December 2, 2015

Critical Vulnerabilities in 3G/4G Modems or how to build Big Brother

This report is the continuation of "#root via SMS", research conducted by the SCADA Strangelove team in 2014. It was devoted to telecommunications equipment vulnerabilities, with modem flaws only partially covered. This document describes vulnerabilities found and exploited in eight popular 3G and 4G modems available in Russia and worldwide. The findings include Remote Code Execution (RCE) in web scripts, integrity attacks, Cross-Site Request Forgery (CSRF), and Cross-Site Scripting (XSS).

The research covers a full range of attacks against carrier customers using these types of modems — device identification, code injection, PC infection, SIM card cloning, data interception, determining subscriber location, getting access to user accounts on the operator's website, and APT attacks.

November 18, 2015

Web-application vulnerabilities: no light at the end of the tunnel

There has been significant growth in web applications, from official sites and ERP systems, to e-commerce and e-banking platforms, and portals providing government services. These applications have increasingly become a target for hackers attempting to compromise enterprise information systems. Positive Technologies conducted a study in 2014 to assess the state of web application security. The key findings are discussed below.

October 30, 2015

HackerSIM: Blamestorming

Recently, there have been a lot of articles about a SIM card that has some incredible features. This topic sparked a lively discussion full of skepticism and mind-blowing theories. Let's lift the veil on some technical aspects of this story. Of course, we wouldn't be able to carry out the tests without the SIM card provided by @MagisterLudi.

A short summary for those who don't want to read the whole review:
  • There is no forced encryption, protection from intercept complexes, connection to a base station with the second strongest signal, IMSI and location hiding.
  • There is phone number substitution, voice substitution, and billing.
Let's take a closer look at each of these features.

October 22, 2015

Vulnerability Assessment According to CVSS 3.0

We have been using this assessment system since we created our vulnerability base and developed our first product, XSpider (I hope there are some who remember it). It is very important for us to maintain the knowledge base that we use in our products and services and keep it up-to-date. Since the guidelines to CVSS metrics do not cover all the possible vulnerabilities, the question arises: what is the best way to make the index reflect the real severity level of a vulnerability?

We are constantly monitoring the development of the standard, so we have been waiting for the final version of CVSS. When I opened the specification, I wanted answers to the following questions. What was improved? What exactly was changed? Can we apply the new standard to our products? And — considering the fact that the database is often managed by new specialists — how much time do you need to master the assessment procedure? And how clear are the criteria?

This article appeared in the course of studying the standard and will, hopefully, help you to understand the new vulnerability assessment procedure.

October 12, 2015

Industrial control system security in 2014: trends and vulnerabilities

In recent years, industrial control systems (ICS) have become a popular target for malicious users and cyber criminals. The Stuxnet (2010) and Flame (2012) worms were replaced by more complicated malware and sophisticated attack schemes in 2014. For example, hackers spread the Havex Trojan horse by injecting malicious code into SCADA software on vendors' websites. This malicious software was then downloaded in factories, so that attackers could obtain administrative access to industrial control systems in several European countries.

In 2012, specialists from Positive Technologies published a research paper entitled "SCADA Safety in Numbers". The current report is an update on that paper through 2015. Key trends in ICS security are listed below:

October 2, 2015

Positive Technologies Experts Detect Critical Vulnerability in Huawei LTE Modems

Huawei thanked the Positive Technologies experts Timur Yunusov and Kirill Nesterov and the information security specialist Alexey Osipov, who detected a harmful vulnerability in Huawei 4G USB modems (E3272s) and helped to fix it.

Following the research, the Chinese telecommunications equipment company issued a software update for the device.

According to the Huawei PSIRT bulletin, a potential intruder can block the device by sending a malicious packet. The Positive Technologies researchers claim that the vulnerability may lead to a DoS attack and remote arbitrary code execution via an XSS attack or stack overflow.

September 2, 2015

Key Vulnerabilities in Corporate Information Systems in 2014: Web Applications, Passwords and Employees

From 2013 to 2014, there was an increase in the vulnerability of the information systems of large enterprises. In about 60% of system attacks, the network perimeters were penetrated via web application vulnerabilities. Additionally in 2014, there was decreased awareness among employees regarding security issues, as they were more likely to follow unverified links and open files attached to e-mails from unknown sources.

