First results from The Standoff: red teams hacked the airport, the municipal system for fines and damages, and the petrochemical plant
11/14/2020
The first two days of the event also included over 30 presentations given by information security experts, which were viewed by over 13,000 participants around the globe.
Is it possible to trigger a blackout in a megapolis the size of Moscow or New York? Many researchers in information security believe they could do it in just a few days. On The Standoff cyber-range, those claims can be verified. In the course of the six-day cybersecurity marathon, hackers search for weaknesses in the power grid of a digital mock-city, do their best to derail trains, and see if they can successfully disrupt the operations of an airport.
A third of the event has already gone by. The attackers have managed to compromise the oil field and petrochemical plant, as well as the IT systems of the airport and business center. Meanwhile, information security experts have given a multitude of fascinating presentations to eager viewers. We've learned how to hack a smartphone with a lighter, install video games on a point-of-sale terminal, and make an AI confuse a car with an ostrich. Keep reading to learn more!
Online apocalypse
A mere 2 hours and 50 minutes after the beginning of the confrontation, team back2oaz already managed to penetrate the network of the Nuft petrochemical plant (it attracted 60% of all attacks on the first day). back2oaz also succeeded in gaining access to the computer of the director of the Oil Department and stole files containing information on tenders.
Another battalion of keyboard-armed gladiators, DeteAct, managed to disrupt the ticket sales system of the mock-city's airport. Now passengers are unable to buy tickets online. The attackers also caused failures in the airport's check-in system, and passengers who have already purchased a ticket have found themselves unable to check in for their flights from their personal accounts—even when using the form of an airport employee. On Thursday night, the city's business center was attacked twice. Teams SpbCTF and n0x broke into the city portal database within two hours of each other and deleted information on fines and damages owed by citizens.
"Classical CTFs can't solve the big problems that we face in everyday life—they are focused entirely on theory. The Standoff is an opportunity to examine the real issues that face us—things like failures of medical equipment or problems at oil loading stations, which, of course, are much closer to reality." — Hack in the Box CEO Dhillon Andrew Kannabhiran.
"The Standoff isn't just a platform for cybersecurity training— it's an environment that models key IT processes. Organizations can "bring" part of their IT infrastructure to the platform, call in information security experts from all over the world, and those experts will help identify and fix the systems' vulnerabilities before they "burst" into real life and ravage a business." — Andrew Bershadsky, director of the Positive Technologies Competency Center.
Hardcore: Snake on a POS terminal and how to hack a smartphone with a lighter
Generally speaking, the devices around us run on old and insecure operating systems. This is certainly true of POS terminals, which we use to make purchases in stores every day. Independent researcher Danila Parnishchev spoke about the security shortcomings of Verifone equipment that uses the Verix OS. Parnishchev connected to a POS terminal via an HDMI cable then used an exploit to load on a game application, allowing him to play Snake on the terminal. If a hacker wished, they could load malware onto the terminal instead of an innocent video game classic.
The topic of hardware vulnerabilities was continued by Indian IoT security researcher Arun Magesh, who spoke about the technique of electromagnetic fault injection for hacking the Android MDM system. MDM policy imposes restrictions on the developer mode; factory settings are blocked, and Recovery and Bootloader modes are also all blocked. Using a $1.50 gas lighter, Magesh induced various electromagnetic effects (including Jacob's ladder and electromagnetic jamming), then targeted the memory of his test device. After several attempts, Magesh caused the kernel to crash and was able to enter modes that allowed him to install his own firmware and read the contents of the eMMC.
Another notable presentation was given by ESET Senior Malware Researcher Robert Lipovsky, one of the authors of the disastrous Kr00k vulnerability, which has affected billions of Wi-Fi–enabled devices. His research began with the discovery that some versions of popular Amazon Echo and Kindle devices were vulnerable to the key reinstallation attack (KRACK). However, it later became clear that the problem was not in the software of the devices, but in the hardware of the Wi-Fi chipsets themselves. The problem, as it turns out, reaches far beyond the devices with which Lipovsky initially began his investigation: the vulnerability affects over a billion devices from Apple, Samsung, and other companies that use the vulnerable chipsets.
