Publication date: May 21, 2021

The first day of PHDays 10: who blew up the gas distribution station, who deleted information about fines, and how to protect against unacceptable damage

May 20 saw the beginning of Positive Hack Days 10, an international forum on practical security organized by Positive Technologies and Innostage. On the first day, dozens of talks, round tables, and hands-on labs were held at the WTC Moscow. There is news about The Standoff, the largest open cyberbattle—accidents have been added to scams and leaks, and the city’s infrastructure has already been badly damaged by the attackers. However, threats such as a railroad accident have not yet been implemented. There is one day left. It will all end on May 21, but for now let’s summarize the interim results.

On Thursday, the True0xA3 team caused an explosion (in the cyber-range’s terms, the risk was triggered) at the Tube company’s gas distribution station, which serves several urban infrastructure facilities. As a result, the gas supply to the city was cut off.

The attackers continued to compromise the IT systems of Heavy Ship Logistics, the city’s largest transport company, which serves the airport, railroad, and seaport. The most popular activity was scamming the train ticket system (at the time of this writing, the teams SPbCTF, TSARKA, True0xA3 were involved). A little earlier, Codeby caused a malfunction in the passenger registration system, and an hour later Invuls disrupted the passenger information system.

The Codeby team obtained access to a commercial proposal from Nuft, a large regional corporation involved in the extraction and processing of petroleum products. As a result, a major tender for the company was disrupted. The same team deleted information about citizens’ fines in the computer system of 25 Hours, which recently won a tender to modernize and manage the traffic light network. The citizens are happy, but the treasury is out of half a billion. If the management of 25 Hours does not take measures to prevent similar incidents, then the city officials may reject their incompetent cooperation.

The folks from True0xA3 once again became interested in the FairMarket retail chain. This time they changed the price tags in the ERP system. Codeby repeated the True0xA3 team’s efforts to coerce the store into illegal alcohol sales by breaking into the store’s ERP system and removing a special excisable product mark from hard liquor items. Several teams succeeded in leaking the personal data of employees and stealing strategic documents.

By the 56th hour of the battle, True0xA3 was in the lead, with Codeby in second place, and SPbCTF in third. Many well-known cybersecurity experts spoke at the forum at the same time.

«PHDays: The Origin» — the beginning of a major common cause

In information security, the most important thing is practice, says Boris Simis, Deputy CEO of Business Development at Positive Technologies: «The manager of one of the partner companies, whose employees worked at SOC for The Standoff in the fall, suggested increasing the specialists’ salaries, since they saw in seven days as many attacks as they might have observed in five—seven years. This allowed them to essentially ascend to another professional level,» Boris recalled during the round table «About PHDays, and why we hold it.»

Denis Korablev, Product Director at Positive Technologies, admitted that he had never imagined two writers writing books together. «However, the new task (the practical implementation of Information Security 2.0) taught us to combine the strengths of the development teams into a single whole and to stop thinking in terms of individual products and niches. The work was herculean, and someday we will write a book about it, which we must do together,» said Denis Korablev.

«All these years, many companies and people have been working on PHDays, investing their knowledge and their soul, and providing equipment and products,» said Boris Simis. «But this year, for the first time, we have a full-fledged co-organizer, Innostage, and we are extremely grateful to them for that. We also invite other companies to be co-organizers. We want PHDays to become a common cause.»

How Tinkoff started antifraud development

Rostelecom-Solar held a round table «Economics of practical cybersecurity.» The round table was moderated by Vladimir Dryukov, Director of Rostelecom-Solar’s SOC, called Solar JSOC.

«Technologies,» says Vladimir Dryukov, «are the foundation of information security, but in practice, information security is still a story about people.»

Dmitry Gadar, Vice President and Director of the Information Security Department of the Tinkoff Group, who began his career developing cryptographic protection and analysis tools, agrees with him.