These findings are outlined in detail in Positive Technologies’ 2014 penetration testing results publication and contrast significantly with the 2013 findings. The penetration testing simulates a hacker attack and provides a more realistic assessment than traditional auditing techniques alone.

August 21, 2015

Positive Technologies helps to eliminate critical vulnerabilities in Siemens and Schneider Electric SCADA systems

Ilya Karpov, a Positive Technologies expert, detected vulnerabilities in products intended for building automation systems in various industries — from petrochemical to power plants.

Ilya found a problem related to clear-text password storage in Schneider Electric systems — InTouch Machine Edition 2014 (version 7.1, Service Pack 3, Patch 4) and InduSoft Web Studio (, as well as in their previous builds. The vulnerability, which received the identifier CVE-2015-1009 and a base score of 6.4, cannot be exploited remotely, but exploiting it requires only a low-skilled internal attacker.

August 14, 2015

The eagerly awaited Gartner Web Application Firewall Magic Quadrant is released

For the first time our application firewall product, PT AF™, has been named a ‘visionary’ in the Gartner "Magic Quadrant for Web Application Firewalls" report. We are ecstatic that Gartner recognized Positive Technologies for its ability to innovate and outperform in the WAF market particularly as we are a new entrant to this Magic Quadrant. It is very rewarding to be recognized for a compelling vision and credited with demonstrating a strong capability to protect business applications, notably SAP.  We are delighted that the Gartner report also noted that our partners and customers speak highly of both our responsiveness and of the quality of our technical support as looking after our customers is key to our overall company vision and core to everything we do.

July 22, 2015

Digital Substation Takeover: Contest Overview

Digital Substation Takeover, presented by iGRIDS, was held at PHDays V. The contest's participants tried their hand at hacking a real electrical substation designed according to IEC 61850. The general task was to perform a successful attack against the electrical equipment control system.

Best Reverser Write-Up: Analyzing Uncommon Firmware

While developing tasks for PHDays’ reverse engineering contest, we aimed to replicate real problems that RE specialists might face. At the same time, we tried to avoid allowing cliché solutions.

July 6, 2015

The MiTM Mobile Contest: GSM Network Down at PHDays V

Although we have published several research works on cell phone tapping, SMS interception, subscriber tracking, and SIM card cracking, lots of our readers still regard those stories as some kind of magic used only by intelligence agencies. The MiTM Mobile contest was held at PHDays for the first time, and it let the participants realize how easily an attacker can conduct the above-mentioned attacks with only a $10 cell phone and some hacker freeware.

July 3, 2015

PHDays V Highlights: Signs of GSM Interception, High Time to Hack Wi-Fi, Future of Encryption

Technological singularity is expected in 15 years at best, but Positive Hack Days transition is happening right now. The fifth forum had a record attendance – over 3,500 visitors, which is comparable to the leading international hacker conferences, and the number of talks, sessions, and various activities surpassed one hundred. The incredible and exciting contests involved hacking spaceships, power plants, ATMs, and railway companies. More Smoked Leet Chicken became the winning champion of this year’s CTF, showing their best at stock exchange speculation. Congratulations! A detailed write-up about that is coming soon. Right now let’s focus on a number of recommendations and tips that impressed us most of all during the 2-day hacker marathon that took place in World Trade Center on May 26-27.

June 3, 2015

WAF Bypass at Positive Hack Days V

As it did last year, the PHDays forum on information security hosted WAF Bypass this year as well. The contest's participants tried to bypass the protection of PT Application Firewall, Positive Technologies' product. For this contest, the organizers developed the site Choo Roads, which contained common vulnerabilities, such as Cross-Site Scripting, SQL Injection, XML External Entities Injection, Open Redirect. Upon exploiting one of the vulnerabilities, a participant obtained a flag in the MD5 format and gained points. MD5 flags could be found in the file system, database, and cookie parameters and detected by a special bot that was developed by using Selenium.

May 22, 2015

Online banking vulnerabilities in 2014: Authentication, Authorization and Android

Today the security for online banking (OLB) is insufficient. High severity vulnerabilities in the source code and multiple flaws in authentication and authorization mechanisms of systems allow remote attackers to execute unauthorized transactions or take complete control of an affected system. This has the potential to cause both financial and reputation damage.

In this article we present some results of the research on OLB vulnerabilities discovered by Positive Technologies experts in 2013 and 2014 in the course of security assessments for a number of the largest Russian banks.

