ISOI XX Agenda: 26-27 April 2018 Victoria, B.C. Canada Hosted by: HYAS Security

Wednesday evening pub meet-up 18:00 onwards:
http://strathconahotel.com/venue/games-room/

ISOI XX Thursday, 26 April 2018

08:00 - 09:00: Breakfast

09:00 - 09:15: Greetings, Welcome to ISOI XX! - Fergie and Chris:
Welcome, logistics, etc.

09:15 - 10:00: Nate Warfield (Microsoft):

Title: All Your Cloud Are Belong To Us - Hunting Compromise in Azure

Description: MongoDB, Redis, Elastic, Hadoop, SMBv1, IIS6.0, Samba. What
do they all have in common? Thousands of them were pwned. In Azure. In
2017.

Attackers have shifted tactics, incorporated nation-state leaked tools
and are leveraging ransomware to monetize their attacks. Cloud networks
are prime targets; the DMZ is gone, the firewall doesn't exist and users
may not realize they've exposed insecure services to the Internet until
it's too late.

In this talk I'll discuss hunting, finding and remediating compromised
systems in Azure - a non-trivial task with 1.59 million exposed hosts and
counting. Remediating system compromise is only the first stage, so I'll
also cover how we applied the lessons learned to proactively secure
Azure Marketplace.

Finally, I will present research I've done into the default security
configuration of Azure Marketplace images and present a call to action
for all cloud providers to better audit the default security of their
offerings.

10:00 - 10:45: Mike Schiffman (Farsight Security):

Title: Real-time DNS-based brand protection

Description: Internet bad actors have long been known to register
look-alike domains and stand up phishing sites and create spam campaigns
in order to hoodwink users into revealing personal information including
login credentials, credit card numbers and social security numbers.
Detecting and combating criminal activity related to look-alike domains
becomes a much more difficult problem when you start adding
International Domain Names (IDNs) into that mix.  This talk will detail
work that has been used to detect a variety of look-alike domains
(including those in the IDN space) via various matching algorithms that
look for similar looking and similar sounding phonetic words (in
English).  Details of a few real world examples of detected live
phishing sites utilizing look-alike IDNs will be shown along with action
for responsible disclosure and overall incident response.

10:45 - 11:15: Break

11:15 - 12:00: Thiago Musa (Trustwave):

Title: What the Hack? Cybercrime in Latin America

Description: With 33 countries, 13 other territories and a total
population of over 670+ Million people, the LATAM region is estimated to
reach 375+ Million connected users by the end of 2018. But
unfortunately, as we have seen in the field, there's a long road ahead
for the region to become adequately prepared for current threats. In
fact, LATAM has become one of the favorite targets for cybercriminals
given the lack of appropriate legislation in most countries and high
profit margins due to minimal security practices and basic public
awareness around evolving security issues. Many recent investigations
and penetration tests we have performed in major institutions from the
private and public sector and thorough security research, helped us form
several observations about the current threat landscape in the LATAM
region. In this presentation, we will review several channels used by
cybercriminals, critical threats we have identified, and highlight
recent real-case examples. In addition, we'll provide special focus on
ATM security and highlight recent vulnerabilities we have discovered and
researched as ATM heists continue to grow and flourish in LATAM.

12:00 - 13:00: Lunch

13:00 - 13:45: Chris Davis (HYAS: Host Speaker Slot):

Title: Rocking the Kasbah

Description: A multi-month investigation into a directed and sustained
attack against France's national infrastructure from possibly
politically motivated Moroccans.

We will present the results of an investigation, network indicators and
other IoCs related to the breaches of France's nuclear power grid, rail
system, road system, banking system, hospital system, defense
contractors, and many more, perpetrated by a very small group of
Moroccan actors initially leveraging VBScript sourced from an anti-West
Saudi-based actor.