«Large-scale fraud began in 2008, and then we started developing the first anti-fraud system,» recalls Dmitry Gadar. We threw it together, in fact. Such situations determine the security specialist’s ability to adapt to the circumstances and add real value. Currently, a security specialist must possess basic knowledge of mathematics, networks, operating systems, and other fields. Knowledge of security tools is not the most important thing, since pressing buttons in ArcSight can be taught quickly enough. There are not enough people who understand how network protocols, operating systems, and other basic things are set up. On the other hand, I tried to hire strong IT specialists, and it doesn’t work that way either. They are deeply convinced that, with the right set of security tools installed and properly configured, the company will be completely safe. But this is not the case. A security specialist must have a certain degree of paranoia. Belief in the existence of an ideal set of security tools will lead into trouble."

Roman Popov, OTEKO, admitted that he first considered that toys from a monitor screen could influence real life when the Stuxnet story broke. «Today, if you have a zoo of various equipment, it is best to turn to MSSP. Furthermore, MSSP is a story of exclusively recent years,» noted Roman Popov. Denis Andrievsky, Managing Director of Innotech, discussed the size of cybersecurity centers at major companies: Sber employs about 400 people, VimpelCom has around 40, and NLMK has about 60 people.

Thinking is cool. Twenty practical OSINT methods in digital world

In his talk, Avalanche CEO Andrey Masalovich examined techniques for OSINT, collecting and analyzing intelligence information obtained from publicly available sources, which allow you to efficiently extract private and even classified information without resorting to hacking. "We have started to be spied on by devices, and today, as the physicist Max Born said, modern science is killing modern ethics. What is currently happening with scientific and technical achievements, new technologies and gadgets, does not make our life happier: it is similar to the appearance of the first machine tools, when people became their "appendages"," remarked Andrey. The expert showed how to extract data about a secret delivery from open logistics bases, look for leaks in the cloud storage facilities of Amazon, Google, and Microsoft, find a private user account in Telegram, or determine the phone number of a channel administrator, and also talked about tricks to detect any services tied to a subscriber's phone, including Sberbank Online and e-wallets, as well as the capabilities of spy services.

Be careful with group names on WhatsApp

Speaking at thrEat reSearch Camp, a separate defensive track at PHDays for presentations on incident response, threat intelligence, threat hunting, OSINT, and malware analysis, Kaspersky Chief Expert Sergey Golovanov discussed the most impressive incident response efforts over the last two years, with a focus on new realities during a pandemic.

«We are talking about the mass of problems associated with remote workplaces. Many companies have created a huge number of RDP servers and made remote workstations on them. As a result, we witnessed large botnets that „crawl“ and try RDP passwords. In 2020 we observed a significant increase in incidents that originated from a bad password on an RDP server,» he said.

According to him, working remotely also highlighted other unexpected "weak points"—for example, work communications over instant messengers. «Messengers «leak» the names of work groups. If someone named a group on WhatsApp «Incident such-and-such place, such-and-such time» then congratulations, you yourself just confessed to Facebook that you have an incident. The groups should be called, for example, «Choosing a birthday present» or «Let’s go to Moscow,» the expert quipped.

Information security at Tele2

Nail Ainetdinov, Head of Information Security Audit at Tele2, spoke about the work of his department, which carries out dozens of audits a year, including ones of corporate systems, client products, and technological components of mobile networks. The department follows a risk-based approach. Nail Ainetdinov noted that this approach is suitable for ranking audit results and linking discovered vulnerabilities to specific risks. «We associate vulnerabilities with risks instead of simply giving customers a list of threats. We name the risk, then spell out which vulnerabilities need to be closed so that the risk cannot be implemented.» In addition, Nail remarked that holding the conversation about risks at the highest level often helps improve infosec and IT practices. "Top managerial awareness of information security has been growing lately thanks to publications about leaks and news about ransomware. Executives are wondering if something like this could ever happen to their own company.

It is vital for us and the management to speak the same language. We try not to use jargon or abbreviations, and for greater clarity we show demo videos explaining how a particular risk could have happened." Among the main risks for the telecoms industry, Ainetdinov named data leakage, communications privacy, and communications outage (regulatory risk).

