News

11/11/2019

The Standoff in Abu Dhabi: citywide cyberbattle takes the international stage

Competition held at HITB+ CyberWeek in UAE, winners hail from Russia

The Standoff, a three-day hyperrealistic tournament testing the skill of more than 60 security specialists from multiple countries, has concluded in the United Arab Emirates. As part of Hack In The Box (HITB+ CyberWeek), attackers (red teams) tried to steal money from a mock city's bank, cause an oil spill, bring trains and traffic to a standstill, and make street lighting go haywire. Their efforts were opposed by defender (blue team) counterparts.

The Standoff is no generic Capture The Flag competition. Unlike traditional CTFs, it pits teams of attackers and defenders against each other. The infrastructure of the imaginary city of Kabakas was featured in a huge diorama (17 square meters, or approximately 183 square feet) so that viewers could observe the aftermath of attacks. This faithful recreation of the digital infrastructure of an entire city included modern systems and hardware such as ICS/SCADA, e-banking, and building automation, enabling professionals to model real situations and hone their skills at defending systems and monitoring security. First held in 2016, The Standoff had previously taken place only in Moscow at PHDays, a conference organized by Positive Technologies.

Hack a chemical plant—or a Ferris wheel

A total of three defender teams and nine attacker teams took part. Defenders secured three different companies, responsible for the city's oil and gas, transportation, and energy. Targets included an ammonia factory and electrical substation, oil storage tank and loading terminal, railroad, traffic signal and street lighting management, heating and air conditioning, and even a Ferris wheel. The city had its own bank as well.

Mikhail Levin, one of the organizers of The Standoff, said: "Many teams, being used to collecting flags in standard CTFs, were initially at a loss for what to do. Like in real life, in The Standoff you can use practically any hacking technique that exists. What's more, only by smartly combining these techniques is it possible to achieve victory in The Standoff. Those playing for the bad guys could attempt ambitious APT attacks or even sabotage—think oil spills, lights-out on city streets, and rail accidents. These threats are international in nature, and training needs to be more than just theoretical. In the real world, security teams have a limited number of tools available. So at the contest, defenders had only NGFW and WAF solutions, which still made life much harder for hackers. These automatically blocked all head-on attacks, forcing red teams to camouflage themselves and modify their standard tools. By exporting a competition originally dreamt up at PHDays, one of the largest security-related gatherings worldwide, we have succeeded in making extremely realistic hacking competitions accessible to a much broader community."

Chronology: day by day

Attackers could earn game currency in a number of ways: stealing it from bank accounts, mining it, and participating in the bug bounty program. But mostly they made money by completing tasks.

On Day 1, attacker teams scoped out targets using public sources (OSINT). For instance, they identified corporate email addresses for all three companies and sold them to spammers. Several teams reported minor vulnerabilities as part of the bug bounty, but were unable to use them to escalate privileges on the target infrastructures. Defenders did not report any incidents for the day.

On Day 2, attackers continued finding information of value (email addresses and phone numbers) on corporate websites and selling it to spammers. But two teams pulled ahead. Team True0xA3 (from Russian company Informzashchita), which had already prevailed in The Standoff at PHDays 9, hacked the corporate network of the oil company. There the team found confidential correspondence and information about executive salaries, yielding 500,000 points. Another high-achieving team was Team 404, which combined the silver and bronze winners from the CTF Cyber Battle of the Emirates, held previously at HITB. The team obtained access to the bank accounts of a third of the city's population (50 out of 150 accounts, each holding 13,500 units of game currency) and even managed to automate transfers of the money to an offshore bank. By day's end, they had racked up 660,843 points.

Among other notable events on the second day, defenders of the energy company from the team Short Notice (UAE) detected malicious activity (exploitation of vulnerabilities and downloading of malicious shellcode) on the border of their network. They investigated this activity and reported the attackers' actions. The attackers were ultimately blocked and pushed off the company network, and the exploited vulnerabilities were subsequently closed.

On Day 3, True0xA3 got onto the process network of the oil company. They interrupted operations by shutting a valve, which stopped oil from pumping through the pipes. The team also completed a second task by changing the maximum tank level indicators and causing a reservoir to overfill. This resulted in an oil spill.

Results

The winner of The Standoff was True0xA3. Only they and one other team, n0x, found a way to mine cryptocurrency and obtain access to hosts on corporate infrastructures. This enabled True0xA3 to complete two high-value tasks and nab victory from Team 404, which took second place partly on the strength of having stolen money from bank accounts.