Big-data threats were also a popular topic of discussion. Ilya Shumailov, a PhD candidate at the University of Cambridge, spoke about attacks on neural networks. Neural networks require a large amount of energy to work—a fact that can be exploited and utilized. Shumailov explained how certain malicious input parameters (called sponges) can be created and used to sharply increase energy consumption. Ilya demonstrated the shocking vulnerability of modern machine learning systems to such attacks.
Ever since the advent of hacking, hackers have been searching for ways to go unnoticed by machines. Hyrum Anderson, principal architect of Azure Trustworthy Machine Learning at Microsoft, spoke about evasion attacks on computer vision systems, as well as their evolution. Despite the fact that the basic principles of such attacks have remained unchanged since their inception, the tactics involved have evolved from methods of manual circumvention to automated approaches in just the past year. Machine learning models have blind spots that can be exploited: for example, hackers can use exploits to make an AI confuse an image of a car with an ostrich.
Advertising networks are also popular targets for hackers. Security Scorecard researchers Doina Cosovan and Catalin Valeriu Lita presented an analysis of the security risks that may arise when advertising traffic is redirected through a "funnel." Experts have shown that cybercriminals can easily penetrate mobile advertising infrastructure to conduct attacks on users targeted by certain advertisers. For example, hackers can use malicious SDKs to collect data on mobile device users, then sell those data on the black market.
The impact of COVID-19 on business and information security, tips for the IS community, and how to improve IS processes
Artyom Sinitsyn, Microsoft head of information security programs in Central and Eastern Europe, participated in the press briefing "Cybersecurity training and the digital world." He noted that one important consequence of the COVID-19 pandemic for business has been a significant accelerations of business processes:
"In just two months, organizations were forced to undergo a transformation of their digital technologies that would have otherwise taken two years. The speed of this transformation will inevitably have implications for security. However, already attackers have been able to exploit the fear and uncertainty that current events have caused among their victims. The most significant shifts in the development of the pandemic have coincided with a significant increase in the number of cyberattacks. It's hard not to be awed by the speed with which attackers respond to the news cycle: while we're still reading a headline, hackers are already exploiting the topic in real attacks around the world. Phishing attacks have become much more frequent—the focus has shifted to them."
Alexey Novikov, director of the Positive Technologies Expert Security Center (PT ESC), confirmed that the number of cyber incidents is growing from year to year, and that the trend is not likely to take a downward turn any time soon. Novikov states that "the number of incidents is growing and growing along with the development of digitalization. Considering this trend, it is essential that information security keeps up with development in IT."
"Currently, according to our best estimates, attackers can externally break into the systems of 97% of companies within 4 days. Sometimes, all they need is 30 minutes. That gives you a sense of the speed with which IT and IS services have to detect and respond to attackers," Novikov added.
"Intimidation tactics don't work anymore. Instead, we need to raise our IS standards and give users the opportunity to control their own security," says Net-Square CEO Saumil Shah. Shah noted that there are already examples of this approach: WhatsApp does not use passwords, and Gmail provides users with full account authorization logs. This approach rather resembles the issuing of bank statement—the bank informs its client of all the transactions on his or her account, then it is the client's responsibility to identify suspicious transactions and take appropriate measures. Through this process, trust is built.
Clint Gibler, PhD in computer science at the University of California, Davis, heads the security research group for the startup r2c. He presented a fully fleshed-out plan for the step-by-step improvement of corporate information security processes. Gibler believes that automated tools can be trusted to handle simple errors; many low- and medium-risk vulnerabilities can be addressed using bug bounty programs; complex problems are best addressed via pentesting; operability monitoring can help identify bugs that are more difficult to find.
Big companies like Microsoft and Starbucks have directed their attention to the huge number of forgotten sites that can be used to conduct attacks. The situation with "hanging" DNS records on the Internet was reviewed by leading Microsoft security engineer Andrey Belenko, who helps ensure the security of Microsoft 365 products and Microsoft Teams client applications. It is important to remember that domains can have multiple subdomains that cross-reference each other. As soon as an organization no longer needs a certain domain, other individuals can take it over and exploit the trust of users who visit connected resources. Organizational red teams must be sure to maintain a high level of asset transparency and remember that using more than one cloud provider greatly increases the likelihood of confusion and resulting problems. Andrey Belenko underscored the seriousness of this problem, which was earlier investigated by specialists at Starbucks.
