We have recently discovered that several end user devices within our network have been attempting (successfully blocked by firewalls) to establish an outbound connection to an external IP address (49.236.204.101) based in Malaysia. This is activity that we have not seen before, so our cyber security team has investigated, as we have deemed this activity suspicious. Although this IP is considered not malicious on popular IP scanning sites like VirusTotal and AlienVault OTX, we have come to the conclusion that this IP is malicious because it has port 32754, a port used by remote access tools, open.
All of the devices attempting to establish this outbound communication are performing similar activity:
InitiatingProcessCommandLine: 1) "node.exe" "C:\Program Files\Adobe\Adobe Creative Cloud Experience\js\main.js" or 2) "node.exe" "C:\Program Files\Common Files\Adobe\Creative Cloud Libraries\js\server.js"
InitiatingProcessParentFileName: 1) CCXProcess.exe (SHA1: d94828ea51500a104222a54b238bd445b6e3b310) or 2) CCLibrary.exe (SHA1: 8da4fddf04de3501c1a609e43d907f0a15d049a8)
RemoteIP: 49.236.204.101
Adobe CC Versions: 5.4.5.550, 5.5.0.614, 5.5.0.617, 5.6.0.788
Please could you advise if this is expected/legitimate behaviour for your software? Do the supplied hashes match the hashes of your software? Has Adobe been contacted by other companies with similar events? If so, when will a patch be released to mitigate this activity?
This behaviour should no longer be occurring after updating to CCX Process 4.13.1.4, released a few days ago. The update should be automatic.
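A triage helper for the telemetry in the post above, added here as an example; it is not code from Adobe or from either poster. It reads records using the Defender for Endpoint column names the post quotes (InitiatingProcessCommandLine, InitiatingProcessParentFileName, RemoteIP), treats the IP, the two SHA1 values and the two script paths from the post as indicators, and applies the CCX Process 4.13.1.4 fix version from the reply. The `ccx_process_version` field, the sample events and the version numbers in them are constructed for this example. The thread never confirms that the listed SHA1s are Adobe's genuine hashes, so a mismatch is reported as something to verify against the file's Authenticode signature, not as proof of tampering; the reply names a fix only for CCX Process, so no fix version is assumed for CCLibrary.exe.

```python
import re
from dataclasses import dataclass

# Indicators exactly as reported in the thread.
SUSPECT_REMOTE_IPS = {"49.236.204.101"}
REPORTED_PARENT_SHA1 = {
    "CCXProcess.exe": "d94828ea51500a104222a54b238bd445b6e3b310",
    "CCLibrary.exe": "8da4fddf04de3501c1a609e43d907f0a15d049a8",
}
EXPECTED_SCRIPTS = {
    "CCXProcess.exe": r"C:\Program Files\Adobe\Adobe Creative Cloud Experience\js\main.js",
    "CCLibrary.exe": r"C:\Program Files\Common Files\Adobe\Creative Cloud Libraries\js\server.js",
}
# Version the Adobe reply says stops the behaviour (CCX Process, not the CC desktop app version).
FIXED_CCX_PROCESS_VERSION = (4, 13, 1, 4)


@dataclass
class NetworkEvent:
    """Subset of DeviceNetworkEvents columns quoted in the thread.
    ccx_process_version is an assumed extra field (e.g. joined from software inventory)."""
    device_name: str
    initiating_process_command_line: str
    initiating_process_parent_file_name: str
    initiating_process_parent_sha1: str
    remote_ip: str
    ccx_process_version: str


def parse_version(text: str) -> tuple:
    """'4.13.1.4' -> (4, 13, 1, 4), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def ccx_process_is_fixed(version: str) -> bool:
    return parse_version(version) >= FIXED_CCX_PROCESS_VERSION


def split_command_line(cmd: str) -> list:
    """Split a Windows command line, keeping quoted paths that contain spaces as one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def triage(event: NetworkEvent) -> dict:
    """Classify one event as no_match, known_pattern, update_pending or investigate."""
    escalate, notes = [], []
    argv = split_command_line(event.initiating_process_command_line)
    parent = event.initiating_process_parent_file_name
    is_node = bool(argv) and argv[0].lower().endswith("node.exe")
    script = argv[1] if len(argv) > 1 else ""
    matches_pattern = (
        is_node and parent in EXPECTED_SCRIPTS
        and script.lower() == EXPECTED_SCRIPTS[parent].lower()
    )

    reported = REPORTED_PARENT_SHA1.get(parent)
    if reported and event.initiating_process_parent_sha1.lower() != reported:
        escalate.append(f"{parent} SHA1 differs from the value reported in the thread; "
                        "verify the file's Authenticode signature")
    if is_node and not matches_pattern:
        escalate.append("node.exe launched from an unexpected parent or script path")

    if matches_pattern and parent == "CCXProcess.exe":
        if ccx_process_is_fixed(event.ccx_process_version):
            escalate.append(f"CCX Process {event.ccx_process_version} is at or above 4.13.1.4 "
                            "yet the connection still occurs")
        else:
            notes.append(f"CCX Process {event.ccx_process_version} is below 4.13.1.4; "
                         "the automatic update should stop this")
    elif matches_pattern:
        notes.append("matches the CCLibrary.exe pattern from the thread; no fix version given for it")
    elif event.remote_ip in SUSPECT_REMOTE_IPS:
        escalate.append(f"connection to {event.remote_ip} from outside the known Creative Cloud pattern")

    if escalate:
        verdict = "investigate"
    elif matches_pattern and parent == "CCXProcess.exe":
        verdict = "update_pending"
    elif matches_pattern:
        verdict = "known_pattern"
    else:
        verdict = "no_match"
    return {"device": event.device_name, "verdict": verdict, "findings": escalate + notes}


# Constructed sample telemetry for this example, not real records.
SAMPLE_EVENTS = [
    NetworkEvent("WS-001", r'"node.exe" "C:\Program Files\Adobe\Adobe Creative Cloud Experience\js\main.js"',
                 "CCXProcess.exe", "d94828ea51500a104222a54b238bd445b6e3b310", "49.236.204.101", "4.12.0.100"),
    NetworkEvent("WS-002", r'"node.exe" "C:\Program Files\Common Files\Adobe\Creative Cloud Libraries\js\server.js"',
                 "CCLibrary.exe", "8da4fddf04de3501c1a609e43d907f0a15d049a8", "49.236.204.101", "4.13.1.4"),
    NetworkEvent("WS-003", r'"node.exe" "C:\Users\Public\update.js"',
                 "CCXProcess.exe", "0000000000000000000000000000000000000000", "49.236.204.101", "4.13.1.4"),
]


def triage_all(events=SAMPLE_EVENTS) -> list:
    return [triage(e) for e in events]


if __name__ == "__main__":
    for result in triage_all():
        print(result["device"], result["verdict"], *result["findings"], sep="\n  ")
```

Run it as-is to see the three sample verdicts, or feed it rows exported from an advanced hunting query on DeviceNetworkEvents filtered to the remote IP. The deliberate design point is that a matching parent, script path and hash on an un-updated host is classed as pending the vendor update rather than as an incident, while anything that deviates from that exact pattern (a different script, a hash that is not the one reported, or the connection persisting after the fix version) is escalated for a human to look at.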
I am seeing the same thing. Several workstations attempting to establish LDAP sessions with various remote IPs. Would like an explanation as well.
InitiatingProcessCommandLine: 1) "node.exe" "C:\Program Files\Adobe\Adobe Creative Cloud Experience\js\main.js" or 2) "node.exe" "C:\Program Files\Common Files\Adobe\Creative Cloud Libraries\js\server.js"
InitiatingProcessParentFileName: 1) CCXProcess.exe (SHA1: d94828ea51500a104222a54b238bd445b6e3b310) or 2) CCLibrary.exe (SHA1: 8da4fddf04de3501c1a609e43d907f0a15d049a8)
RemoteIP: 49.236.204.101
Adobe CC Versions: 5.4.5.550, 5.5.0.614, 5.5.0.617, 5.6.0.788