The highest-rated blue team was Short Notice. These defenders were the most diligent at ensuring the availability of services and regularly reported on incidents, including discovered miners and compromised accounts. They also announced detection of a stager (a small payload module designed to place the rest of the payload on the victim system).

Levin added: "Our plans include working with other major cybersecurity conferences to gradually turn The Standoff into the de facto standard for security competitions. In parallel, we will be striving to make The Standoff available 24/7/365 so that teams from different companies can participate and train remotely. Two or three days is just not a lot of time for setting up multistage attacks on an unknown target or mastering complicated detection techniques. Having a resource that's always available will help everyone to get the absolute maximum out of this format."

8/29/2019

The Standoff cyberbattle in review: how Positive Technologies Expert Security Center tracked the action

At this year's Positive Hack Days, teams of attackers, defenders, and security operations centers (SOCs) waged cyberbattle in The Standoff for the fourth time, fighting for control of a mock city's digital infrastructure. Attackers acted just like real cybercriminals aiming to steal money from a bank, pilfer confidential data, or cause an industrial accident. They raced to complete tasks and earn points. Meanwhile, defenders and SOCs protected targets and countered the attacks. This year, The Standoff also included a hackathon for developers (covered in a previous article).

The Positive Technologies Expert Security Center monitored events from start to finish. They analyzed the events detected by Positive Technologies products: MaxPatrol SIEM, PT Network Attack Discovery, PT Application Firewall, PT MultiScanner, and PT ISIM. As a result, they were able to reconstruct a full picture of the battle. Read on for an account of what happened during The Standoff and how the teams comported themselves during attacks on the city's facilities and infrastructure.

City F infrastructure

City F has grown to become a true modern digital metropolis. The city infrastructure included an electrical plant, oil refinery, and petrochemical plant, all owned by Big Bro Group. All industrial processes were controlled by modern industrial control system (ICS) equipment. City F had an airport, sea port, and railroad. The city also hosted Hedgehog Airlines and Heavy Ship Logistics. The digital infrastructure included offices of Future Electronics (IT company), Behealthy (insurance company), City-F Media Group (media holding), and even Voshod (soccer club). Streets were bustling with cars, supported by fully automated traffic lights and roadside lighting. The mock city was densely populated, with people working in offices and industrial companies while living in modern houses. No luddites, they enjoyed all the conveniences of the digital age, including E-Coin Bank as well as mobile communication services and Internet access from operator Future TeleCom.

7/22/2019

The Way of the Industrial Ninja: PLC hacking at PHDays 9

This year's PHDays 9 included Industrial Ninja—a contest of skill at hacking a gas pumping facility. At the PHDays venue, we created three stands that, at different levels of difficulty (No Security, Low Security, High Security), emulated the same industrial process: pressurized air was pumped to inflate, and then deflate, a balloon. No matter the security level, the hardware in each of the stands was identical: an S7-300 Siemens Simatic PLC; emergency deflation button and pressure sensor (connected to the PLC's digital inputs); and intake and outlet valves (connected to the PLC's digital outputs). You can see these components in the following picture:

7/11/2019

The Standoff developer hackathon: a fun debut

At PHDays 9, we added something new to The Standoff: a hackathon for developers. Teams of attackers and defenders fought for control of a mock digital city, as usual. But all the while, there were also developers working around the clock to make application updates and maintain uninterrupted uptime under a crush of attacks.

Four teams applied to take part in the hackathon. Each represented a different non-commercial project. Of them, only Bitaps (bitaps.com) made the cut. Bitaps publishes analysis of the blockchain of Bitcoin, Ethereum, and other cryptocurrencies, in addition to offering payment processing and developing a cryptocurrency wallet.

A few days before The Standoff was due to start, we gave Bitaps remote access to the game infrastructure in order to install their application (which was hosted in the unprotected segment of the city network). During the game, attacker teams, in addition to their usual attempts against city infrastructure, could scour the Bitaps application for vulnerabilities. The attackers sent a bug bounty report for each vulnerability found. The organizers verified these reports and gave the developers the opportunity to implement a fix. For each confirmed vulnerability, the relevant attacker team was rewarded with in-game currency and the developer team was penalized. What's more, the organizers could shake things up by sending feature requests. The developers worked feverishly to add functionality without creating new security issues.

Success was measured in money: implementing feature requests, as well as each minute of proper application operation, brought credits. But the developers lost money for each vulnerability, each minute of downtime, and each minute of improper operation of the application. Our bots monitored the situation closely: if they detected an issue with the application, we informed the Bitaps team and gave them a chance to resolve it. No resolution? Get ready to see losses. Just like in real life!

