Adobe’s Continuing Affair with Angler and Cryptowall

The latest Adobe Flash Player update has once again proven problematic. We have discovered yet another revision of a pre-existing Angler Exploit Kit disseminating Cryptowall. A customer's host was compromised following Angler Exploit Kit redirects dated June 1, 2015, June 16, 2015, and June 30, 2015, showing that as new adaptations of the kit are added, the older ones remain in use. The latest, from June 30, is more recent than the most up-to-date patch for Adobe Flash Player 17, version 17.0.0.19. In Adobe's words: "Customers that are enrolled in 'Allow Adobe to Install Updates (recommended)' but have not updated to Flash Player version 18 will receive a new and secure version of Flash Player 17 over the next 24 hours."

MetaFlows customers are encouraged to enable automatic blocking for Level 1 Events, which currently include the Angler Exploit rules (http://nsm.metaflows.com/sid_priority.map), or to create specific block rules that match Angler EK events.
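As an added illustration of the two blocking options above (not MetaFlows' own code or rule set), the following script parses constructed Snort fast-format alerts and decides which external peers to block, either because an alert is at Level 1 (assumed here to map to Snort priority 1) or because its message matches an explicit "Angler EK" pattern. The SIDs, rule messages and addresses are placeholders.

```python
import ipaddress
import re

# Constructed Snort "fast" alert lines (not from the original post); SIDs 9000xxx
# and all addresses are placeholders, not real rule ids or indicators.
SAMPLE_ALERTS = """\
06/30-10:12:01.000001  [**] [1:9000001:2] ET CURRENT_EVENTS Angler EK Landing Page [**] [Classification: Exploit Kit Activity] [Priority: 1] {TCP} 203.0.113.10:80 -> 10.0.0.5:49152
06/30-10:12:03.000002  [**] [1:9000002:1] ET CURRENT_EVENTS Angler EK Flash Exploit [**] [Classification: Exploit Kit Activity] [Priority: 2] {TCP} 203.0.113.10:80 -> 10.0.0.5:49153
06/30-10:12:09.000003  [**] [1:9000003:1] ET TROJAN CryptoWall Check-in [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49160 -> 198.51.100.7:80
06/30-10:15:00.000004  [**] [1:9000004:1] ET INFO Generic HTTP User-Agent [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.6:49200 -> 192.0.2.9:80
"""

FAST_ALERT = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\[Priority: (?P<priority>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)
# "Internal" means RFC 1918 here; TEST-NET ranges in the sample count as external.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_alerts(text):
    """Return one dict per Snort fast-format alert line that parses."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT.search(line)
        if m:
            a = m.groupdict()
            a["priority"] = int(a["priority"])
            alerts.append(a)
    return alerts

def external_peer(alert):
    """Pick the non-RFC1918 side of the flow; that is the address to block."""
    for ip in (alert["src"], alert["dst"]):
        if not any(ipaddress.ip_address(ip) in net for net in RFC1918):
            return ip
    return None  # purely internal flow: nothing to block at the perimeter

def block_decisions(alerts, level1_priority=1, patterns=("Angler EK",)):
    """Map external IP -> [(sid, reason)]. An alert qualifies by Level 1
    priority (assumed = Snort priority 1) or by an explicit message pattern."""
    decisions = {}
    for a in alerts:
        if a["priority"] <= level1_priority:
            reason = "level1"
        elif any(p in a["msg"] for p in patterns):
            reason = "pattern"
        else:
            continue
        ip = external_peer(a)
        if ip:
            decisions.setdefault(ip, []).append((a["sid"], reason))
    return decisions
```

The second sample alert has priority 2 and is caught only by the "Angler EK" pattern, which is the case a specific block rule covers when a kit revision has not yet been promoted to Level 1.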

The figure shows an example of the events that are triggered during an Angler Exploit attempt and infection with Cryptowall.

