Day: April 29, 2016

Posted on

Cloud Security Alliance Announces World Class Speaker Line Up for Second Annual Federal Summit

Program to Feature Insights and Perspectives into the Federal Government Cloud Strategy and Use of Cloud Services along with Best Practices to Ensure Cloud Security in Regulatory Environments

Washington, DC – April 28, 2016 – The Cloud Security Alliance (CSA) today announced a world-class line up of speakers and presentations for its second annual Cloud Security Alliance Federal Summit, a one day free-for-government event taking place at the Ronald Reagan Building and International Trade Center. The event, scheduled to take place on May 12, is expected to draw 250 information security professionals from civilian and defense agencies to exchange experiences, lessons learned and best practices for securely implementing cloud computing to support agency missions.

“Agencies today are being tasked with new requirements and mandates when it comes to deploying cloud services. It is now more important than ever to provide an educational platform where these information security professionals can understand and prepare for the future direction of cloud security requirements in order to effectively leverage cloud-based services,” said Jim Reavis, co-founder and CEO of the Cloud Security Alliance. “This year’s event was carefully built on the success of last year’s event where, for the first time, attendees gained unique expert access and insight that they could readily apply within their own environment. We look forward to doing that once again this year, with even greater content and use cases.”

The program will feature presentations from some of the most prominent names and organizations in the federal space including an opening keynote presentation by:

Tony Scott, U.S. Chief Information Officer, Office of Management and Budget, Executive Office of the President (pending agency approval).

Additional speakers and panelists include:

  • Emery Csulak, Chief Information Security Officer, Centers for Medicare & Medicaid Services, U.S. Department of Health and Human Services
  • Joe Paiva, Chief Information Officer, International Trade Administration
  • Jim Tunnessen, Chief Technology Officer, Food Safety and Inspection Service, U.S. Department of Agriculture
  • Noah Kunin, Director of Delivery Architecture and Infrastructure Services, 18F, U.S. General Services Administration
  • Matt Goodrich, FedRAMP Director, U.S. General Services Administration
  • John Hale, ‎Chief, Enterprise Applications, Defense Information Systems Agency

In addition to the one-day event, the CSA will be holding a CCSK (Certificate of Cloud Security Knowledge) Foundation Training at the Carr Workplaces at The Willard in Washington, D.C. Taking place on May 11 from 9:00 a.m. to 5:00 p.m., the CCSK Foundation course is based on V3.0 of the CCSK exam and the CSA Security Guidance for Critical Areas of Cloud Computing V3.0. The Cloud Computing Security Knowledge-Foundation class provides attendees with a comprehensive one day review of cloud security fundamentals and prepares them to take the Cloud Security Alliance CCSK v3.0 certificate exam. This is a fee-based workshop. For more information on this CCSK Foundation Training event, please visit: www.fedsummits.com/csa/ccsk.

WHAT Cloud Security Alliance Federal Summit 2016
WHEN Wednesday, May 11, 2016
7:30 am – 8:00 am: Doors Open, Breakfast and Opening of Cloud Security Exhibition Hall
8:00 am – 4:30 pm: Conference Program
4:00 pm – 6:00 pm: Cocktail Reception
WHERE Ronald Reagan Building and International Trade Center
1300 Pennsylvania Ave. NW
Washington, DC
Room: Atrium Hall
ATTENDEE REGISTRATION http://www.fedsummits.com/csa/
MEDIA REGISTRATION Email kari@zagcommunications.com

Members of the media and analyst community interested in attending the event should contactkari@zagcommunications.com for more information, to receive press credentials and to schedule interviews with CSA leadership and conference speakers.

About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

[Cloud Security Alliance Research News]

Posted on

Afraidgate: Major Exploit Kit Campaign Swaps Locky Ransomware for CryptXXX

In mid-April 2016, a campaign using Nuclear Exploit Kit (EK) to distribute Locky ransomware switched to using the Angler EK to install CryptXXX ransomware. This campaign uses gates registered through FreeDNS at afraid.org. We are calling this the Afraidgate campaign. Although we continue to see Locky distributed through malicious spam, we have not noticed Locky from EK traffic since mid-April.