May 19, 2015

Schneider Electric Thanks the Winner of the Positive Hack Days Hacker Contest

In early April, Schneider Electric released several updates and patches fixing vulnerabilities in the software used for creating SCADA and HMI systems at nuclear power plants, chemical plants and other critical units.

The vulnerabilities, which even a novice attacker could exploit, were found in InduSoft Web Studio and InTouch Machine Edition 2014, as well as in previous versions of these products. Among the bugs fixed are arbitrary code execution and non-encrypted storage/transfer of sensitive data. The vendor recommends downloading the new patches as soon as possible.

Ilya Karpov and Kirill Nesterov, Positive Technologies researchers, detected the vulnerabilities during an ICS security analysis. Meanwhile, many bugs in those products were independently revealed by the participants of the Critical Infrastructure Attack contest held in May 2014 at the international infosec conference Positive Hack Days IV.

February 16, 2015

The research: Mobile Internet traffic hijacking via GTP and GRX

Most users assume that mobile network access is much safer because a big mobile-telecoms provider will protect subscribers. Unfortunately, as practice shows, mobile Internet is a great opportunity for the attacker.

Positive Technologies experts have detected vulnerabilities in the infrastructure of mobile networks, allowing an attacker to intercept unencrypted GPRS traffic, spoof the data, block the Internet access, and determine the subscriber's location. Not only cell phones are exposed to threats, but also special devices connected to 2G/3G/4G networks via modems: ATM machines and payment terminals, remote transport and industrial equipment control systems, telemetry and monitoring tools, etc.

February 6, 2015

How to Protect Yourself From an IE Zero-day Vulnerability That is Threatening Your Website

A new, previously unknown cross-site scripting vulnerability in Microsoft Internet Explorer, which lets remote users bypass the same-origin policy and inject arbitrary JavaScript into HTML pages, was revealed yesterday by

Researchers from published sample exploit code to demonstrate how to hack — Great Britain’s  leading online daily newspaper.  A specially formed link takes users to, followed by the message “Hacked by Deusen”.

Message on website

January 29, 2015

GHOST(dot)WEB: The First Blood

The Positive Technologies researchers report there is a working exploit for the GHOST vulnerability against the popular phpBB forum. The exploit for the gethostbyname function allows an attacker to gain full control over the operating system of the vulnerable server. phpBB is a well-known forum tool for websites. A quick Google search shows that this system is currently installed on more than 800,000 websites.

Of course, not all of them are vulnerable to GHOST, as it requires that several factors be taken into account. However, rich mechanisms to maintain host identification allow an attacker to create a specially crafted exploit via HTTP and achieve almost 100% success in conducting this attack.

January 19, 2015

Hacking ATM with Raspberry Pi

The first days of the new year came with a warning about a new class of ATM fraud named the "black box attack". The crooks gain physical access to the top of the cash machine, connect their own computer to the cash dispenser and force it to spit out cash, Krebs on Security reports. In fact, this technique isn't so new. The Positive Technologies experts Olga Kochetova and Alexey Osipov showed similar attacks on ATMs at Black Hat Europe 2014 in Amsterdam.

January 15, 2015

iOS Blocking — Do Not Give In to Cyber Blackmail!

Another scandal, besides the one with celebrity nude photo leaks, seems about to break out. Recently, many owners of Apple phones and tablets have faced iCloud account blocking. Accounts are blocked by Apple itself in response to continuous brute-force attempts. Positive Technologies experts warn you of iCloud blocking attacks conducted for the sake of blackmail and ask you to ignore suspicious emails.

Nowadays cybercriminals are very attentive to information security research — celebrity photos appeared on the Internet right after Andrey Belenko published his report "iCloud Keychain and iOS 7 Data Protection". Following the notorious photo publications, Apple restricted the number of login attempts. Once all of them fail, an account gets blocked.

Mobile eavesdropping via SS7 and first reaction from telecoms

Mobile network operators and manufacturers have finally commented on vulnerabilities in the SS7 technology that allow an intruder to perform subscriber tracking, conversation tapping and other serious attacks. We reported some of these vulnerabilities and attack schemes in May 2014 at Positive Hack Days IV as well as here in our blog.

In December 2014, these SS7 threats were brought to public attention again, at the Chaos Communication Congress in Hamburg, where German researchers showed some new ways to intercept and decrypt mobile phone calls using SS7. The research included more than 20 networks worldwide, including T-Mobile in the United States.