December 16, 2016

Cobalt: How Criminals Hacked ATMs


Following an extensive investigation, cyber security company Positive Technologies has today revealed how hackers were able to steal the equivalent of £28,000 ($35,000) overnight from six ATMs of an Eastern European bank. Its findings confirm that the theft could have been far worse: the technique used in the scam fortunately "clashed" with the financial institution's existing NCR ATM software, preventing the attackers from withdrawing further funds. It also warns that this group is likely to become active in the West soon.

November 2, 2016

Protecting the Perimeter: Old Attacks Work Just as Well as New Ones

When we think about external threats to information security, often our first thoughts are of hacker attacks on the network perimeter—say, advanced persistent threats (APTs) targeting large companies and governments. One example is the compromise of the Equation Group with publication of some of the group's tools for breaching the network perimeter. But as it turns out, many of the exploits have been known for a long time, although the “cherry on the cake” was a zero-day vulnerability for SNMP services (with SNMP standing for “Security Not My Problem”). While we do not have a full list of the compromised exploits, we can start with the other end of the equation by evaluating the state of protection of corporate perimeters with the help of real-world vulnerability statistics.

One such study was presented at PHDays VI as part of Positive Research 2016. The sample spanned approximately 10,000 accessible addresses and 15,000 vulnerabilities over a two-year period (2014–2015). Note that these numbers include ONLY network perimeters with above-average security. Only companies with asset inventory and vulnerability management processes (which, in turn, enable collecting statistics) were included.

Let's start with the “sexiest” morsel from the published exploit pack: the SNMP 0-Day. Is this something to be worried about? Our study shows that the answer is “yes”. A few reasons:

October 7, 2016

Industrial Control Systems 2016 Report: Connected and Vulnerable

Industrial control systems (ICS) are part and parcel of everyday life, from smart homes to nuclear power stations. ICS bridge the gap between the digital world and the physical world by interpreting the commands that control turbines, switches, valves, and more. Because these systems are complex, critical to infrastructure, and often Internet-connected, they make a very tempting target for hackers.

The number of vulnerable ICS components grows every year. Nearly half of the vulnerabilities identified in 2015 are high-risk – and the majority of vulnerabilities were found in the products of the most well-known vendors. Widespread poor security practices, such as default passwords and dictionary-guessable passwords, make it easy for outsiders to access the systems and gain control.

These are the sobering conclusions of research by Positive Technologies, which analyzed data on ICS vulnerabilities from 2012 to 2015, as well as information on the Internet availability of ICS components in 2015. Below is a summary of the findings.

September 8, 2016

Online Banking Vulnerabilities: Authorization Flaws Lead the Way

Online banking (OLB) systems are publicly available web and mobile applications, so they suffer from vulnerabilities typical of both web applications and banking systems. Bank-specific threats include theft of funds, unauthorized access to payment card data, personal data and bank secrets, denial of service, and many other attacks that can trigger significant financial and reputational losses.

This report synthesizes statistics that were gathered during OLB security audits performed by Positive Technologies in 2015. Comparison with the results obtained in 2013 and 2014 vividly illustrates the dynamics of information security development in modern OLB systems.

August 31, 2016

Attacking SS7: Mobile Operators Security Analysis

The interception of calls is quite a challenging task, but not only intelligence services can pull it off. A subscriber may become a victim of an average hacker who is familiar with the architecture of signaling networks. Commonly known SS7 vulnerabilities allow for the interception of phone calls and texts, can reveal a subscriber’s location, and can disconnect a mobile device from a network.

In 2015, Positive Technologies experts conducted 16 sets of testing involving SS7 security analysis for leading mobile EMEA and APAC operators. The results of the top three projects are included in the statistics below. In this article, we will review the security level experienced by mobile network subscribers, as well as all industrial and IoT devices — from ATMs to GSM gas pressure control systems, which are also considered mobile network subscribers. This article describes detected issues and suggests ways to counter threats.

August 25, 2016

Pattern language for a universal signature-based code analyzer

The process of signature-based code analysis in PT Application Inspector is divided into the following stages:
  1. Parsing into a language dependent representation (abstract syntax tree, AST).
  2. Converting an AST to a language (agnostic) unified format.
  3. A direct comparison with patterns described in the DSL.

The present article focuses on the third stage, namely: ways of describing patterns, development of a custom DSL that allows patterns to be described, and patterns written in this language.

August 23, 2016

Web Application Vulnerabilities-2016: Users Unprotected

Modern web technologies allow businesses to solve organizational issues cost-effectively and efficiently and demonstrate their services and products to a wide range of audiences through the Internet. However, attackers may exploit websites as an easy access point to company infrastructure. This can cause financial and reputational damage, and despite well documented incidents involving compromised security, developers and administrators still pay little attention to the security of web applications.