Hacking mobile apps

On day one of the PHDays 10 forum, infosec analyst Akshay Jain spoke about the security of mobile apps for Android and iOS. His presentation examined ways to compile code using the Frida framework for injection into apps, and demonstrated real-time hacking scenarios for bypassing jailbreak detection methods and SSL pinning protection. «There are different Frida detection mechanisms, of course. On top of that, there is the DetectFrida project, which lets you use certain libraries to determine whether the framework has been injected into the app or not. To bypass this protection, Frida, Gumjs, and other reference values should be removed,» explained Jain.

It takes one person to detect and stop a cybercriminal

At midday, Positive Technologies experts Andrey Bershadsky, Denis Baranov, Alexey Andreev, Denis Korablev, Mikhail Pomzov, Alexander Morozov, and Anton Tyurin spoke about a new concept of information security that introduces the notion of unacceptable events and helps avoid them. You can watch the complete video of the talk on the forum’s website, but for now we'll share a few highlights.

Denis Baranov, Managing Director at Positive Technologies, said, «The goal of the new concept is to detect hackers when they’re moving toward carrying out an unacceptable threat, but without overwhelming our duty shift. To solve this problem, a company needs to do two things: hardening and monitoring.»

Andrey Bershadsky, Director of the Competency Center at Positive Technologies, said that today' online attacks are capable of knocking out the electricity of large cities, and furthermore, if you want to remove unacceptable threats, it is not sufficient to perform an ISO/IEC 27001 audit, pentests, or red teaming.

«We’ve recently been conducting interesting projects, where first we’re the ones being tested and then we do the testing,» Andrey Bershadsky said. «If we, Kaspersky, Bi.Zone, and other major players were unable to carry out the unacceptable threats, we could be sure that the mechanisms we’re using are protecting us completely from events that affect operations.»

Denis Baranov noted in his talk that when it comes to attack prevention, there are limited human resources. «In Russia we have around 50 SOC experts with high-level qualification and around 100 people at the middle level. Based on our observations of our customers, partners, and colleagues from cybersecurity companies, we see that companies are going in circles and largely doing the same work. That means it can be automated,» Denis Baranov said.

What is hardening? «One of our colleagues said: if I want to protect a bank, buy me pliers and I’ll pull out all the wires that lead to it except for the wire to the chief accounting officer’s PC,» Denis Baranov said. «That’s the basic idea of hardening, which you’ll need to do in one way or another—for example, by removing from the perimeter services that lead to the occurrence of unacceptable risks. The second method is to cover all the systems with an automated response and make sure that every threat model that hackers and pen testers may generate when they break into the network is under the lid. The complication lies in the fact that a network often looks like a little pancake and the number of features that need monitoring is massive. But if you achieve a balance between hardening and monitoring, the concept is workable.»

«When you go to the IT guy with a question about the company’s key concerns, it’s easy to name threats, such as a boiler exploding or someone stealing money. But IT often doesn’t know which systems these risks relate to because the infosec and IT departments aren’t closely connected to business and operations,» Denis Baranov explained. «To address that, we’re now offering our Asset Management system, which has been retooled for the new concept. This system allows you to correlate threats with assets. Another standard question to ask the customer is, where on the perimeter are your systems that will be entry points for a hacker? No one can completely answer that question. They’ll usually show a list of systems with two interfaces outward and inward. So what do you do with update servers where systems run on their own, with segment telemetry in ICSs, or with blockchain transaction vulnerabilities?»

There are a lot of ICSs that receive updates from the vendor, and some ICS specialists are still convinced that the technological segment is isolated. Systems can be attacked through blockchain transactions and many other entry points that aren’t entirely obvious.

«When you know the perimeter and target systems, you live with that,» Denis Baranov continued. «Then you need to determine which systems have network connectivity with the target asset on which the attack is unacceptable. The second factor is, which users have even minimal access to this system that is needed for an attack? Somewhere in the middle, in the little red square (diagram below), there will be users who actually need to be able to access these systems. All the other permissions and accesses need to be turned off. Of course, to find them, you’ll need to talk to the operation team. The ultimate goal is to move risky assets into separate subnetworks and segments.»