The driving force behind information security is often the field's thriving community of independently operating professionals. Anton Kutepov, senior specialist of the Positive Technologies Expert Services and Development Department, spoke about the Open Security Collaboration Development (OSCD) initiative. He shared a story about a group of IS enthusiasts who decided to organize two-week sprints to write rules for the Sigma project. The Sigma project aims to develop a unified format for describing the rules for SIEM systems, and is supported by over 140 active participants. All results are available for download. "The OSCD initiative shows that if we each make a small contribution, we can build a safer world," concluded Anton.
Boris Savkov, one of the founders of the RUSCADASEC group, noted that community can be an important source of knowledge to fill in the gaps of what's offered at colleges and universities. When formal education falls short, communities of cybersecurity enthusiasts can come to the rescue. Alexey Sintsov, founder of the hacker community Defcon Russia, stressed the importance of user activity and lively interaction within communities, which affects both the connections between users and the experience that they gain.
In an address to newcomers in the IS community, Hack In the Box CEO Dhillon Andrew Kannabhiran stressed that a hacker must never give up and must be ready to go to the ends of the earth to find the solution to a problem. Otherwise, he continued, a hacker can never reach farther than the madding crowd, which is always willing to give up a difficult task in favor of a simple one with promise of a quick reward. "Hacking is a mindset, a special approach, a spiritual state—the ability to move forward patiently and yet never cease to learn—be it how to use a particular tool or technique, how to work with an SOC, or something else," he said.
Another topic of discussion was the low standards of information security at most large companies. During the round table "Choosing a commercial SOC 2.0: SOC it to 'em," Anton Yudakov, operational director of Rostelecom Solar's Solar JSOC Center for Cyberattack Monitoring and Response, noted that if IT specialists and other employees responsible for a company's cybersecurity are asked how many Windows hosts their company has, the answers vary greatly. No one really knows for sure. "The separation of responsibility into isolated zones is a scary thing," agreed Alexey Novikov, director of the Positive Technologies Expert Security Center. "We have seen cases in which Marketing Departments hire contractors to build sites using popular engines. These resources, which we often encounter in our investigations, are then forgotten, and over time they come to teem with vulnerabilities. And that's just one possible blind spot."
Alexey Malnev, head of the Jet CSIRT Center for Monitoring and Incident Response, noted that SOCs can be compared to factories in which the conveyor belt is the central element. Workflow automation in SOCs can be implemented using IRP and SOAR platforms, and the sources of SOC information can be SIEM systems, threat intelligence, threat hunting, and OSINT tools. The conversation also touched on the trend of moving corporate segments to the cloud. Alexey Novikov noted that, when selecting a cloud service, companies need to take into account the provider's information security capabilities and their readiness to connect security and monitoring tools in the exact configuration requested by the company.
Alexey Novikov, director of the Positive Technologies Expert Security Center (PT ESC), presented the current results of the Standoff from the point of view of an SOC. During the first day of the confrontation, the blue teams succeeded in detecting 28 security incidents. Most of these detections were by blue team members from the offices of Tube, Heavy Ship Logistics, and 25 Hours. Every third incident detected was an attack on web applications, and every fifth was a successful brute-force attempt. We also saw the first results from the Business Center. It took the CT&MM blue team four hours to conduct their incident investigation and send a report to the jury. As part of the bug bounty, two-thirds of all vulnerabilities detected were found in the offices of Nuft and Big Bro Group. Meanwhile, the attacking teams succeeded in triggering four business risks in the city's infrastructure: these affected the oil field and petrochemical plant and the IT systems of the airport and business center.
The Standoff cyber-battle will reach its end on November 17. Until then, every day will be filled with engaging presentations given by information security experts. Tune in and participate at standoff365.com or via Twitter, LinkedIn, Facebook, and YouTube. Come and join in on the fun!