
Chronicles of Confrontation: how to hack the whole city in two days



It has long been known that the battle between information security specialists and network attackers looks like a beautiful spectacle only in Hollywood movies. In reality, both real attacks and security contests more often resemble mathematical olympiads, whose beauty only a few can appreciate.

Nevertheless, this year the organizers of "Confrontation", the main competition of the Positive Hack Days VII conference, did everything possible to resolve this contradiction: to make the competition as close to reality as possible while keeping it understandable and interesting for all other conference visitors. And we think they succeeded. In just thirty hours of competition, the hacker teams demonstrated a number of successful attacks on the facilities and infrastructure of a modern city, actively using wireless communications and low-level vulnerabilities in industrial control systems, simple brute force and complex multi-stage intrusion schemes.
In this article we will try to reconstruct the chronology of the main events and summarize some of the large-scale cyber attacks.

First day: exploration and warm-up


11:00

Participants of the "Confrontation" take their seats and study the stands. The attacking teams begin the first scan of the network. The defending teams continue to set up their security systems and begin to examine traffic.

And they need to protect a whole city, in which a telecom operator, two company offices, a thermal power station (CHP), an electrical substation, and oil and railway companies operate. In addition, the city has a number of Internet of Things devices. In accordance with the rules of "Confrontation", the defending teams distributed the objects among themselves.

13:00

One of the hacker teams attempts to enter the zone where the defenders are located, and comes out of it with materials about the infrastructure and network topology.

Social engineering is used in such offline attacks. One of the teams uses fake organizer passes in an attempt to get data from the defenders. Representatives of another team, posing as journalists, social-engineer the organizers of the "Confrontation".

14:00

Two teams submit the first non-critical vulnerabilities to the bug bounty. One of the vulnerabilities was found in the smart home controller.

16:00

For the time being, the competition is unhurried: only in the second half of the day do the attacking teams start to score points, mainly by finding e-mail accounts and credit card numbers in the city's digital infrastructure. But the rewards for such discoveries are small: from 100 to 500 publics per account. "Public" is not a typo, but the virtual currency of the city. BIZone leads the ranking: they received 100,000 for hacking the undefended website of one of the companies.

17:00

The CARKA team finds TeamViewer accounts that are used for remote control of the transport management system in the city infrastructure. Having logged into the dispatching system with these accounts, the hackers switch the traffic lights to night mode in the middle of the day. But the traffic hardly changes, and after some time everything returns to normal operation.

19:00

CARKA jumps sharply into first place: the hacker group from Kazakhstan managed to intercept the SMS messages of the mayor himself. These secret messages revealed serious compromising material, which allowed the CARKA team to immediately receive 150,000 publics. How did they do it? They listened to the air using an osmocom phone or an SDR (they have both).

22:00

The CARKA and BIZone teams start raiding the stands, trying to connect to everything that is accessible.

00:00

The most vigilant team of defenders, Jet Security Team, is the first to stop an attempt to plant a whole server and a wireless access point into the infrastructure of the city telecom. The attacking team Vulners wanted to put their hardware "in the gap" in order to see the defenders' traffic and control it through the access point.

02:00

The Jet Security Team defenders prevent several attempts to physically connect to the stands of the city's industrial systems. In addition to the teams already mentioned, the hacker group KanzasCityShuffle was noticed in such attacks.



First day table

Second day: break everything!


Night is the time of hackers, and the attackers proved it. Several teams stole more than 4 million publics from the city bank. For the attack, the Rdot and CARKA teams used previously stolen user credentials, which gave them the opportunity to use the remote banking system to withdraw large sums of money (2.8 million for Rdot, 1.3 million for CARKA).

At the same time, CARKA took advantage of a vulnerability in the bank itself to steal all the money from the Rdot team's account. However, this violated a rule of "Confrontation": do not break the "Confrontation" infrastructure, of which the bank is a part (it is used to pay out prizes to the teams). For this reason, the money was returned to the Rdot team.

Meanwhile, the Vulners team applied another method: a special robot began to withdraw small amounts (10 rubles each) from a number of compromised bank cards of city residents. A similar attack was carried out by the Hack.ERS group.
In reality, such attacks would be far less conspicuous than the one-time theft of a large sum. However, this method takes time, which was in short supply here, so they did not manage to withdraw much money.
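The two withdrawal patterns described above (one large transfer made with stolen credentials, and a robot draining 10 units at a time from many cards into one account) need different anti-fraud rules. The following is an added example and is not the bank's or any team's code; the transaction fields and thresholds are assumed, and the sample transactions are constructed. The last group of transactions shows why the slow variant is harder to see: spread out in time, it slips under a short velocity window.

```python
"""Anti-fraud checks for the withdrawal patterns in the write-up (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass

# Illustrative thresholds (assumed; tune to the real account population)
LARGE_SINGLE = 1_000_000   # a single debit this large is reviewed on its own
SMALL_AMOUNT = 50          # ceiling for a "micro" debit
FAN_IN_MIN_CARDS = 5       # distinct source cards converging on one destination
FAN_IN_WINDOW = 120        # seconds


@dataclass(frozen=True)
class Tx:
    ts: int        # seconds since an arbitrary epoch (constructed)
    card: str      # source card identifier (constructed)
    dest: str      # destination account (constructed)
    amount: int    # in the city's virtual currency


def flag_large_transfers(txs, limit=LARGE_SINGLE):
    """Rule 1: any single debit at or above `limit`."""
    return [tx for tx in txs if tx.amount >= limit]


def flag_micro_fan_in(txs, small=SMALL_AMOUNT, min_cards=FAN_IN_MIN_CARDS, window=FAN_IN_WINDOW):
    """Rule 2: many small debits from many distinct cards land on one destination
    within `window` seconds. Returns {destination: max distinct cards seen in a window}."""
    by_dest = defaultdict(list)
    for tx in sorted(txs, key=lambda t: t.ts):
        if tx.amount <= small:
            by_dest[tx.dest].append(tx)
    alerts = {}
    for dest, small_txs in by_dest.items():
        start = 0
        for end, tx in enumerate(small_txs):
            # slide the window start forward until it fits within `window`
            while tx.ts - small_txs[start].ts > window:
                start += 1
            cards = {t.card for t in small_txs[start:end + 1]}
            if len(cards) >= min_cards:
                alerts[dest] = max(alerts.get(dest, 0), len(cards))
    return alerts


# Constructed sample: one large theft, one fast robot, normal shop payments, one slow robot.
SAMPLE = [
    Tx(0, "card-A", "acct-X", 2_800_000),
    *[Tx(10 + i, f"card-{100 + i}", "acct-MULE", 10) for i in range(8)],
    Tx(30, "card-B", "shop-1", 10), Tx(40, "card-C", "shop-1", 20), Tx(45, "card-B", "shop-1", 15),
    *[Tx(1000 + 600 * i, f"card-{200 + i}", "acct-SLOW", 10) for i in range(8)],
]


def run(txs=SAMPLE):
    """Apply both rules and return the alerts in a compact form."""
    return {
        "large": [(tx.card, tx.amount) for tx in flag_large_transfers(txs)],
        "fan_in": flag_micro_fan_in(txs),
    }


if __name__ == "__main__":
    print(run())
```

Catching the slow variant needs a longer aggregation window or a per-destination daily count, at the cost of more false positives on legitimate merchants.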

But the total theft of more than 4 million from the bank (more than 50% of the money in our town) led to a real economic crisis: the organizers had to issue additional currency and carry out a redenomination.

In the morning, attacks on the telecom continued. The Antichat team was able to break into the web management interface of Asterisk (the VoIP telephony server) and obtain all usernames and password hashes. But this activity was quickly discovered by the telecom defenders, who immediately blocked access to the web interface to prevent further attacks.

12:00

The hackers got to the industrial sector: the BIZone team stopped the work of two of the city's enterprises at once, the thermal power station and the oil refinery. This was achieved through an attack via a Wi-Fi network that used a dictionary password. Having gained access to the industrial network, the hackers discovered in it the relay protection and automation systems (RZA) that protect the electrical part of the CHP. After spending an hour trying to reconfigure this equipment through engineering software, the hackers decided to change the attack vector. Having identified the power-industry protocol in use and downloaded other engineering software, they were able to cut off the power supply to the substation. As a result, the engineering staff working at the CHP had to stop the boilers and the turbine. The complete (albeit temporary) shutdown of the CHP also affected the operation of the refinery: the distillation columns of the AVT (atmospheric-vacuum distillation) unit were left without superheated steam.

Thus, one dictionary password on Wi-Fi allowed the BIZone team to take down two industrial facilities at once and move into first place in the rating. Alas, nobody is protecting the city's energy sector, so attacks on industrial facilities can continue.



CHP shut down, last smoke

13:30

It's getting hot! The CARKA team again stole several million from the bank and again went to the top. How did it happen? During maintenance work, while connecting the anti-fraud system, the organizers had to leave the bank undefended for just a minute. And it was precisely in that minute that CARKA managed to withdraw a large sum. That is skillful use of automation!

15:30

CARKA and BIZone continue the battle for first place. The team from Kazakhstan was able to locate the criminals' car with the stolen money. Using the osmocom phone, the hackers intercepted the SMS messages sent by the car's GPS tracker. From these they worked out the "white number" from which the GPS tracker can be controlled, then spoofed that number and sent the tracker a command to report the car's coordinates.

At almost the same time, the BIZone team was again able to stop the refinery. Previously they had done this through an attack on the electrical substation and the CHP plant, but this time the plant itself was attacked directly. First they attacked the plant's Wi-Fi (password guessing), then penetrated the plant's network and found out which controllers are used in production. Having studied information about the discovered PLCs on the Internet, the attackers found a known vulnerability (with a public exploit) and made the controllers of the AVT unit stop, as a result of which the installation was left for some time without control and monitoring.



Oil Refinery (fragment)

16:00

"Confrontation" is over. But the jury is still checking the last submitted tasks: in addition to the leaders already mentioned (CARKA and BIZone), other teams also carried out several successful, though less "expensive", attacks in the last hour of the competition.

Thus, the Hack.ERS team was able to steal money from SIP telephony users: having hacked their accounts, the hackers "monetized" them with calls to premium-rate short numbers. However, the attackers discovered this possibility only at the end of the contest, so the amount withdrawn (about 300,000) was not enough to lift them into the leading group.

And in the final minutes of the competition, the True0xA3 team proved that even simple methods can bring tangible results. Having hacked the home router of one of the ordinary users, the attackers discovered that he is an accountant who keeps the financial statements of a large company on his home computer. The attack brought the team 500,000 publics.

It also became known that the KanzasCityShuffle team hacked the smart home, and the Antichat team gained access to a webcam. In addition, some teams found and submitted a number of other serious vulnerabilities to the bug bounty. For this reason, verification of all tasks continues for two hours after the end of the battle.



Smart home model (fragment)

Results: where is the defense?


The first three places in the competition were taken by CARKA, BIZone and Rdot.org. The final rating can be found here. In general, the hackers this year showed themselves in all their glory, using a very wide arsenal of reconnaissance and attack tools in a relatively short time.

Surely many will ask: where were the defenders, and how did they allow all this? It should be explained that in preparing this year's "Confrontation", the organizers took into account the problem of the previous year, when the defense turned out to be too well prepared and "tightened every nut", although this rarely happens in real life. Therefore, in this year's competition the defense was not so much weaker as more realistic. In particular, the defenders were placed in the harsh conditions of a crisis-driven cut in security spending: each team had a fixed budget for purchasing protective tools of only 10,000 virtual publics. In addition, some facilities and infrastructure were left completely unprotected, as also happens in real life.

"In the case of the attacks on GSM, the defenders could not influence anything, but they could see what was happening," said Pavel Novikov, head of the telecommunications security research team at Positive Technologies and one of the organizers of "Confrontation". "We gave them a dump of the radio traffic, but they found nothing. In addition, by our design, the defenders could have prevented the withdrawal of money via SIP. Perhaps they were confused by our checkers, which diligently generated voice calls: at any moment there were 5–10 simultaneous voice connections, among which it was quite difficult for the defenders to make out the hacker activity, but this is exactly what happens in the real world. The second possible reason is that the attackers discovered this method of withdrawing money too late, and the defenders did not have time to react either. On the other hand, the telecom defenders managed to prevent the hacking of the Asterisk server. Their extremely high efficiency in this matter deserves to be noted."

Ilya Karpov, an industrial control system security expert who built the industrial facility stands for "Confrontation", also noted that in the attack on the refinery the defenders did everything they could under such conditions: "The attack happened very quickly; the suspicious traffic detected on the network did not allow the defenders to respond to the incident immediately, but it did allow them to stop repeated attack attempts by quickly changing the passwords."

According to Mikhail Levin, frontman of "Confrontation" and member of the PHDays organizing committee, this year's contest was a real success, and the "hackers' revenge" took place not in words but in deeds: "All participants were filled with the spirit of competition and gave it their all. We were once again convinced that this cyber battle format is interesting for both participants and spectators. And most importantly, the event draws the general public's attention to information security problems."

Impressions of the participants


Everything written above is a view of the competition from the organizers' side. Now let's hear what the participants themselves think about the "Confrontation": the leading attacking teams, as well as representatives of the defense.



Team CARKA (attackers):

"The impressions are very good. In fact, we did not even expect to win: for us it was our first participation in the "Confrontation" itself, so we went just to take part. And in the end it turned out to be a win. We got the most excited at the end of the first day, when we managed to take first place. We did not want to drop any lower, and we decided to hold our place overnight with the whole team. At some moments we were very lucky, especially when on the second day we hit a five-minute window when the bank started working, which enabled us to steal money from the citizens once again. It was a bit tough with hacking the SCADA systems, but the attack on GSM made up for it.

We gained good experience and tested the team under stress, when you have two days to figure out the systems and still have time to hack them. Our big advantage was that the team members specialize in various directions (GSM, reverse engineering, etc.). Some teams, for example, were oriented only toward attacks via the web."

Team BIZone (attackers):

"We were the first to submit a large task, thanks to which we held the lead for a long time, and it seemed abnormally easy to us: after all, far more complex vulnerabilities (RCE, XXE) in the "Confrontation" bug bounty program were awarded far fewer points.

We cannot fail to mention the physical attack made on us: at about three in the morning we lost access to the entire game infrastructure, except for the personal account. Having received the answer that there were problems in one of the switches, many members of our team went to bed, but in the morning the situation had not changed, and we decided that everyone had problems and switched to the services with physical access, SCADA and IoT. However, at about 2:00 pm it turned out that only we had such serious problems, and an investigation carried out together with the organizers showed that the twisted-pair cable through which our access to the internal network went had been plugged into the wrong port on the switch. As a result, for almost 12 hours we had no access to the main game infrastructure.

We were also very surprised when in the morning the points of all the teams were multiplied by 10 (the redenomination caused by too much money having been taken from the bank). And when on the second day our team solved the tasks that had been valued at 800,000 PUB on the first day and 8,000,000 PUB on the second, and as a result 2,000,000 were transferred to us, we were in principle even pleasantly surprised, although then we realized that we had enough points for first place anyway. But it is still interesting how many such opaque manipulations were made."

Team Rdot.Org (attackers):

"The impressions are better than last year, because the organizers tried to correct the imbalance in favor of the defenders and make the tasks more concrete. However, the format of the competition is still too complex, and it cannot be fully implemented. In particular, the availability of services was low. It can be seen that the tasks were prepared to be interesting and diverse, but because of the imperfection of the competition format, it is not possible to engage with them closely. No wonder the CTF format has been proven over the years as the most concise and practical form of competition."

Jet Security Team (defenders):

"For the first time, we (both as a team and as a class of solution, since we are not a classic defense team or SOC) participated in the "Confrontation". And, of course, the impressions exceeded expectations. Now we can admit that our participation caused some skepticism, first of all among ourselves: a new solution, a new format... But the results speak for themselves.

It is a pity that the format of the event did not allow us to respond to the night-time hacker attacks: on the first day our anti-fraud solution was only in monitoring mode, notifying the organizers about the situation. But the next day the task of "not allowing a substantial amount of funds to be withdrawn" was solved by 110%. In addition, we managed what is perhaps most important: we checked our readiness to solve potential urgent tasks with limited resources and time. And we also got a few ideas for developing our product Jet Detective in terms of ease of use.

It's a shame that in the short time of our active work, the attackers did not have time to seriously try to circumvent our analytical system (and there were enough options for a "harder game" for the attackers). And some of the tricks and traps we had prepared did work, but there was no need to apply their results.

Nevertheless, I want to say that we are preparing for next year. And we are confident that in 2018 the attackers will not have such an easy life as on the first day. We hope that 30+, and maybe 60, hours of real "Confrontation" await us."

SPAN (defenders, a joint team of the companies "Servionika" and Palo Alto Networks):

""Confrontation" can be compared with a typical project for building an integrated information security system. As in a real project, we went through the stages of auditing, architecting, selecting the necessary methods and means of protecting information, coordinating all changes with the organizers, implementing and configuring, and then testing and operating the selected means of protection in "combat" conditions. In general, we focused on a thorough, detailed audit of changes in the network infrastructure and on gaining complete control over network traffic. Recent events influenced our strategy and choice of security system configurations: the wave of exploit publications by The Shadow Brokers and the emergence of the world-famous WannaCry virus.

To achieve this goal, we chose a number of solutions from companies such as Palo Alto Networks (NGFW), Positive Technologies (PT Application Firewall, MaxPatrol 8), and Skybox Security (NA, FA, VC, TM). Protection of endpoints (host machines) running Linux and Windows was implemented using Traps (Palo Alto Networks) and Secret Net Studio from Security Code, as well as the built-in OS protection mechanisms. This allowed us to prevent the use of known exploits.

It should be noted that the office infrastructure was attacked continuously, at night as well. We saw attackers discover vulnerable services and start looking for vulnerabilities in them. They attacked quite conventionally, as if in a training course: they tried passwords, searched for exploits on the Internet and tried to use them against servers and routers. We saw and logged every connection. The most active attacks on the DMZ were from 0 to 4 am. Then, at 6 am, the attackers switched to the server segment within the office network. And they did not manage to guess passwords, or to find SQL injection, XSS, or anything else."

SOC "Perspective Monitoring":

"It was an excellent training ground for testing various monitoring scenarios. Unfortunately, we faced technical difficulties and were able to get traffic to our sensors only by 19:00 on the first day of the "Confrontation". We received traffic and events, saw attacks and attempts to exploit vulnerabilities, but they were all blocked quite easily. We managed to build a good working relationship with the defending team, and they tried to respond promptly to information from us.

The most unpleasant surprise: all the attacks were very typical, there was no spark that would make all participants say: "Yes, that was cool." The attackers either did not want to share their secrets, or did not have enough time.

The main conclusion of the game: even if everything works for you the day before the "Confrontation", this does not guarantee it will work on the day of the "Confrontation" itself. But seriously, we tested our methods and our team in action and concluded that we achieved some success on both counts. That is very gratifying. Although there was not enough sharpness in the presentation and visualization of information."

SOC “False Positive” (Solar JSOC team, caring friends and SOC Russia builders):

"The impressions are positive. Like any large-scale event, PHDays 7 was not without hiccups, but in general the level of organization and the enthusiasm of the participants were very impressive. For us, this event was another opportunity to test the effectiveness of our content in synthetic but nevertheless interesting working conditions against professional pentesters. Last year we concentrated on network scenarios and tested them successfully; this year we refocused on working with hosts.

Unfortunately, the name "Enemy from the Inside" did not fully justify itself, since there was not very much social engineering or other delights of the new corporate security. Nevertheless, we consider the experience useful for the information security community as a test of their own strength by the attackers, the defenders and the SOC alike.

Of course, in such a large-scale project the balance of forces must be treated very carefully. At this event the bank became the most desirable target for the attackers, which, unfortunately, reduced their attention to the other protected infrastructures. Next year I would like to see even more fire and hardcore."

P.S. For those who were too absorbed in the hacker contests and did not have time for the PHDays VII talks, we remind you that most of the talks can be watched as recordings. On the right side of our player there is a menu where you can select the track you are interested in: www.phdays.ru/broadcast.

Source: https://habr.com/ru/post/329984/