Denis cited the example of covering the threat model for the MS Exchange enterprise email service: «A person is divided into six parts, but in the hacker’s eyes this message system is divided into three parts. The first component is the correspondence. If you take a solution from the Gartner ratings, you see that correspondence remains outside the area of their interest. Not a single set of third-party solutions—which need to protect against social engineering—passed the tests done by our colleague Yaroslav Babin, a specialist in social engineering. These days attackers understand that it’s not productive for them to send attachments. So what they do is register a domain name that is similar to your company’s domain name, but they don’t send you email from it. They just wait for one of the 60,000 employees to make a mistake and send a message to their address. Then the attackers impersonate the help desk, for example, and in that way convince this lucky person to share their password. Consequently, the product needs to take into account all similar domain names and other signs of social engineering.»

According to Denis, the second layer of threats to MS Exchange is Exchange Web Services (EWS), which allows your smartphone to sync with the server and receive email. «In real life, a hacker isn’t going to look for an SQL injection on this living web application. They’ll find the vulnerability in Exchange on their own machine and strike once. But there’s something worse. For example, there are services that let someone receive accounts that are on your network, and the WAF doesn’t give you a notification. If an attacker receives a list of accounts and then goes to log in through Citrix, for example, they’ll have the option of automatic attribution. This means that WAFs don’t protect the web in such a vulnerable place as email, and the threat model remains uncovered,» Denis said.

The third network layer is related to network protocols. «All knowledge bases connected to IDS and IPS need to be divided into two groups: protection from an internal attacker and from an external attacker. For the purpose of discussion, let’s say that no one can ever access the domain controller with administrator privileges from the computer used by Alice in accounting. Internally, behavioral analysis is important for us, while externally it’s important to understand current attack methods. We ourselves have not perceived our products entirely correctly. Now our requirements have changed. For example, we assess PT MultiScanner from the perspective of maximum coverage of the threat model as well as from the perspective of recommendations on hardening. If an attack doesn’t occur, PT AF is supposed to learn to give hardening recommendations—for example, by saying which users have weak passwords,» Denis Baranov added.

In their talk, the experts lifted the veil on a new type of Positive Technologies meta-level products that solve problems like this, and they performed a series of experiments. More information on the new products will be released soon.

Payment terminal as a weapon

In Payment Village, a special demonstration zone, banking system security experts tell and show how various payment devices work and what vulnerabilities they contain, and share interesting case studies from security analysis projects. After getting acquainted with the theory, participants can try their hand at hacking an ATM, cash register system, or POS terminal.

According to Timur Yunusov, one of the PHDays organizers, «cybercriminals can turn a payment terminal into a weapon for attacking acquiring banks, issuing banks, and cardholders. Their imagination knows practically no bounds.» Not for nothing does PHDays traditionally place special emphasis on the security of payment instruments and banking systems.

The number of attacks on retail has skyrocketed

Positive Technologies analyst Yana Yurakova spoke about trends and forecasts in the information security industry.

In particular, she noted a significant increase in attacks on the industry and medical institutions. Each of these sectors experienced 91% increases. According to Yurakova, medical institutions and industrial companies will remain among the top targets. However, perhaps this year we will start to see a decline in attacks on medical institutions if the pandemic subsides or comes to an end. According to Positive Technologies analysts, the number of attacks on the retail sector has increased sharply. Experts in particular attribute this to the hasty transitions that businesses made to online-only operations during the COVID-19 pandemic. Yurakova also named some other trends that, unfortunately, will not abate in the future, but will only intensify, including an increase in attacks using ransomware, supply chain attacks, as well as attacks on cloud systems and virtual infrastructure.

Threat intelligence: current capabilities and advantages

Threat intelligence suppliers and consumers discussed specific areas where TI could be deployed at a special round table at PHDays 10, including the different levels of TI, difficulties in working with it, the use of feeds and indicators, and, most importantly, the benefits of organized cyber intelligence.

