News
Open letter to the research community
Dear all,

In light of recent events, we have received many words of encouragement in comments on social media, through direct messages, and over the phone. We truly appreciate your support. It means a lot to us.

Over the years, we have detected and helped fix a huge number of vulnerabilities in applications and hardware from almost all renowned vendors, such as Cisco, Citrix, Intel, Microsoft, Siemens, and VMware. All this would be impossible without close collaboration with the best infosec researchers, or without vendors’ proactive approach and willingness to cooperate with research centers like ours in fixing all detected vulnerabilities. In line with the responsible disclosure policy, we only announce new vulnerabilities by agreement with vendors, and only after the vendor itself confirms it has fixed the bug and delivered the patch to customers. We believe this approach makes our world better and more secure.

To unite our community, we started Positive Hack Days (PHDays), the biggest international security forum in Russia. Cybersecurity specialists and business leaders now have an opportunity to connect with white hats and cybersecurity geeks who know firsthand what a true pentest is and are willing to share their experience. To gain more practical knowledge on how cybercriminals operate in actual life, every year for more than a decade now, we have held The Standoff, an attackers-vs-defenders cyberbattle set in a real-world environment. Only this way, under hyper-realistic conditions, is it possible to learn how infrastructure components can be attacked and how to protect them. The Standoff and PHDays threw their doors open to capture-the-flag (CTF) teams from many countries, including Russia, the U.S., Kazakhstan, India, Japan, and the UAE. Even the world’s top CTF teams, such as PPP, Carnegie Mellon University’s competitive hacking team, have sharpened their skills in cyberexercises at The Standoff cyber-range.
Following our principle of open knowledge for the community, we made the event available to everyone. All-comers could watch videos of interesting talks, try their hand at detecting vulnerabilities or warding off a cyberattack, as well as freely monitor the cyberbattle traffic and take this expertise away with them so as to better protect their companies, develop efficient antihacker products, and create more secure solutions and components.

Openness of information and knowledge, responsible disclosure, and a hands-on approach to cybersecurity are our key values. As such, we cannot but promise hot new infosec research, continued wide support for the community, and a host of new interesting conferences.

Thank you very much for your support, and see you all at PHDays 10! Please also go check out our collection of best infosec findings in the past three years, and share it with your colleagues.

Denis Baranov, Managing Director, Head of Research Department at Positive Technologies
PHDays 10 contests: hacking ATMs, security systems, and smart contracts; machine learning capabilities and vulnerabilities
As the pandemic recedes, the PHDays forum returns in May in near pre-Covid format: with interesting talks, The Standoff cyberbattle, and, of course, traditional competitions. Anyone can take part in the open contests—all you need is a laptop, curiosity, and enthusiasm. For security reasons, we suggest taking part in all events online.

There will be an opportunity to practice attacks on banking systems in the Payment Village, where our experts will explain various payment devices and their vulnerabilities. In the special demo zone, guests will be guided through attack scenarios on ATMs and POS terminals. The Payment Village is supported by IsimpleLab, Azbuka Vkusa, and ARinteg.

Blockchain Track will bring together enthusiasts of blockchain security and decentralized finance (DeFi) to talk about how cryptocurrency exchanges get hacked, analyze the subtle vulnerabilities in smart contracts, and share their opinions on security methods. Also up for discussion will be issues of scaling blockchain networks and development prospects for L2 solutions. As a smart contract hacker, you can test your skills in the DeFi Hack online competition (requires a local Ethereum client or the MetaMask browser extension).

The rapid development of artificial intelligence (AI) technologies and their implementation in information security are bringing new opportunities as well as new threats. In the AI Track section, you can listen to reports on the topic of AI in security. We have invited experts to share their experience of applying machine learning (ML) for security, and researchers to tell about the risks of AI-driven solutions. Meanwhile, the AI CTF competition will introduce infosec specialists to various ML techniques in capture-the-flag gaming and demonstrate the vulnerabilities of ML-based services. The tasks of varying complexity will be of interest not only to experienced CTF players, but also to beginners who want to get a handle on the topic.
The Network Village will provide a platform for expert presentations on the topic of network security. At the stand, fans of security system robustness testing will be able to take part in the IDS Bypass contest. Participants will try to hack five vulnerable nodes and capture all the flags. The task is complicated by the intrusion detection system (IDS), which monitors traffic and blocks attempts to attack the network. The vulnerable services are selected so as to force competitors to focus on bypassing the IDS.

The number of participants in the contests is limited. To register your participation, please fill out the form. Stay tuned for more details about the contests in the near future. Follow our news and train your brain before battle commences!

This year, PHDays is co-organized by Innostage, which specializes in multidiscipline IT solutions. The forum's business partners are Rostelecom-Solar, a Russian provider of infosec services and technologies, and MONT, which distributes software for any business. PHDays technological partners are Russian supermarket chain Azbuka Vkusa, e-payment service RBC.money, and remote banking software developer iSimpleLab. Represented at the PHDays exhibition will be Axoft, Crosstech Technologies, ICL, OCS Distribution, R-Vision, Security Vision, and Infosystems Jet. The competition program partner is ARinteg.
Ticket sales for Positive Hack Days 10 open
On May 20–21, Moscow will host the tenth anniversary Positive Hack Days forum. Every year, this event attracts thousands of visitors—for example, last year's PHDays housed more than 8,000 people. This year, the forum organizers have decided to hold the event in a hybrid format: some of you will be able to attend it in person, and some will be able to watch a live online broadcast. You can register and buy a ticket for the two days of the forum right now on the event's website.

"This year, we have set ourselves the task of organizing one event in two formats: first, there will be a good old offline get-together with a small number of participants: we are selling only a little more than a hundred tickets for PHDays. And for those who will be with us online, we have planned a large-scale broadcast, which will allow you to see the main halls and backstage of the forum, to feel the effect of total immersion," explains Victoria Alexeeva, Positive Hack Days Producer.

Ticket holders will be able to listen to presentations, personally communicate with the conference speakers who will come to Moscow, and try their hand in the traditional competition program. Also, a ticket for the conference gives you the opportunity to visit The Standoff, a cyberbattle which will take place during the Positive Hack Days at the event's venue at the Hyatt Regency Moscow Petrovsky Park Hotel. Read more about what is planned in the program in our previous news.

How else you can get to PHDays 10: First, anyone who bought a ticket to the Positive Hack Days planned for 2020 and has not returned it can use it to attend the forum in 2021. Second, as always, one of the ways to participate is to make a presentation. Both recognized experts and novice specialists can present the results of their research. Call For Papers has already started, so make sure you submit your applications by March 28.
Positive Hack Days opens Call for Papers: become a speaker!
Sign up and submit your proposal at cfp.phdays.com by March 28. Make the cut to speak at Positive Hack Days, which celebrates its tenth anniversary this year! The central theme of PHDays 10 is The Origin. Join us in envisioning the future of information security. Doing so means starting with the practical questions and issues of today.

Topics this year will include:
- Vulnerability detection and exploitation
- Attack prevention and resilience
- Architectural issues with modern computing systems
- Incident detection and investigation
- Threat intelligence and threat hunting
- OSINT
- Cybercriminal investigations
- Real-world experience with building out IT security processes
- Secure development: serverless and cloud apps, microservice architectures, AI
- Formal application security models
- Security risk management for software developers
- Security of BIOS/UEFI and other firmware
- Evaluation of information risks for business
- Identification of pain points in business processes
- Methods for developing a security strategy

If your research focuses on other aspects of information security that you think will be of interest to the audience, we encourage you to apply.

How to present

You can share your findings in any of the following formats:
- Talk (50 minutes)
- Fast Track (15 minutes)
- Hands-on Lab (up to 4 hours)

Options include:
- Send a video of your talk. After evaluation, the review board will include the video in the forum stream.
- Speak live from anywhere. We will help to test your connection quality ahead of time.
- Give your talk at the forum venue in front of a small audience. Due to pandemic-related restrictions, the number of offline visitors will be smaller than in past years.

PHDays talks will be broadcast on The Standoff, the same platform we used for the conference and cyberbattle in 2020. The Standoff, as a brand, will be a full-fledged partner of the forum.

How to apply

If you're interested in speaking, apply at cfp.phdays.com. Your proposal should include:
- Name and country of residence of the speaker (speakers)
- Contact information (email address)
- Title and brief summary of the talk
- Biography

We encourage sending any abstract, presentation, additional materials, illustrations, or utilities that may help us to evaluate your work. If your research has already been published, specify the relevant conference, journal, or website. If you know about similar works by other researchers, list them and indicate how your approach is different. Please inform us if you can only share some slides but cannot provide the full research paper. You may submit as many proposals as you want. Each proposal will be considered by an international review board of independent researchers and leading IT experts.

We look forward to seeing you at Positive Hack Days!
Positive Hack Days 10: The Origin to take place on May 20–21, 2021
The iconic Positive Hack Days forum will open its doors on May 20–21, 2021, at the Hyatt Regency Moscow Petrovsky Park. This year we will not just talk about attacks and defense, we will take on the audacious role of writers of history, describing transformation and the beginning of a new era. The event will be held in a hybrid format: some will be able to attend it in person, and some will be able to watch a live online broadcast. The broadcast will allow you to view the main halls and backstage of the forum from different angles through dozens of cameras and experience total immersion thanks to the filming that is on a par with the TV format.

Russian and foreign developers, representatives of governmental authorities, CIOs and CISOs of the largest Russian and international companies, leading experts from banks as well as telecom, oil and gas, industrial, and IT companies are going to speak at PHDays. The program consists of dozens of presentations, workshops, hands-on labs, round tables, and lectures. The forum will traditionally include a large-scale competition program developed by leading cybersecurity experts, based on all the wide experience of conducting PHDays. Contests are an important part of the event: they visualize the infosec threats around us.

"We came up with the concept of The Origin last year, but time has shown that it happened a bit prematurely: it should take place right now. And this is associated not only with the post-COVID era and the dramatic increase in the importance of digital technologies, but also with the overdue necessity to reassess the information security model, which will change the established infosec role in business," said Vladimir Zapolyansky, Director for Marketing and Corporate Communications at Positive Technologies.

In 2020, The Standoff, the world's largest open cyberbattle, separated from PHDays and became an independent activity.
This year, The Standoff will become a full-fledged partner of the forum for the first time. The Standoff cyber-range is a digital replica of a modern metropolis, emulating the real city infrastructure with its industrial and energy complexes, financial system, banks, transport infrastructure, entertainment facilities, and business center. The virtual city will become a battleground for red and blue teams and will clearly demonstrate how important it is for today's businesses to have a risk-oriented information security strategy. The battle will take place on May 17–21, and its results will be given wide publicity within the PHDays framework.

"Technologies are not easy to visualize because we can't always show their internals in the form of servers, cables, and light bulbs, and we are working towards the solution," says Vladimir Zapolyansky. "At The Standoff you can clearly convey to any audience the idea of how technology is woven into the modern city and into our lives and how dangerous the consequences of cyberattacks may be. It is a place to try out any hypotheses, a place where anyone can anticipate and avoid catastrophic consequences in real life."

"Positive Hack Days reflects the expertise and knowledge content of the IT and IS industries in Russia. Every year, the role of IT in the world is growing, and technology is developing at an incredible pace. That is why we believe that The Origin, the central theme of the event, should be put forward now, in the Year of Science and Technology in Russia," says Victoria Alexeeva, Program Director of Positive Hack Days.

See you on May 20 and 21 at PHDays!
EPAM Systems’ Zed Conference Brings Cyber Security to The Agenda through The Standoff Cyber Range
To raise cyber security up the agenda for their event attendees and customers, EPAM Systems’ Zed Conference partnered with The Standoff cyber range to demonstrate the risks and vulnerabilities presented by cyber attacks firsthand.

On Tuesday 3rd December Vladimir Zapolyansky, CMO of Positive Technologies, was invited to Zed Conference to summarize the results of The Standoff cyber-range event. Vladimir was joined by Sam Rehman, SVP Chief Information Security Officer at EPAM, and Adam Bishop, Director IT Security at EPAM, to discuss the highlights of The Standoff cyber-range, which took place virtually across three continents on 12-17 November.

The Standoff saw 250 cyber security experts compete, as 29 attacking red teams faced off against six defending blue teams in a one-of-a-kind cyber range competition. The full-fidelity cyber-range built for The Standoff contains the same hardware and software as a real city, including an airport, amusement park, gas distribution company, oil company, power plant and more. The objective is to pursue a new risk-orientated approach to cyber security, uncovering threats in a realistic environment that demonstrate the importance of defense and make security products smarter.

Adam Bishop, Director, IT Security at EPAM said: “Security is a major track featured at this year’s EPAM ZED conference. It is important to highlight EPAM’s participation in the Standoff, a unique and rewarding experience for our offensive and defensive teams.”

Vladimir Zapolyansky, CMO of Positive Technologies said: “The purpose of The Standoff competition is to raise awareness of the vulnerabilities and security risks that exist in the real world. We have created the most realistic cyber-range environment in the world to replicate potential attack scenarios and educate businesses on how to protect themselves.
“The collaboration with Zed Conference brings this one-of-a-kind experience to their audience, helping them to gain a practical understanding of how cyber attacks work. I would like to thank our partners at EPAM who have collaborated with us to make The Standoff a success and helped to promote our new approach to cyber security.”

Catch up on the highlights and insights of The Standoff shared at Zed Conference here.
The Standoff wraps up: only port and railroad unscathed by attacks
Six days of more than 70 talks and roundtables brought over 20,000 visitors

By the end of the last day of the battle at The Standoff, attackers had successfully breached the perimeter of all six organizations and gained persistence on corporate networks. But they had a harder time with triggering business risks thanks to the work of experienced defender teams. Systems were taken offline at the airport, amusement park, gas distribution station, oil company, and power plant. The business center and bank were hit as well. While hackers were able to show materials of their choosing on billboards, the port and railroad remained intact. Here we will give our round-up of all the action at The Standoff.

Online talks included experts speaking on such topics as gaining physical access to a building, faking a voice in five seconds, recovering ransomed files, intercepting smartphone data on 5G, and much more.

Meanwhile, in the cyber-range competition, the winning attacker team was Codeby (27,123 points), followed by back2oaz (24,463 points) and DeteAct (18,508 points). Collectively, the attackers were able to trigger 47 percent of all the risks that had been designed. Of the 24 unique triggered cyber-risks, 2 were novel and unanticipated by the organizers. The jury accepted more than 50 task completion reports from attacker teams. Defender teams were able to detect more than 200 security incidents on their respective infrastructures. Incident detections were highest for the teams IZ:SOC and CT&MM. The teams performed 21 investigations. The average investigation took 11 hours and 50 minutes from start to finish.

All of the mock city's companies had to grapple with the aftermath of cyberattacks. Here are some of the most serious cases:
- At the Nuft petrochemical plant, an accident led to toxic leakage. Attackers were able to gain access to the plant's controls and closed the refrigeration intake, which caused overheating and disrupted the chemical manufacturing process. Soon after, the attackers were able to halt the process entirely.
- A cyberattack disabled oil extraction equipment, causing production to stop. The attackers also accessed the oil storage controls and disrupted the process for transport of oil to storage tanks. They later were also able to disable the controller responsible for managing petrochemical transport.
- At the 25 Hours amusement park, the Ferris wheel fell over. A team gained access to the controls and increased the rotation speed to the highest value, causing the Ferris wheel to collapse. They finished by disabling the Ferris wheel's controller and turning off lighting to prevent visitors from leaving.
- Bank attacks enabled theft of funds from individuals' accounts, as well as theft of data regarding bank clients (name, account balance, card PAN, etc.).
- Valuable documents were stolen from two companies.
- Employee personal data was stolen from five companies.
- During the closing minutes of the competition, back2oaz accessed climate controls for the office buildings and could change the temperature settings.

Some risks were made possible by poorly protected corporate websites. These include disruptions to the amusement park's online ticketing offices, as well as plane ticket sales and passenger check-in systems on the airport website. However, the majority of risks required first accessing the company's local network. Here, too, we see that attackers started by looking for vulnerabilities in web applications in order to breach infrastructure. Defender teams reported on successful attempts to exploit such vulnerabilities. The first vulnerability was found by n0x in a Nuft system just 19 minutes after the start of the competition. The jury received a total of 433 bug bounty reports. Almost half were SQL injection, while a quarter involved remote code execution. Two thirds of all vulnerabilities were found at the city's Nuft and Big Bro Group.
The largest number of risks (8) was triggered at 25 Hours, the mock company that owned the city's business center, HVAC system, traffic lights, and amusement park. The runner-up, with seven unique risks triggered, was oil company Nuft. Only the railroad and port escaped unscathed.

Life and limb at risk in one third of cases

According to Maxim Filippov, Director for Russian Business Development at Positive Technologies, a third of the risks at the cyber-range could have caused some form of physical harm to people. At the Kommersant business session during The Standoff, he noted some of the novel aspects added to this year's competition. Filippov said: "Every business modeled on the cyber-range has certain risks associated with it: disruption of operations, leak of personal data, loss of confidential documents, and so on. There are no ready-made attack vectors here. Instead, we create a space for red teams with freedom of action to hack and probe systems. We observe as they hack, analyze traffic, and build their attack chains. The result is valuable insight that then gets distilled into our products."

Dmitry Serebryannikov, Director of Security Analysis at Positive Technologies, added: "We did not expect half of the risks to be triggered. That's a lot, particularly given that we had little time. This year, the level of attackers has really increased."

Mikhail Pomzov, Director of Knowledge Base and Expertise at Positive Technologies, explained in more detail: "This year, the job of defenders was to prove their ability to monitor an incident at every stage. Their overarching aim was to keep an eye on the functioning of services and, as quickly as possible, fix any disruptions caused by the attackers' actions. The defenders were evaluated based on the number of attacks they detected, average incident investigation time, and infrastructure uptime—after all, the longer that services are down, the worse defenders are coping and the more damage is being done by attackers."
Hacking doors, banks, and 5G

Many hackers dream of gaining physical access to hardware or facilities. Robert Sell, President of Trace Labs, in his talk described the eight steps taken by attackers to obtain physical access to a facility of interest. He showed how criminals (or pentesters) scope out their target, along with the pretexts they have ready in case they are caught. He also talked about tools for breaking and entering, plus ways to cache them in the target building for later use.

Today's banks should be less worried about their vault doors and more about their information security. Timur Yunusov, Head of Research at Cyber R&D Lab, demonstrated how many banks are poorly protected against fraud, complete with real examples of attacks on European banks costing hundreds of thousands (or even millions) of euros. Timur analyzed the typical mistakes made by security and risk management teams in the financial sector, along with real-world advice on how to avoid issues. The latest and most complicated solutions—such as machine learning—are often unneeded when it comes to stopping many threats to banks. Instead, banks simply need to follow time-proven steps to address specific vulnerabilities and take a hard look at how much they lose from specific attacks in order to prioritize security efforts.
The Standoff approaches its climax: red teams hack city billboards, rob the bank, and trigger an emergency at the petrochemical plant
The last two days also included 15 talks given by information security experts

Disaster has struck the cyber-range at The Standoff! Attackers successfully transferred money from the bank cards of mock-city residents to their own accounts, froze production at the petrochemical plant, and caused a system failure at the airport. By the end of the fourth day, 13 different business risks had been triggered. Meanwhile, in a much calmer but no less exhilarating environment, The Standoff expert speakers discussed current threats to information security, many of which bear relation to COVID-19. These include vulnerabilities in medical image-recognition systems, problems with IP telephony and video conferencing products, and attempts to hack VPNs.

A hot day at the factory

Red team back2oaz continued their attack on the Nuft petrochemical plant. This time, they gained access to the plant control system, allowing them to close off the inlet valve to the refrigeration circuit. This led to overheating and disrupted the plant's chemical production processes. But the attack didn't end there—soon back2oaz succeeded in completely immobilizing the production process. Were this attack conducted on a real petrochemical plant, and not just in the mock-city of the cyber-range, the situation could lead to the injury and death of factory workers, as well as to toxic spills causing environmental pollution.

Attackers once again compromised the systems of the airport in Heavy Ship Logistics: team Hack.ERS succeeded in breaking into the system and making away with passengers' personal data. On Friday night, the blue teams submitted 17 reports on registered incidents. A third were attacks on web applications. The defenders managed to submit 4 reports on incident investigations. On average, blue teams have required nine hours to investigate detected incidents.
Earlier this week, the defenders of the business center were the first blue team to submit an incident investigation report, which cataloged the deletion of fines and damages data from the center's computer system. The team took additional time to investigate the incident in detail and understand how each of the two red teams conducted their attacks. It's certainly no easy task to sort out the details of two attacks that took place at practically the same time! On the second day of the event, red teams submitted 63 reports on identified vulnerabilities. They found the greatest number of vulnerabilities in the systems of the companies Nuft and Big Bro Group.
First results from The Standoff: red teams hacked the airport, the municipal system for fines and damages, and the petrochemical plant
The first two days of the event also included over 30 presentations given by information security experts, which were viewed by over 13,000 participants around the globe.

Is it possible to trigger a blackout in a megapolis the size of Moscow or New York? Many researchers in information security believe they could do it in just a few days. On The Standoff cyber-range, those claims can be verified. In the course of the six-day cybersecurity marathon, hackers search for weaknesses in the power grid of a digital mock-city, do their best to derail trains, and see if they can successfully disrupt the operations of an airport. A third of the event has already gone by. The attackers have managed to compromise the oil field and petrochemical plant, as well as the IT systems of the airport and business center. Meanwhile, information security experts have given a multitude of fascinating presentations to eager viewers. We've learned how to hack a smartphone with a lighter, install video games on a point-of-sale terminal, and make an AI confuse a car with an ostrich. Keep reading to learn more!

Online apocalypse

A mere 2 hours and 50 minutes after the beginning of the confrontation, team back2oaz already managed to penetrate the network of the Nuft petrochemical plant (it attracted 60% of all attacks on the first day). back2oaz also succeeded in gaining access to the computer of the director of the Oil Department and stole files containing information on tenders. Another battalion of keyboard-armed gladiators, DeteAct, managed to disrupt the ticket sales system of the mock-city's airport. Now passengers are unable to buy tickets online. The attackers also caused failures in the airport's check-in system, and passengers who have already purchased a ticket have found themselves unable to check in for their flights from their personal accounts—even when using the form of an airport employee. On Thursday night, the city's business center was attacked twice.
Teams SpbCTF and n0x broke into the city portal database within two hours of each other and deleted information on fines and damages owed by citizens.

"Classical CTFs can't solve the big problems that we face in everyday life—they are focused entirely on theory. The Standoff is an opportunity to examine the real issues that face us—things like failures of medical equipment or problems at oil loading stations, which, of course, are much closer to reality." — Hack in the Box CEO Dhillon Andrew Kannabhiran.

"The Standoff isn't just a platform for cybersecurity training—it's an environment that models key IT processes. Organizations can "bring" part of their IT infrastructure to the platform, call in information security experts from all over the world, and those experts will help identify and fix the systems' vulnerabilities before they "burst" into real life and ravage a business." — Andrew Bershadsky, director of the Positive Technologies Competency Center.

Hardcore: Snake on a POS terminal and how to hack a smartphone with a lighter

Generally speaking, the devices around us run on old and insecure operating systems. This is certainly true of POS terminals, which we use to make purchases in stores every day. Independent researcher Danila Parnishchev spoke about the security shortcomings of Verifone equipment that uses the Verix OS. Parnishchev connected to a POS terminal via an HDMI cable then used an exploit to load on a game application, allowing him to play Snake on the terminal. If a hacker wished, they could load malware onto the terminal instead of an innocent video game classic.
The Standoff: Black-hat hackers combat!
The Standoff cyber-range has experienced a DDoS attack. The attack on the main website IP address occurred the day before, on November 12, and was successfully filtered out by the cloud service of Qrator Labs, a technology partner of the project. More than a thousand addresses from various networks and regions were involved in the DDoS attack. The top 5 countries were Brazil, India, Indonesia, Russia, and Thailand. The recorded traffic was 500 times higher than usual, but the Qrator Labs cloud service managed to catch everything at the entrance to its filtering network, and website visitors did not notice anything. The attackers' attempt to disrupt cybertraining has failed.

"The DDoS attack on the web resource of The Standoff cyber-range was conducted by using SYN flood. In a fairly short period, attackers sent a large number of SYN connection requests via TCP. The Qrator filtering network blocked malicious traffic sources from the very first request, and the website continuously maintained its working capacity in normal mode. Qrator Labs keeps monitoring the traffic of the largest cyber-range and will protect it from the most sophisticated network attacks," says Artyom Gavrichenkov, CTO, Qrator Labs.
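The two observations in the report above, an aggregate SYN rate far above the usual level and individual sources that send SYN requests without ever completing the handshake, are exactly the signals a defender-side SYN flood detector keys on. The following Python is an added illustration of that logic; it is not code from Qrator Labs, Positive Technologies or The Standoff, and the packet records, IP addresses (documentation ranges), baseline rate and thresholds are all constructed assumptions rather than values from the news item.

```python
"""Toy SYN-flood detector over constructed packet summaries.

Added example for illustration; it is not code from Qrator Labs or The
Standoff. The packet records, IP addresses and thresholds below are
constructed assumptions, not values from the news item.
"""
from collections import defaultdict, deque

# Constructed client-side packet summaries: (time_s, src_ip, tcp_flags).
# A legitimate client sends SYN, then ACK once the server's SYN-ACK arrives.
# Flood sources (192.0.2.0/24, a documentation range) send SYNs only.
LEGIT_PACKETS = [
    (0.0, "203.0.113.10", "S"),
    (0.1, "203.0.113.10", "A"),
    (0.2, "198.51.100.7", "S"),
    (0.3, "198.51.100.7", "A"),
]
FLOOD_PACKETS = [(0.01 * i, f"192.0.2.{i % 50}", "S") for i in range(500)]
SAMPLE_PACKETS = LEGIT_PACKETS + FLOOD_PACKETS


def half_open_by_source(packets, window_s=1.0):
    """Count, per source, SYNs never followed by an ACK from the same source
    within window_s seconds. These are half-open handshakes, the resource a
    SYN flood exhausts on the target."""
    pending = defaultdict(deque)   # src -> times of SYNs still awaiting an ACK
    half_open = defaultdict(int)
    for t, src, flags in sorted(packets):
        if "S" in flags and "A" not in flags:      # pure SYN
            pending[src].append(t)
        elif "A" in flags:
            queue = pending[src]
            # SYNs older than the window expired without completing.
            while queue and queue[0] < t - window_s:
                queue.popleft()
                half_open[src] += 1
            if queue:                              # this ACK completes the oldest SYN
                queue.popleft()
    for src, queue in pending.items():
        half_open[src] += len(queue)               # still open at end of capture
    return dict(half_open)


def syn_rate(packets):
    """Pure-SYN arrivals per second over the captured span."""
    syn_times = [t for t, _, f in packets if "S" in f and "A" not in f]
    if not syn_times:
        return 0.0
    span = max(syn_times) - min(syn_times)
    return len(syn_times) / span if span > 0 else float(len(syn_times))


def detect_syn_flood(packets, baseline_syn_per_s=1.0, rate_multiplier=10.0,
                     min_syns=20, per_source_half_open=5, window_s=1.0):
    """Combine a volumetric signal (SYN rate versus an assumed baseline, only
    once enough SYNs were seen to make the rate meaningful) with a per-source
    signal (many half-open handshakes). suspect_sources is the list a
    per-source filter would act on."""
    rate = syn_rate(packets)
    syn_count = sum(1 for _, _, f in packets if "S" in f and "A" not in f)
    half_open = half_open_by_source(packets, window_s)
    suspects = sorted(src for src, n in half_open.items()
                      if n >= per_source_half_open)
    multiple = rate / baseline_syn_per_s
    volumetric = syn_count >= min_syns and multiple >= rate_multiplier
    return {
        "syn_per_s": rate,
        "rate_multiple": multiple,
        "half_open": half_open,
        "suspect_sources": suspects,
        "alert": volumetric or bool(suspects),
    }


if __name__ == "__main__":
    verdict = detect_syn_flood(SAMPLE_PACKETS)
    print(f"alert={verdict['alert']} syn/s={verdict['syn_per_s']:.1f} "
          f"x{verdict['rate_multiple']:.0f} baseline, "
          f"{len(verdict['suspect_sources'])} sources to filter")
```

The volumetric check corresponds to the "500 times higher than usual" figure in the report, while the per-source half-open count is what lets a filter drop a flooding address after its first few requests without touching the two legitimate clients, which complete their handshakes and so accumulate no half-open entries. The minimum SYN count keeps a tiny capture from tripping the rate check on two packets.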