Opposition 2019: Jet Security Team ranked first in defense

For the third year in a row, the strongest security experts from Jet Infosystems took part in The Standoff at PHDays. Our Jet Security Team and Jet Antifraud Team fought shoulder to shoulder: the cyber battle lasted non-stop for 28 hours! According to the results of the “Confrontation”, our defenders became the best, not allowing the attackers to “hack” the whole city!

This year, the “Confrontation” was quite large: 18 attacking teams (more than 250 people!), 5 classic defense teams, an antifraud team and 3 SOC.

For 28 hours, the attackers attacked the virtual infrastructure (what else they will write in detail on Habré). Both common exploits and 0-day infrastructure vulnerabilities were detected. Advocates quickly identified attacks and patch vulnerabilities on the fly.
')


The attackers were not limited to this, using social engineering techniques for landing defenders to the rear:



The struggle was very tense, any technical and analog means were used:





Despite this, the Jet Security Team and the Jet Antifraud Team adequately withstood the attacks, and the hackers could not pick up a single “pub” from the bank - units of virtual currency.

Jet Security Team won a victory among the teams of defenders, steadfastly reflecting the numerous attempts of the attackers to break the infrastructure of the office of the sea transport company entrusted to it. For the first time, the team included specialists from the Jet CSIRT IS monitoring and response center, who closely followed each incident and blocked any threats in a timely manner.

For defenders, the event format has changed a bit. If earlier everyone had different protection objects (telecom, office, automated process control system) and it was difficult to compare them directly, now the organizers have prepared practically identical infrastructures for all teams of defenders and introduced a single rating. This definitely added a drive and stimulated our team to win.

For us, the object of protection has changed. If earlier it was a process control system, and the conditional “attack surface” was small, now we defended the office. There was Exchange with OWA, a VPN server, a terminal server exposed outside, many web services, telephony, and so on.
By tradition, access to the object of protection by the organizers is provided at the end of April. This year access was granted on April 26th. Also, by tradition, a moratorium on the work of advocates is usually introduced about a week before the “Confrontation” itself. Accordingly, the protection team usually has a little more than 2 weeks to study the object, develop a protection strategy, deploy SZI, set up, debug, etc. Taking into account the May holidays, pre-scheduled vacations of the team, this also added a drive and stimulated us to victory.

Ilya Sapunov, captain of the Jet Security Team.

Under the terms of the competition, the Jet Antifraud Team was not rated among the classic teams of defenders due to the peculiarities of the anti-fraud decision. Colleagues outside the competitive program once again showed the highest class of bank protection in the virtual city F, without missing a single attack from the attackers!

This year, attackers have become less active, but more thoughtful. The attackers stopped sending a large number of operations at random, picked up a lot of passwords, defended the stolen accounts, tried to disguise their operations as banking robots. However, this did not bring total success, and they did not even try to withdraw money through other services, such as telecom.

Alexey Sizov, captain of the Jet Antifraud Team.

The attackers had a hard time, but, despite the complex vulnerabilities and opposition from the defense, they showed a decent result:

The day began with the fact that at 9.45 the scans of MassScan were distributed to us. This marked the start of our work, we immediately wrote out all the hosts with an open 445 port and at exactly 10.00 we launched the already ready meta-exploit checker for MS17-010. In the bigbrogroup.phd network, there was one vulnerable host, in the first 10 minutes we exploited the vulnerability, fixed it, stuck in the system and received a domain administrator token. In this domain, as in all the others below, the reversible encryption option was enabled, which allowed us to pull out all the passwords from ntds.dit and pass them on to check.

Further at 18.00, we gained access to the CF-Media domain by exploiting a vulnerability in Nagios and rising through the unquoted path in one of the sudo scripts. After that, using password reuse, we got a local administrator on one of the domain computers CF-Media. The further path of operation was similar to the first domain.

At night, we were able to understand the principle of operation of several automated process control systems, and this allowed us to seize control of 2 points and perform 2 tasks in the production segment. In particular, we turned off the exterior lighting and arranged oil leaks from the storage tank. We also installed a miner on all servers and workstations controlled by us, totally our botnet consisted of about 30-45 hosts. All this time we were simultaneously breaking down the protected segments, but every time as soon as we received RCE, the defenders simply dropped the service and did not pick it up anymore.

At 12.15, we were announced the results of OSINT and distributed several domain accounts. Part of the defenders at this point simply dropped OWA and VPN. Some tried to really protect their services. One of these companies was behealty, whose advocates allowed us to connect via VPN and exploit MS17-010. And in the domain, to our surprise, there was again reversible encryption. The result is another +1.1 million posts and a confident victory in the competition.

Vitaly Malkin, head of security analysis department of Informzaschita, captain True0xA3 (the winners from the attackers promised to write a detailed analysis of the competition, wait on Habré).

From myself I want to note that the struggle was serious, literally until the last hours the intrigue remained - the teams of the CARK and SNIFF & WATCH did not allow the winners to relax, and any trifle or “Joker” could affect the result.

It was an epic battle, and I am pleased with the well-deserved victory of my colleagues.