On Day 1, the attackers gently probed for vulnerabilities, finding only a few minor ones that were fixed quickly. Around 11 p.m., when the developers were feeling snug and safe, we caught their attention with a feature request. The feature was a tricky one: based on the application's existing payment processing capabilities, the developers' job was to implement a service to transfer tokens between two wallets by clicking a link. The payment sender (application user) should go to a special page, enter an amount, and set a one-time password for the payment. The application then should generate a unique link, which is sent to the payment recipient. The recipient opens the link, enters the one-time password, and indicates the wallet to credit the payment to.

Filled with excitement, the team got down to work. By 4 a.m. link-based token transfers were ready to roll. This quickly caught adversaries' attention. After a few hours, attackers succeeded in finding a minor XSS vulnerability, which they reported. We checked and confirmed it. The developers made a fix.

On Day 2, the attackers turned their full attention to the offices of the virtual city. With this respite, the developers could finally rest after a very long night.

7/5/2019

IDS Bypass contest at PHDays: writeup and solutions

Positive Hack Days 2019 included our first-ever IDS Bypass competition. Participants had to study a network segment of five hosts, and then either exploit a service vulnerability or meet a particular criterion (for example, send a certain HTTP response) in order to get a flag. Finding an exploit was easy, but the IDS complicated things as it stood between the participants and the hosts, checking every network packet. When a signature blocked the connection, participants were informed via the dashboard. Here are details on the tasks and the ways to solve them.

7/1/2019

PHDays 9 Competitive Intelligence contest: writeup and solutions

For eight years now, the Competitive Intelligence contest at PHDays has provided participants with the opportunity to test their skill at searching for information while learning new OSINT techniques. This year's tasks centered on a fictional information security company specializing in a particular vulnerability. Participants had to dig up information on people related to this company, but do so without hacking, using only their wits and various online resources. They had to complete 19 tasks, each worth a certain number of points depending on complexity:

Company real name
IDOR specialist username
IDOR specialist location
IDOR specialist work e-mail
IDOR specialist personal e-mail
Secret employee mobile phone
Secret employee username
Secret employee birthday
Secret employee university
Nightly programmer private username
What the flag?
Second employee IM username
IP used in PoC
Alexander's real last name
Peter's primary e-mail
Peter's secondary e-mail
Peter's password
Donation wallet number
Software which was downloaded from IP 77.71.34.171

In the text that follows, we will describe how to complete each task.

Company real name — 10

To start with, participants were given a description of the company: nfsg64ttmvrxk4tjor4q. Solving this introductory task required performing a Google search. The results provide information about the company's domain:

6/21/2019

AI CTF: writeup and solutions

At PHDays 9 we decided to take a look at the grittier side of artificial intelligence and machine learning. Our task-based capture the flag contest, AI CTF, put participants through their paces to test knowledge of AI-related security topics.

6/10/2019

The Standoff winners at PHDays qualified to participate in HITB CyberWeek

The world's top 25 CTF teams will battle for $100,000 at the HITB CyberWeek conference in Abu Dhabi from 12 to 17 October 2019. The best attacker teams of the last two PHDays (True0xA3 and Hack.ERS) were invited to participate in the finals in the UAE.

To recap, Hack.ERS (Deloitte) pulled out a victory in the last minutes of the contest. One hour before the end of the cyberbattle, the city defenders decided to try living without their antifraud system. The team Hack.ERS rose to the occasion by cleaning out the bank. Previously hovering around last place, Hack.ERS rose to kick CAICA (last year's champions) out of first place.

"It is exciting that PHDays keeps such high standards abroad, and The Standoff winners may try their hand at competing with the best CTF teams in the world. We are eager to take any opportunity to build up team spirit, better coordinate team efforts, and feel connected to the international IS community," says Ivan Nagornov, Hack.ERS captain.

In 2019, True0xA3 (Informzaschita) remained the leader during the whole two days of the contest, using loads of various techniques. The team hacked vulnerable infrastructure objects and kept them under control for two days.

"I still cannot believe that we are going to compete with such teams as PPP and Eat Sleep Pwn Repeat in the UAE. The victory inspired us to take a shot at even bigger challenges. The fact that The Standoff winners are going to take part in Hack In The Box, one of the leading IS conferences, and will go to the UAE for free, is simply exciting. Of course we are happy to be the strongest team in the CIS. But we would like to show what we can do on the global stage and share experience," says Vitaly Malkin, Head of the security analysis department at Informzaschita and True0xA3 captain.

