The Cloud Security Alliance Top Threats Working Group is conducting a survey of global security concerns in cloud computing. This short survey asks you to rate the relevance of 13 shortlisted security concerns in cloud computing. In addition, you will be given an opportunity to comment on and provide anecdotes for these security concerns. The output of this survey will be a report that aims to provide organizations with an up-to-date, expert informed understanding of cloud security concerns in order to make educated risk-management decisions regarding cloud adoption strategies.
As an incentive, 10 respondents will be selected at random at the end of the survey and offered a Certificate of Cloud Security Knowledge (CCSK) exam token ($345 value). This token will allow the user to take the CCSK exam on https://ccsk.cloudsecurityalliance.org/ and earn their certificate. A link to the study material will be included.
We look forward to your participation. Respondents can only take the survey once but feel free to invite your qualified friends and colleagues. Thanks in advance for your time and contribution.
The evolution of the enterprise has made reliance on IT essential to meeting customers’ dynamic needs. Offering the best strategic solution to customer needs does not necessarily mean installing the latest IT products. Instead, it may require combining several factors (risk, security, support, maintenance, cost, etc.) to deliver that solution.
The financial sector is influenced heavily by public perception, firm regulation and tight competition, and is also a critical part of every society. Governance plays an important role in this sector in ensuring that the various stakeholders are protected and satisfied. To ensure value, financial institutions seek competitive advantage through differentiation strategies, because the product (currency) is the same. It is important to note that the satisfaction of the shareholders/owners cannot be achieved in isolation; hence customers hold the real power, and how effectively their needs are met can determine the success or failure of the organisation.
The role of governance of enterprise IT (GEIT) becomes very important when organisational complexity exists and business uses IT not only for support and enablement, but also to gain a clear competitive advantage over rivals by introducing innovation as part of its strategy. One example of this can be seen in a financial institution using a mixture of radical and incremental innovation while encouraging an entrepreneurial mindset in its work culture.
How do you govern this type of organisation to ensure proper regulations are enforced, and at the same time encourage new ideas (which means new risk) while utilizing technology to deliver these products/services, ahead of your competition? The foundational areas of stability, risk, security and public perception have been joined with speed, agility, first to market and flexibility, creating a new landscape for developing enterprise strategy.
Aligning governance, strategy, innovation and IT is a complicated task, since the synergy, environment and structure needed to get the right results may or may not exist. Studying the five domains of GEIT (Framework for the Governance of Enterprise IT, Strategic Management, Benefits Realization, Risk Optimization and Resource Optimization) can help meet this challenge by offering both a framework that can be tailored and a mindset for analysing these variables.
Ammett Williams, CCIE Telecommunication Team leader at First Citizens, TT
In recent weeks, we have noticed changes in the TeslaCrypt ransomware malware family’s code base. OpenDNS recently discussed some of these changes regarding the encryption techniques in this newest variant. While reverse engineering the underlying code of these samples we discovered that the author of TeslaCrypt borrowed code from the Carberp malware family in order to obfuscate strings and dynamically load libraries/functions.
TeslaCrypt was discovered in February 2015, and has been actively developed since its initial release. The TeslaCrypt family is known as ransomware—a type of malware that encrypts a victim’s files then demands a form of payment in exchange for the decryption key. Ransomware has been very lucrative for attackers, and an ongoing challenge for consumers and businesses alike. Malware like TeslaCrypt is often delivered via spam emails or exploit kits. A recent takedown of multiple domains used by the popular Angler exploit kit estimated that as much as $60 million in revenue was generated annually by ransomware alone.
TeslaCrypt has historically been known to borrow code or other features from various ransomware families. Older variants used a notification screen that looked nearly identical to the one used by the CryptoLocker malware family.
Figure 1. Locker notification for old variants of TeslaCrypt
The latest versions of TeslaCrypt attempt to mimic the popular CryptoWall malware family.
Figure 2. Locker notification for new variants of TeslaCrypt
As we can see from the figures, the author of TeslaCrypt has no reservations about re-using code where possible. Starting in late September, the newest version of TeslaCrypt was introduced and it included multiple updates. One of these updates involved modifications to how the victims’ files were encrypted, which was discussed by OpenDNS in their blog post.
However, when looking at the underlying code, a number of other changes caught our eye, including string obfuscation previously unseen in TeslaCrypt.
Figure 3. TeslaCrypt string obfuscation
Upon further review, we discovered that these strings are encrypted with the RC2 cryptographic algorithm using the static key ‘sdflk35jghs’. The initialization vector is formed from the first and last 4 characters of the encoded string, not counting the base64 padding characters; these characters are removed before the remainder is decrypted. This process is shown below.
Figure 4. TeslaCrypt IV and data parsing
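The decryption routine below is an added example written for this post; it is not the Unit 42 script, the TeslaCrypt code, or Carberp's source. It implements RC2 from RFC 2268 in pure Python and then applies the string layout described above. Several details are assumptions not stated in the post: the 11-byte ASCII key is used directly as the RC2 key with an effective key length of 8 bits per key byte, the 4 characters removed from each end of the unpadded base64 text are used verbatim as the 8-byte CBC IV, decrypted data is zero-padded to the block size, and the sample string (built with `build_obfuscated`) is constructed here because no real TeslaCrypt string appears on the page.

```python
import base64

# RC2 permutation table from RFC 2268.
PITABLE = [
    0xd9, 0x78, 0xf9, 0xc4, 0x19, 0xdd, 0xb5, 0xed, 0x28, 0xe9, 0xfd, 0x79, 0x4a, 0xa0, 0xd8, 0x9d,
    0xc6, 0x7e, 0x37, 0x83, 0x2b, 0x76, 0x53, 0x8e, 0x62, 0x4c, 0x64, 0x88, 0x44, 0x8b, 0xfb, 0xa2,
    0x17, 0x9a, 0x59, 0xf5, 0x87, 0xb3, 0x4f, 0x13, 0x61, 0x45, 0x6d, 0x8d, 0x09, 0x81, 0x7d, 0x32,
    0xbd, 0x8f, 0x40, 0xeb, 0x86, 0xb7, 0x7b, 0x0b, 0xf0, 0x95, 0x21, 0x22, 0x5c, 0x6b, 0x4e, 0x82,
    0x54, 0xd6, 0x65, 0x93, 0xce, 0x60, 0xb2, 0x1c, 0x73, 0x56, 0xc0, 0x14, 0xa7, 0x8c, 0xf1, 0xdc,
    0x12, 0x75, 0xca, 0x1f, 0x3b, 0xbe, 0xe4, 0xd1, 0x42, 0x3d, 0xd4, 0x30, 0xa3, 0x3c, 0xb6, 0x26,
    0x6f, 0xbf, 0x0e, 0xda, 0x46, 0x69, 0x07, 0x57, 0x27, 0xf2, 0x1d, 0x9b, 0xbc, 0x94, 0x43, 0x03,
    0xf8, 0x11, 0xc7, 0xf6, 0x90, 0xef, 0x3e, 0xe7, 0x06, 0xc3, 0xd5, 0x2f, 0xc8, 0x66, 0x1e, 0xd7,
    0x08, 0xe8, 0xea, 0xde, 0x80, 0x52, 0xee, 0xf7, 0x84, 0xaa, 0x72, 0xac, 0x35, 0x4d, 0x6a, 0x2a,
    0x96, 0x1a, 0xd2, 0x71, 0x5a, 0x15, 0x49, 0x74, 0x4b, 0x9f, 0xd0, 0x5e, 0x04, 0x18, 0xa4, 0xec,
    0xc2, 0xe0, 0x41, 0x6e, 0x0f, 0x51, 0xcb, 0xcc, 0x24, 0x91, 0xaf, 0x50, 0xa1, 0xf4, 0x70, 0x39,
    0x99, 0x7c, 0x3a, 0x85, 0x23, 0xb8, 0xb4, 0x7a, 0xfc, 0x02, 0x36, 0x5b, 0x25, 0x55, 0x97, 0x31,
    0x2d, 0x5d, 0xfa, 0x98, 0xe3, 0x8a, 0x92, 0xae, 0x05, 0xdf, 0x29, 0x10, 0x67, 0x6c, 0xba, 0xc9,
    0xd3, 0x00, 0xe6, 0xcf, 0xe1, 0x9e, 0xa8, 0x2c, 0x63, 0x16, 0x01, 0x3f, 0x58, 0xe2, 0x89, 0xa9,
    0x0d, 0x38, 0x34, 0x1b, 0xab, 0x33, 0xff, 0xb0, 0xbb, 0x48, 0x0c, 0x5f, 0xb9, 0xb1, 0xcd, 0x2e,
    0xc5, 0xf3, 0xdb, 0x47, 0xe5, 0xa5, 0x9c, 0x77, 0x0a, 0xa6, 0x20, 0x68, 0xfe, 0x7f, 0xc1, 0xad,
]

def _expand_key(key, eff_bits):
    """RFC 2268 key expansion: key bytes -> 64 sixteen-bit round keys."""
    t, t8 = len(key), (eff_bits + 7) // 8
    tm = 255 % (1 << (8 + eff_bits - 8 * t8))
    L = list(key) + [0] * (128 - t)
    for i in range(t, 128):
        L[i] = PITABLE[(L[i - 1] + L[i - t]) & 0xFF]
    L[128 - t8] = PITABLE[L[128 - t8] & tm]
    for i in range(127 - t8, -1, -1):
        L[i] = PITABLE[L[i + 1] ^ L[i + t8]]
    return [L[2 * i] | (L[2 * i + 1] << 8) for i in range(64)]

_S = (1, 2, 3, 5)  # per-word rotation amounts used by the mixing round
def _rol(x, n): return ((x << n) | (x >> (16 - n))) & 0xFFFF
def _ror(x, n): return ((x >> n) | (x << (16 - n))) & 0xFFFF
def _words(block): return [block[i] | (block[i + 1] << 8) for i in (0, 2, 4, 6)]
def _bytes(R): return bytes(b for w in R for b in (w & 0xFF, w >> 8))

def rc2_encrypt_block(K, block):
    R, j = _words(block), 0
    for rnd in range(16):  # schedule: 5 mix, mash, 6 mix, mash, 5 mix
        for i in range(4):
            R[i] = (R[i] + K[j] + (R[i-1] & R[i-2]) + (~R[i-1] & R[i-3])) & 0xFFFF
            R[i] = _rol(R[i], _S[i]); j += 1
        if rnd in (4, 10):
            for i in range(4):
                R[i] = (R[i] + K[R[i-1] & 63]) & 0xFFFF
    return _bytes(R)

def rc2_decrypt_block(K, block):
    R, j = _words(block), 63
    for rnd in range(16):  # exact inverse of the schedule above, round keys consumed backwards
        if rnd in (5, 11):
            for i in (3, 2, 1, 0):
                R[i] = (R[i] - K[R[i-1] & 63]) & 0xFFFF
        for i in (3, 2, 1, 0):
            R[i] = _ror(R[i], _S[i])
            R[i] = (R[i] - K[j] - (R[i-1] & R[i-2]) - (~R[i-1] & R[i-3])) & 0xFFFF
            j -= 1
    return _bytes(R)

def rc2_cbc_decrypt(key, iv, data, eff_bits=None):
    K = _expand_key(key, eff_bits or 8 * len(key))  # assumption: effective bits = key length
    out, prev = bytearray(), iv
    for off in range(0, len(data), 8):
        blk = data[off:off + 8]
        out += bytes(a ^ b for a, b in zip(rc2_decrypt_block(K, blk), prev))
        prev = blk
    return bytes(out)

def split_iv_and_data(obfuscated):
    """Layout from the post: strip base64 padding, take 4 chars from each end as the IV,
    decode the middle. The 8 removed characters are used verbatim as the IV (assumption)."""
    body = obfuscated.rstrip("=")
    if len(body) < 12:
        raise ValueError("too short: need 8 IV characters plus a base64 body")
    iv = (body[:4] + body[-4:]).encode("ascii")  # 8 bytes = one RC2 block
    middle = body[4:-4]
    return iv, base64.b64decode(middle + "=" * (-len(middle) % 4))

def deobfuscate_string(key, obfuscated):
    iv, data = split_iv_and_data(obfuscated)
    if len(data) % 8:
        raise ValueError("ciphertext is not a whole number of RC2 blocks")
    return rc2_cbc_decrypt(key, iv, data).rstrip(b"\0").decode("latin-1")

def build_obfuscated(key, iv, plaintext):
    """Inverse of the above; used only to construct a sample string for the demo."""
    K = _expand_key(key, 8 * len(key))
    padded = plaintext + b"\0" * (-len(plaintext) % 8)  # zero padding (assumption)
    out, prev = bytearray(), iv
    for off in range(0, len(padded), 8):
        prev = rc2_encrypt_block(K, bytes(a ^ b for a, b in zip(padded[off:off + 8], prev)))
        out += prev
    b64 = base64.b64encode(out).decode("ascii")
    body = b64.rstrip("=")
    return iv[:4].decode("ascii") + body + iv[4:].decode("ascii") + b64[len(body):]

KEY = b"sdflk35jghs"  # static key reported in the post

if __name__ == "__main__":
    sample = build_obfuscated(KEY, b"ABCDwxyz", b"kernel32.dll")  # constructed sample
    print(sample, "->", deobfuscate_string(KEY, sample))
```

The RC2 core can be checked against the RFC 2268 test vectors before trusting it on real samples; the IV and padding assumptions above should be confirmed against the sample being analysed, since any of them being wrong yields garbage rather than an error.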
While examining the Carberp source code, we discovered this exact code. Carberp was a popular banking Trojan discovered in late 2011. Its main functionality included stealing online banking credentials, keystroke logging, and capturing data from various applications.
In mid-2013, the source code to Carberp was posted for sale on an underground Russian forum. A number of weeks following this posting, the source code was leaked to the general public. This allowed any individual to modify or copy the source code to this banking Trojan, which the author of TeslaCrypt appears to have done.
Figure 5. Carberp string parsing prior to decryption
Looking further into the underlying code of TeslaCrypt, we found that the author has also implemented dynamic library and function loading.
Figure 6. Dynamic function loading in TeslaCrypt
Sure enough, this code was also copied from Carberp’s source code. The hashes used to identify functions are generated via the following algorithm:
Figure 7. Hashing algorithm
To assist analysts and reverse-engineers working on the latest version of TeslaCrypt, we provide the IDAPython script shown in Figure 8, which attempts to convert the API hashes back to their actual function names automatically.
Figure 8. Results of running IDAPython script
Overall, it appears that the author of TeslaCrypt has continued their history of re-using code and functionality from other malware families. Using Carberp’s string obfuscation and dynamic API loading makes reverse-engineering and simple static analysis slightly more difficult. However, as the Carberp source code is so widely known in the security community, the author may have inadvertently made detection of these samples easier. This is the tradeoff of re-using code from other malware families: it is certainly quicker and easier to do, but may result in easier detection by security software.
All new variants of the TeslaCrypt malware family samples are properly classified as malicious by Palo Alto Networks WildFire. AutoFocus users can find more information on samples and indicators related to this attack by viewing the TeslaCrypt tag.
Bring threat intelligence into your own service or application with the AutoFocus API, which lets you search through and get details on samples, sessions, tags, and more through a secure, RESTful API.