13:45 - 14:15: Jérôme Segura (Malwarebytes):

Title: The Partnerstroka TSS Campaign

Description: With the decline in drive-by downloads and exploit kits in
particular, threat actors are increasingly using social engineering
techniques to lure new victims. Tech support scams are one such example
that is generating a lot of revenue not only for scammers operating from
boiler rooms often out of India, but also for the traffic providers that
drive visitors to browser locker pages. The latter are experts in
malvertising and perhaps surprisingly, include Russian threat actors. In
one campaign we have been tracking - which we dubbed Partnerstroka - we
expose the dozens of registrant emails, Google Analytics IDs and domain
names (exceeding 10K). We also share information about a tracking API
that allows us to send a query and get the newest domain being used as
browlock.

14:15 - 14:45: Break

14:45 - 15:30: Francis Turner (ThreatStop):

Title: Recent Fluxxy Changes and Implications for Malware Using It

Description: Although Fluxxy is still a very large multilevel botnet,
recent research indicates that the owners have partitioned the network
by customer so that for a particular piece of malware the DNS service
layer and the hosts that are the A record responses are a lot smaller at
any one time. As a result it now appears to be possible to interdict
particular sorts of malware, such as Ursnif/Gozi, that use Fluxxy for
their C2 infrastructure.

15:30 - 16:15: Andrew Hay (LEO Security):

Title: "I" Before "R" Except After "IOC"

Description: Just because the security industry touts indicators of
compromise (IOCs) as much needed intelligence in the war on attackers,
the fact is that not every IOC is valuable enough to trigger an incident
response (IR) activity. All too often our provided indicators contain
information of varying quality including expired attribution, dubious
origin, and incomplete details.

So how many IOCs are needed before you can confidently declare an
incident? Using actual investigations and research, this session will
help attendees better understand the true value of an individual IOC,
how to quantify and utilize your collected indicators, and what
constitutes an actual incident.

After completing this session, the learner will:
- Know how to quickly determine the value of an IOC,
- Understand when more information is needed (and from what source), and
- Make intelligent decisions on whether or not an incident should be declared.

16:15 - 17:00: Rod Rasmussen (ICANN SSAC):

Working Title: Update on ICANN SSAC (also hopefully Rod will discuss
the current situation with WHOIS and GDPR)


19:00: ISOI Fun Night out: Swans Brew Pub
https://swanshotel.com/brew-pub/brew-pub-home


Friday, 27 April 2018

08:00 - 09:00: Breakfast

09:00 - 09:45: Lord Remorin (Trend Micro):

Title: Tracking Trends in Business Email Compromise (BEC) Schemes

Description: In May, 2017, the Federal Bureau of Investigation (FBI)
released a public service announcement stating that Business Email
Compromise (BEC) attacks have grown into a US$5.3 billion industry. By
2018, we predict that the number will exceed $9 billion. This growing
popularity of BEC among cybercriminals can be attributed to its relative
simplicity-it requires little in the way of special tools or technical
knowledge to pull off, instead requiring an understanding of human
psychology and knowledge of how specific organizations work.

09:45 - 10:30: Jean-Ian Boutin and Matthieu Faou (ESET):

Title: Investigating a snake disguised as a mosquito to bite diplomats in
eastern Europe

Abstract: For about two years, we have been actively tracking Turla
activities. Turla, also known as Snake, is an espionage group known for
targeting officials, including diplomats and militaries, all around the
world.

A few months ago, we identified a new campaign targeting MFAs and
embassies in Eastern Europe using fake Flash installers *apparently*
downloaded from Adobe's website. Based on the techniques used and
the similarities in the code of the malware, we believe this campaign
was effectively run by Turla.

The usage of fake Flash installers to trick the user into installing
malware is a typical TTP of many threat actors. However, this time,
Turla operators went even further in tricking the user: we found
evidence that, from the endpoint perspective, the malware was downloaded
over HTTP from the legitimate Adobe domain used to distribute Flash.
Also, the IP addresses belong to Akamai, the CDN Adobe uses, and are
used to distribute legitimate Flash installers. Thus, it is not a simple
DNS hijacking.