Sergey Kuznetsov, Head of Product and Server Support at ESET, noted, «You need to start by accepting the fact that you are already under attack. Once you accept this, you cease to question whether you actually need TI (and in what form). You start looking for ways to understand who exactly is attacking you, how exactly you are attacked, and what needs to be done to prevent this attack from going through.»

Vladimir Kuskov, Head of the Complex Threat Research Department at Kaspersky, is sure, «Everyone needs threat intelligence, but why it is needed will vary depending on the particular organization. You can start with free offerings. It is better to use a free solution than none at all.»

For his part, the Lead Analyst at JSOC (Rostelecom-Solar) Maksim Zhevneryov spoke about what he sees as the clear benefit of TI. «When a serious attack is underway, threat intelligence helps you understand if you are the only one who has encountered such an attack. When you query TI and you get back zero information on specific hashes, IPs, and techniques, it mobilizes researchers to level up their game by finding out more about the attack.»

On investments in information security

Evgeny Kogan, investment banker, host of the Telegram channel @bitkogan, and professor at the Higher School of Economics, touched upon the topic of investments. «Investors are all different. Some need only financial metrics, while others may be ready to take a deeper look and assess what the company is doing, how many products it has, who its customers are, and draft forecasts of future customers—that is, to analyze the industry. In the case of information security, its primary capital is, first of all, human resources. And today the value of human capital and brainpower is growing strongly. A hacker, like an investor, is a cynical and pragmatic creature. The hackers and you are constantly sparring as though it were a boxing match. As the defenders, you must face down challenges every time. I understand that in another six months or a year, the attackers will come up with something new. The confrontation between hackers and defenders is an eternal battle. First of all, managers can and should understand the problems that their company faces. They must go deep. They shouldn’t just throw money at the IT department all while blindly trusting the „smart guys“ over there to handle everything. Infosec companies will turn out much more important in the future than many of those seeming more significant today.»

Make the world a safer place, and Intel

Dmitry Sklyarov, Head of Application Analysis Department at Positive Technologies, spoke about his many years of experience studying the Intel ME subsystem together with his colleagues Maxim Goryachy and Mark Ermolov, paying special attention to the importance of the "responsible disclosure" of information about vulnerabilities. Dmitry noted, «Every time we discovered something „tasty,“ we made sure to inform Intel about it. Because if someone starts to exploit existing vulnerabilities, it will not be Intel who will suffer. Rather, it is their customers, the ordinary users and companies, who will. Yes, we did our research because we thought that it was interesting. Yes, we were paid money by as part of a bug bounty program for some of our finds. But the ultimate goal was to advance the slogan I borrowed from the Troopers conference—make the world a safer place.»

Fault in our stars: cross-application satellite control

XEN1THLABS researcher Tanoy Boze’s presentation «Fault in our stars: cross-application satellite control» touched on the topic of attacks on satellites, which will be of interest to information security enthusiasts. He described how satellites can be divided into three types: space, end user, and terrestrial. An attack will be customized to each type. The expert noted, «Attacking end user satellites requires hacking IoT devices, satellite phones, or communications equipment—in other words, the actual stack of satellite communication applications. For example, an attack on a satellite phone will mainly target the satellite phone network.» Space satellites, according to the researcher, have two main stacks: a software and control stack, which controls the satellite itself, and a payload, where other programs running on the satellite are located. Tanoy Boze explained, «More often than not, attacks are directed not at the satellite itself, but at the application software that it manages. By hacking this software, you can get full access to the space satellite.»

The co-organizer of the forum, Innostage, has deployed and maintains The Standoff infrastructure as well as monitors and controls the actions of the teams. The forum's business partner is Rostelecom-Solar, a national provider of information security services and technologies. The technology partners of PHDays are the Russian private chain of supermarkets Azbuka Vkusa, the electronic payment service, and the developer of remote banking service solutions iSimpleLab. The following companies participate in PHDays: Axoft, Cross Technologies, ICL, OCS Distribution, R-Vision, Security Vision, and Jet Infosystems. The competition program partner is ARinteg.

All news