 as well at around 10:50 EST on 11/10.

Same here, hundreds of web

Edward Urban — Tue, 11 Nov 2014 17:24:00 GMT

Same here, hundreds of web request getting flagged as if we're attacking these sites, but all the packets are my clients requesting from them. There are alphanumeric strings that seem to match the signature of an attack, but to me they seem to be more of cookie junk. Other times, it's a simple html request with nothing that seems like it could match. I get a range of it being well-known websites like National Geographic or Yahoo, to several ad sites. Pretty certain all are false positives.

The same thing is happening

christopher.diakiw — Wed, 12 Nov 2014 05:48:54 GMT

The same thing is happening on our IPS, it is detecting traffic coming from our IronPort Web Filter which is apparently attacking Random Sites since the 10th of November.

Any news from Cisco in regards to this being a false positive, as there are a few people in our organisation getting excited about this.

Update your signatures, the

Edward Urban — Wed, 12 Nov 2014 22:11:20 GMT

Update your signatures, the new signature is written to take into account the actual known C&C sites. It was updated last night it seems and I am no longer getting a flood.

Ours stopped as well. I

bradlesw1 — Thu, 13 Nov 2014 14:10:11 GMT

Ours stopped as well. I guess 834 started it and 835 stopped it.

Thanks Guys Ours has stopped

christopher.diakiw — Thu, 13 Nov 2014 23:17:20 GMT

Thanks Guys

Ours has stopped now after the signatures were updated.

Odd that everyone is saying

ebell — Fri, 14 Nov 2014 16:56:18 GMT

Odd that everyone is saying that these are false positives. Our IPS alerted about a number of hosts, an AV scan found crytpowall on all of the hosts that IPS has reported. Furthur analysis discovered that the malware was being served from the ads on trusted sites. The advertisements exploited vulnerability in flash player and injected itself into iexplorer process without any interaction from the user. Our AV did not detect the initial injection as it does not have heuristics. I have not received any alerts since the signature was updated, I hope that it is still doing its job.