An Evolving Campaign

In March 2016, we observed Nuclear EK from the Afraidgate campaign spreading Locky ransomware. A consistent gate pattern in the infection chain pointed to the same campaign using Neutrino EK the previous month. Now this campaign points to Angler EK. Also with the change in EKs, the malware has switched from Locky to CryptXXX. Both of these malware families employ the ransomware business model, in which they encrypt a user’s files and demand a ransom in return for the decryption keys. The following chart illustrates the changes in this particular campaign:

Figure 1: Changes in EK and payload from the Afraidgate campaign.

The Angler/Bedep/CryptXXX Combo

In mid-April 2016, the pseudo-Darkleech campaign started delivering CryptXXX through Bedep from Angler EK. The same Angler EK/Bedep/CryptXXX combination has spread to the Afraidgate campaign, replacing Nuclear EK traffic used to deliver Locky.

Angler EK is a bit more advanced than Nuclear EK. Angler uses new exploits, usually before these exploits have made their way into Nuclear EK. When sending Bedep, Angler uses a“fileless” infection technique originally implemented in 2014. Bedep is installed without creating any files because it is loaded directly into memory by the exploit shellcode.

Bedep is a file downloader that infects the host with other malware. In addition to CryptXXX, Bedep also installs click-fraud malware. Recent updates to Bedep make it harder to use virtual machines (VMs) to investigate this malware. Bedep acts differently if it detects a VM. It will not download CryptXXX, and post-infection click-fraud traffic is different than seen from a normal physical host.

Figure 2: VM infection shows different post-infection traffic than the other examples here.

Three examples of Angler/Bedep/CryptXXX infection traffic from the Afraidgate campaign are shown below.

Figure 3: Gate on 185.118.164.42 leads to Angler EK/Bedep/CryptXXX on Friday 2016-04-22.

Figure 4: Similar gate on 185.118.164.42 leads to more Angler EK traffic on Monday 2016-04-25.

Figure 5: Similar gate on 185.118.164.42 leads to more Angler EK on Tuesday 2016-04-26.

Conclusion

CryptXXX is now the default ransomware deployed in at least two major EK campaigns and should be considered a growing cybersecurity threat.

Domains, IP addresses, and other indicators associated with Angler EK, Bedep, and CryptXXX are constantly changing. We continue to investigate this activity for applicable indicators to inform the community and further enhance our threat prevention platform.

WildFire continues to detect submitted .dll samples of CryptXXX ransomware, and AutoFocus identifies this threat under the Unit 42 CryptXXX tag.

Indicators of Compromise

As of Tuesday 2016-04-26, we have seen the following indicators of compromise associated with this campaign:

Gates used in this campaign:

  • 185.118.164.42 port 80 – host.vivialvarez.com[.]ar – GET /widget.js
  • 185.118.164.42 port 80 – kw.projetoraizes.com[.]br – GET /js/script.js
  • 185.118.164.42 port 80 – net.jacquieleebrasil.com[.]br – GET /js/script.js

Angler EK:

  • 85.25.160.124 port 80 – bintiye.helpthevets[.]org
  • 85.25.160.124 port 80 – mcimaildmz.dinnerplate.co[.]uk
  • 192.169.189.167 port 80 – candidulumbestuurlijk.newlandsierrarealestate[.]com
  • 192.169.190.97 port 80 – frageboegen-plletyksin.breastcanceroutreach[.]com
  • 192.169.190.97 port 80 – reikleivn-azarashi.orlandohomesbydevito[.]com
  • 209.126.120.8 port 80 – litigators.esteroscreen[.]com

Bedep post-infection traffic:

  • 104.193.252.241 port 80 – qrwzoxcjatynejejsz[.]com
  • 95.211.205.228 port 80 – yfczmludodohkdqnij[.]com (using a VM)

Click-fraud traffic:

  • 5.199.141.203 port 80 – ranetardinghap[.]com
  • 93.190.141.27 port 80 – cetinhechinhis[.]com
  • 95.211.205.218 port 80 – tedgeroatref[.]com
  • 104.193.252.236 port 80 – rerobloketbo[.]com
  • 162.244.34.11 port 80 – tonthishessici[.]com
  • 207.182.148.92 port 80 – allofuslikesforums[.]com
  • 85.25.79.211 port 80 – oqpwldjc.mjobrkn3[.]eu (using a VM)

CryptXXX post-infection traffic:

  • 217.23.6.40 port 443 (custom encoding)

[Palo Alto Networks Research Center]

English
English
Exit mobile version