I am receiving alerts related to the CryptoWall signature which was newly released. The detections are from an internal source.
I am wondering if this is also the same with BASH vulnerability signature which was revised due to false positives detection.
I'm seeing hundreds of IPs being flagged by signature 4777/3, but so far all the systems that have been checked have been found not to have CryptoWall. I believe we are seeing false positives.
I've also seen a few of these alerts coming in since the new S834 release and found no CryptoWall on the triggering systems either, so these do seem to be false positives. Is it advisable that we disable this signature for the time being, or is there a safer way to fine-tune it to avoid these false positives?
We're seeing the same thing. The traffic that is triggering the alerts is web requests sent to various advertisement sites. The URIs seem to match the pattern in the signature, although they look non-malicious.
We are seeing this today too. A few do seem to go to ad sites... others do not. Computers scanned with the latest Malwarebytes and Symantec show up clean.
Same here, hundreds of web requests getting flagged as if we're attacking these sites, but all the packets are my clients requesting from them. There are alphanumeric strings that seem to match the signature of an attack, but to me they seem to be more like cookie junk. Other times, it's a simple HTML request with nothing that seems like it could match. I get a range from well-known websites like National Geographic or Yahoo to several ad sites. Pretty certain all are false positives.
Our IPS shows this alert too.
Victim from LAN sends HTTP GET request to different advertisement sites.
This looks like an FP, but I found some recent threads/posts/blogs about a "malvertising" campaign created to "infect unsuspecting visitors with CryptoWall 2.0 ransomware on sites such as Yahoo, The Atlantic and AOL".
Therefore, the behavior of the victim seems suspicious.
The same thing is happening on our IPS; it is detecting traffic coming from our IronPort Web Filter, which is apparently attacking random sites since the 10th of November.
Any news from Cisco in regards to this being a false positive, as there are a few people in our organisation getting excited about this.
Update your signatures. The new signature is written to take into account the actual known C&C sites. It was updated last night, it seems, and I am no longer getting a flood.
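The difference the poster above describes, a URI-pattern-only rule versus one that also requires a known C&C destination, can be shown over sample traffic. The script below is an added illustration, not code from the thread or from Cisco: the regex is a hypothetical stand-in (the real 4777/3 pattern is not on this page), the C&C host is a placeholder, and the HTTP requests are constructed. It counts how many requests each rule would flag and lists the destinations that dominate the alerts, which is the triage an analyst does when ad networks keep showing up at the top.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpRequest:
    src_ip: str
    host: str
    path: str


# Constructed sample traffic, not taken from the thread: ordinary client GETs to
# ad networks and content sites, plus one request to a placeholder C&C host.
SAMPLE_REQUESTS = [
    HttpRequest("10.0.0.11", "ads.adnetwork-a.test", "/track/a8f3k2j9d0s1l3m4p5q6"),
    HttpRequest("10.0.0.12", "www.news-site.test", "/index.html"),
    HttpRequest("10.0.0.13", "ads.adnetwork-b.test", "/pixel/x9y8z7w6v5u4t3s2r1q0"),
    HttpRequest("10.0.0.14", "c2-placeholder.test", "/gate/7k3m9n2p4q6r8s0t1u5v"),
    HttpRequest("10.0.0.11", "www.portal-site.test", "/news/story"),
]

# Hypothetical stand-in for a URI-only signature: a long lowercase alphanumeric
# final path segment. This is NOT the real 4777/3 pattern, which is not on the page.
URI_PATTERN = re.compile(r"/[a-z0-9]{16,}$")

# Placeholder for the curated list of known C&C hosts that a tightened signature
# would consult; the real list is not on the page.
KNOWN_C2_HOSTS = {"c2-placeholder.test"}


def uri_only_match(req: HttpRequest) -> bool:
    """Loose rule: fire on the URI shape alone, whatever the destination."""
    return bool(URI_PATTERN.search(req.path))


def tightened_match(req: HttpRequest) -> bool:
    """Tightened rule: same URI shape, but only towards a known C&C host."""
    return uri_only_match(req) and req.host in KNOWN_C2_HOSTS


def alert_counts(requests: list[HttpRequest]) -> tuple[int, int]:
    """Return (alerts from the loose rule, alerts from the tightened rule)."""
    loose = sum(uri_only_match(r) for r in requests)
    tight = sum(tightened_match(r) for r in requests)
    return loose, tight


def top_alerting_hosts(requests: list[HttpRequest], matcher=uri_only_match):
    """Triage view: destinations ranked by alert volume for the given rule.
    Ad networks and content sites at the top are the usual sign of a rule
    matching benign tracking URIs rather than malware traffic."""
    return Counter(r.host for r in requests if matcher(r)).most_common()


def false_positive_candidates(requests: list[HttpRequest]) -> list[HttpRequest]:
    """Requests the loose rule flags but the tightened rule does not; these are
    the ones worth checking on the endpoint before raising an incident."""
    return [r for r in requests if uri_only_match(r) and not tightened_match(r)]


if __name__ == "__main__":
    loose, tight = alert_counts(SAMPLE_REQUESTS)
    print(f"URI-only rule fired {loose} times, tightened rule {tight} times")
    for host, n in top_alerting_hosts(SAMPLE_REQUESTS):
        print(f"  {host}: {n} alert(s)")
    for r in false_positive_candidates(SAMPLE_REQUESTS):
        print(f"  review {r.src_ip} -> {r.host}{r.path}")
```

Disabling the signature outright removes the one true detection in the sample along with the noise; constraining it by destination, as the updated signature reportedly does, keeps that detection while dropping the ad-network requests from the alert queue.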
Odd that everyone is saying that these are false positives. Our IPS alerted about a number of hosts; an AV scan found CryptoWall on all of the hosts that the IPS had reported. Further analysis discovered that the malware was being served from the ads on trusted sites. The advertisements exploited a vulnerability in Flash Player and injected itself into the iexplore process without any interaction from the user. Our AV did not detect the initial injection, as it does not have heuristics. I have not received any alerts since the signature was updated; I hope that it is still doing its job.