In this presentation we will discuss the different possibilities that
could lead to this kind of behavior. After some discussions with the
Adobe security team, who confirmed they were not breached, we quickly
discarded the possibility of a compromise of their website. Thus, the
attacks range from a local MitM attack to collusion with an ISP (or
its compromise). We will also compare these possibilities with other
attacks we have already seen in the wild. For instance, Gamma Group, the
company selling the FinFisher spyware, has a product that ISPs can use
to inject malware into network traffic. The NSA also has such
capabilities with their attack suite called Quantum, which is able to
perform Man-on-the-Side attacks. However, to our knowledge, it is the
first time Turla has been spotted using this kind of technique.

We hope this will start further discussions for a better understanding
and better mitigations of similar campaigns.

Finally, we will detail the backdoors used in this campaign, which
include a Win32 backdoor and a JScript backdoor. We will also share
interesting Indicators of Compromise that can be used during an incident
response process.

10:30 - 11:00: Break

11:00 - 11:45: John Bambenek (ThreatStop):

Title: Cryptocurrency Scams: What They Teach us about our Blindside in
Mobile Malware

Description: We all know there has been a huge increase in the value of
Bitcoin and cryptocurrency generally. There have always been scams and
direct theft in the cryptocurrency space, but they have increased greatly
as values soared. This talk will cover several cryptocurrency scam
campaigns using the mobile platform that have not been adequately
addressed by machine learning and other techniques companies have
deployed in the various play stores. I'll cover what we can do to better
protect the mobile application ecosystem.

12:00 - 13:00: Lunch

13:00 - 13:45: Paul Melson (Target):

Title: Tracking Script Kiddies & APTs With Beer Money

Description: In May 2017 I bought a Pastebin Pro subscription on sale
and started scraping Pastebin looking for malicious binaries.
Approximately 80% of what I've collected over the last 9 months is
commodity malware. The other 20% is more interesting. I'd like to tell
both stories: one about automating analysis and collecting intel on
infrastructure, and one about a few of the unique and interesting things
that I found by searching for a handful of encoding and obfuscation
techniques. I will open source the scraper and back end processing code
in conjunction with the talk.

13:45 - 14:15: Tim April (Akamai):

Title: Overview of the WireX botnet

Description: In August 2017, an Android-based botnet dubbed WireX
popped up and started attacking all sorts of sites, mostly at layer 7.
Akamai noticed the attacks and worked with others in the industry to
identify the malware, track the attacks and then to ultimately remove it
from the infected devices. This talk will go over the details of the
botnet as well as some lessons learned about collaborating on public
work that involves multiple companies including competitors.

14:15 - 14:45: Break

14:45 - 15:30: Pierre-Marc Bureau (Google):

Title: Safe Browsing

Description: This presentation provides an overview of the work done by
the Safe Browsing team to protect users from malicious downloads.

We discuss some of the most prevalent threats that are being distributed
through the web as well as common evasion techniques that were recently
observed.

15:30 - 16:15: Kent Bachman (Independent Researcher):

Title: The search for 6Tykz's Mom

Abstract: In this talk there will be nation-state sponsored backdoors, a
keylogger, a CVE, and then 6Tykz's Mom might actually show up. Beyond
that, I won't say much on a public web page (even if not indexed by
search engines), because postponing a malicious developer's face-palm
moment as long as possible is probably a good thing.

16:15 - 17:00: Dave Dittrich (University of Washington):

Title: Overview of Distributed Incident Management System (DIMS)

Abstract: I'm now looking at using the products (which I've continued to
develop on my own after my grant ran out) as a platform for helping
secure the 2018 or 2020 election cycle. It is based around the Trident
portal. I have an almost working end-to-end DevOps CI/CD system using
DigitalOcean droplets that will take Trident source code from GitHub,
compile it with Jenkins, install it with Ansible, into a Trident server.
I have a few more bugs to work out, but I'm getting close.

You can read more about what I'm trying to provide here (in the "What's
Not Being Done (Yet)" section):

https://medium.com/@dave.dittrich/securing-the-2020-election-process-part-2-962ed2aff69e

The code and related documentation is here:

https://github.com/davedittrich/ansible-dims-playbooks.git

Katherine Carpenter and I are using it for a project focused on how to
deal with secrets (passwords, keys, certificates, etc.) in open source
software projects. That's another aspect of the talk.

17:00 - 17:15: Fergie: Closing Comments