11-09-2014 10:58 PM - edited 03-10-2019 06:16 AM
Hi,
I am receiving alerts related to the CryptoWall signature which was newly released. The detections are from an internal source.
I am wondering if this is also the same as with the BASH vulnerability signature, which was revised due to false positive detections.
11-10-2014 05:23 AM
I'm seeing hundreds of IPs being flagged by signature 4777/3, but so far all the systems that have been checked have been found not to have CryptoWall. I believe we are seeing false positives.
11-10-2014 08:21 AM
I've also seen a few of these alerts coming in since the new S834 release and found no CryptoWall on the triggering systems either, so these do seem to be false positives. Is it advisable that we disable this signature for the time being, or is there a safer way to fine-tune it to avoid these false positives?
11-10-2014 12:01 PM
We're seeing the same thing. The traffic that is triggering the alerts is web requests sent to various advertisement sites. The URIs seem to match the pattern in the signature, although they look non-malicious.
11-10-2014 10:54 PM
We are seeing this today too. A few do seem to go to ad sites... others do not. Computers scanned with the latest Malwarebytes and Symantec show up clean.
11-11-2014 09:24 AM
Same here, hundreds of web requests getting flagged as if we're attacking these sites, but all the packets are my clients requesting from them. There are alphanumeric strings that seem to match the signature of an attack, but to me they seem to be more like cookie junk. Other times, it's a simple HTML request with nothing that seems like it could match. I get a range of it, from well-known websites like National Geographic or Yahoo to several ad sites. Pretty certain all are false positives.
11-10-2014 11:59 PM
Hi,
Our IPS shows this alert too.
Victim from LAN sends HTTP GET request to different advertisement sites.
This looks like FP but I found some recent threads/posts/blogs about "Malvertising" campaign created to "infect unsuspecting visitors with CryptoWall 2.0 ransomware on sites such as Yahoo, The Atlantic and AOL":
1. http://www.proofpoint.com/threatinsight/posts/malware-in-ad-networks-infects-visitors-and-jeopardizes-brands.php
2. http://forums.cnet.com/7723-6132_102-629128/malvertising-campaign-on-yahoo-aol-triggers-cryptowall/
3. http://threatpost.com/malvertising-campaign-on-yahoo-aol-triggers-cryptowall-infections/108987
Etc.
Therefore, the behavior of the victim seems suspicious.
11-11-2014 07:33 AM
Ours began tripping and showing the 4777/3 as well at around 10:50 EST on 11/10.
11-11-2014 09:48 PM
The same thing is happening on our IPS: it is detecting traffic coming from our IronPort Web Filter, which is apparently attacking random sites since the 10th of November.
Any news from Cisco in regards to this being a false positive, as there are a few people in our organisation getting excited about this.
11-12-2014 02:11 PM
Update your signatures, the new signature is written to take into account the actual known C&C sites. It was updated last night it seems and I am no longer getting a flood.
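The two posts above about URIs full of alphanumeric "cookie junk" and the later note that the revised signature takes the known C&C sites into account describe the same tuning step: a content pattern alone fires on ad-network tracking tokens, while the same pattern combined with a destination condition does not. The following script is an added illustration of that triage, not code from this thread, from Cisco, or from the real 4777/3 signature. The regex, the alert records, and the C&C host list are all constructed stand-ins; the real signature's pattern and Cisco's C&C list are not on this page.

```python
import re
from dataclasses import dataclass

# Constructed alert records standing in for IPS events on signature 4777/3.
# Hosts, source IPs and URIs are made up for this example.
@dataclass(frozen=True)
class Alert:
    src: str
    dst_host: str
    uri: str

SAMPLE_ALERTS = [
    # ad-network pixel with a 32-char hex tracking id (looks like "cookie junk")
    Alert("10.0.0.5", "ads.example-network.net",
          "/pixel?id=3f9c0a7b2e5d4c1a8b6f0e9d7c5a3b2f&ref=news"),
    # publisher CDN cache-buster with the same shape
    Alert("10.0.0.7", "cdn.example-publisher.com",
          "/t.gif?cb=9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d"),
    # same token shape, but to a host on the (placeholder) known-C&C list
    Alert("10.0.0.9", "known-c2.example",
          "/gate.php?k=4d2c1b0a9f8e7d6c5b4a39281706f5e4"),
    # plain page fetch, should never match
    Alert("10.0.0.11", "www.example-news.org", "/index.html"),
]

# Stand-in for the broad content pattern: a query parameter whose value is a
# 32-character hex token. This is NOT the real signature's regex.
TOKEN_RE = re.compile(r"[?&][a-z]+=[0-9a-f]{32}(?:&|$)")

# Placeholder known-C&C host set (constructed); a real deployment would load
# this from the vendor's signature update rather than hard-coding it.
KNOWN_C2 = frozenset({"known-c2.example"})


def naive_match(alert: Alert) -> bool:
    """Content-only rule: fires on the token shape regardless of destination."""
    return bool(TOKEN_RE.search(alert.uri))


def tuned_match(alert: Alert, c2_hosts=KNOWN_C2) -> bool:
    """Tuned rule: same token shape AND destination is a known C&C host."""
    return naive_match(alert) and alert.dst_host.lower() in c2_hosts


def triage(alerts, c2_hosts=KNOWN_C2) -> dict:
    """Split alerts into those the broad rule fires on, the subset the tuned
    rule keeps, and the remainder that is likely a false positive."""
    out = {"naive": [], "tuned": [], "likely_fp": []}
    for a in alerts:
        if not naive_match(a):
            continue
        out["naive"].append(a)
        if tuned_match(a, c2_hosts):
            out["tuned"].append(a)
        else:
            out["likely_fp"].append(a)
    return out


def summarize(alerts, c2_hosts=KNOWN_C2) -> dict:
    """Counts plus the distinct destinations the tuned rule discarded, which is
    what an analyst would review before deciding the signature is tuned enough."""
    t = triage(alerts, c2_hosts)
    return {
        "naive_hits": len(t["naive"]),
        "tuned_hits": len(t["tuned"]),
        "likely_fp": len(t["likely_fp"]),
        "fp_hosts": sorted({a.dst_host for a in t["likely_fp"]}),
        "hosts_to_investigate": sorted({a.src for a in t["tuned"]}),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_ALERTS).items():
        print(f"{k}: {v}")
```

On the constructed sample the content-only rule fires three times, two of them on ad and CDN hosts, while the destination-qualified rule keeps only the one request to the placeholder C&C host. The hosts it discards are the ones worth eyeballing before trusting the tuned rule, since the last poster in this thread found real infections served through ads on otherwise trusted sites.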
11-13-2014 06:10 AM
Ours stopped as well. I guess 834 started it and 835 stopped it.
11-13-2014 03:17 PM
Thanks guys.
Ours has stopped now after the signatures were updated.
11-14-2014 08:56 AM
Odd that everyone is saying that these are false positives. Our IPS alerted about a number of hosts; an AV scan found CryptoWall on all of the hosts that IPS had reported. Further analysis discovered that the malware was being served from the ads on trusted sites. The advertisements exploited a vulnerability in Flash Player and injected itself into the iexplorer process without any interaction from the user. Our AV did not detect the initial injection as it does not have heuristics. I have not received any alerts since the signature was updated; I hope that it is still doing its job.