"Hack In The Box has been held since 2002 and is one of the most important information security events in the world. HITB CyberWeek is like the world cup finals among hacker teams. The fact that The Standoff winners from 2019 and 2018 were invited to participate in the finals without try-outs is recognition of the PHDays contest's high level," says Mikhail Levin, member of the PHDays organizing committee and The Standoff organizer.

"The Stand Off is easily one of the most challenging attack and defense contests around. The fact that teams are essentially competing to find real-world vulnerabilities and simulating what attackers are doing in the wild is simply amazing! We are extremely excited to have not only the winners from PHDays 2019 joining our CyberWeek PRO CTF, but also the champions from 2018. Simply put, this competition in October is going to be one of the greatest gatherings of pure CTF talent under one roof," says Dhillon Andrew Kannabhiran, Founder/Chief Executive Officer, Hack In The Box.

Read more about CTF in Abu Dhabi at the HITB CyberWeek official website: .

5/24/2019

PHDays: to the nines

PHDays 9 has finished, having brought together a record-breaking 8,000 participants. Information security experts, journalists, politicians, and artists, as well as representatives of business and government from all over the world, attended over 100 talks. In contests, attackers hacked a gas pumping facility, ATM, Tesla cars, and more. The evening wrapped up with a live rock concert. Today we will announce the results of some contests and highlight a few fascinating presentations from Day 2.

5/16/2019

PHDays 9 features a secure development section

At Positive Hack Days 9, a section supported by the Positive Development User Group community will be open for two days. Participants can attend 12 presentations on secure development. The first half of each day will contain technical reports, the second half those on business processes.

May 21

Vladimir Kochetkov and Valery Pushkar (Positive Technologies) will share their experience of developing an efficient static analyzer for JavaScript code, and will demonstrate how the analyzer works using tough examples.

Sergey Khrenov (PVS-Studio) will talk about SAST, CWE, CVE, SEI CERT, and DevSecOps, and will explain programming standards that help to create reliable applications.

Mikhail Shcherbakov (KTH Royal Institute of Technology, Sweden) will make a presentation on deserialization vulnerabilities in .NET. Participants will also learn which .NET serializers are vulnerable, what tools can be used to search for vulnerabilities, and which payloads are known for .NET applications.

Alexander Chernov (Moscow State University) and Ekaterina Troshina (Higher School of Economics) will talk about consistently cultivating secure development from the very start of training. They will formulate the goals and objectives of secure development training, using the basic course on low-level coding and operating systems as an example.

The presentation by Sergey Gorokhov (EPAM Systems) will explain how to bring software into compliance with GDPR, and what to do if the client wants "a GDPR-compliant product."

May 22

Pressing security issues of Android applications will be discussed by Dmitry Tereshin and Nikolay Islamov (Tinkoff Bank). They will point out the causes of vulnerabilities in Android apps that were not sufficiently covered by OWASP guidelines.

Alexey Dremin, an independent expert, will make a presentation on establishing a pipeline of continuous application security checks. He will explain when the pipeline must be launched, which integrations with CI/CD are required and how they are to be done, and where to save and process the results.

Vladimir Sadovsky (M.Video) will talk about establishing a secure programming process. He will cover architectural design, automated tests, identification of business logic errors, and bug bounty.

Alexey Ryzhkov (EPAM Systems) will draw upon EPAM's experience of establishing a process of security impact analysis for every feature.

Sergey Prilutsky (MixBytes) will discuss automatic security audit of smart contracts. He will explain the peculiarities of the executable code of smart contracts and of analyzers for them, using the Ethereum Virtual Machine as an example. He will also discuss attack vectors on smart contracts and the capabilities for their automatic detection.

The presentation by Vitaly Katunin (EPAM Systems) covers security risk assessment. Participants will learn how to make risk assessment transparent for all stakeholders and how to achieve backward compatibility of threats and security requirements.

Anton Basharin (Swordfish Security) will share his experience of automating AppSec processes and collecting, visualizing, and analyzing metrics.

How to join the section

Tickets are traditionally free for members of the PDUG community, but their number is limited to 100. To get your ticket, apply and wait for confirmation. Please indicate your real name, or the organizing committee will have to reject your application. After your registration is confirmed, you will receive your invite in an email. Registration closes on May 17.

You can watch videos from previous PDUG sections on our YouTube channel: youtube.com/channel/UCpcLVW5yxexISUIRbYBw_9w