Positive Technologies experts examine around 300 web applications each year using various techniques from instrument to source-code analysis. This report provides a summary of statistics and findings gathered during penetration testing of web applications in 2015. It also compares 2015 results to those in 2013 and 2014 and tracks the dynamics of web application development in the context of delivering information security.

July 27, 2016

Tree structures processing and unified AST

The previous article in this series discussed the theory of source code parsing in ANTLR and Roslyn. The article pointed out that signature-based code analysis in PT Application Inspector is divided into the following stages:
  1. Parsing into a language dependent representation (abstract syntax tree, AST).
  2. Converting an AST to a language independent unified format (unified AST, UAST).
  3. A direct comparison with patterns described in the DSL.

The current article focuses on the second stage, which includes AST processing using Visitor and Listener strategies, converting an AST to a unified format, simplifying an AST, and the algorithm for matching tree structures. Sections covered:
  • AST Traversing
  • Visitor and Listener
  • Grammar and Visitor in ANTLR
  • Types of nodes in a unified AST
  • Testing of converters
  • Simplifying a UAST

July 19, 2016

A Positive Technologies Expert Helped to Protect ABB Digital Substations from Cyberattacks

ABB, a Switzerland-based company that produces software for control systems in the energy industry, has acknowledged that its PCM600 suffers from four vulnerabilities related to insecure password storage. They were detected and reported to the vendor by Ilya Karpov, an ICS security expert from Positive Technologies.

As noted in the ICS-CERT advisory, the ABB engineering software for industrial automation management (protective relays, IEDs) is deployed in electric power substations around the world. PCM600 versions up to and including 2.6 suffer from the vulnerabilities found by Ilya Karpov. Exploiting these flaws allows a low-skilled attacker, or malicious software, with access to a local machine that has ABB's PCM600 installed to reconfigure a project or obtain critical information that grants read and write access via OPC.

June 24, 2016

Antivirus As a Threat

Many people do not consider antivirus tools to be a threat. Antivirus software is frequently considered a trusted application: it may reduce information system performance, but it provides protection against different types of attacks. As a result, antivirus can be the sole protection tool for the end user, while a suite of antivirus software becomes the principal security measure for enterprises.

However, as with any complex program, antiviruses are inherently vulnerable. Antivirus processes are trusted and run in privileged mode with extensive access rights, which makes antiviruses appealing to attackers, as their exploitation can lead to system compromise.
Currently, more attention is being paid to vulnerabilities in protection software, and antiviruses in particular. The swelling number of exploits found and published in exploit-db and other resources indicates that this is a growing problem.

The chart above demonstrates the number of vulnerabilities found yearly in well-known antivirus software for the last 15 years. In the 2000s, information about antivirus vulnerabilities was published rarely, but in 2015, more than 50 exploits based on such critical vulnerabilities in antiviruses as authentication bypass, privilege escalation, and remote code execution were published.

June 20, 2016

Theory and Practice of Source Code Parsing with ANTLR and Roslyn

PT Application Inspector provides several approaches to analysis of the source code written in different programming languages:
  • Search by signatures.
  • Exploring the properties of mathematical models derived from the static abstract interpretation of code.
  • Dynamic analysis of the deployed application and verification of the static analysis results.
This series of articles focuses on the structure and operation principles of the signature analysis module (PM, pattern matching). The key benefits of such an analyzer include high performance, simplicity of pattern description, and scalability across various languages. The disadvantage of this approach is that the module is not able to analyze complex vulnerabilities, which require developing high-level models of code execution.

The following requirements have been defined for the module under development:
  • Capability of working with multiple programming languages and the option to add new ones easily.
  • Functionality that allows analysis of the code containing syntactic and semantic errors.
  • Capability of describing patterns using a common programming language (DSL, domain specific language).
In this case, all the patterns describe flaws or vulnerabilities in the source code.

June 9, 2016

PHD VI: How They Stole Our Drone

This year, a new competition was introduced at PHDays, where anyone could try to take control over a Syma X5C quadcopter. Manufacturers often believe that if they implement a wireless standard instead of IP technology, they may not think about security. As if hackers would give up because dealing with something other than IP is too long, difficult, and expensive.

But in fact, SDR (software-defined radio) is an excellent way to access the IoT, where the initial barrier is set by how much care and concern the IoT vendor has put in. However, even without SDR you can work wonders, even in the limited space of frequencies and protocols.

The contest goal is to take control over a drone.

  • drone control range: 2.4 GHz ISM,
  • control is driven by the module nRF24L01+ (actually, by its clone — BK2423).

Facilities (optional): Arduino Nano, nRF24L01+.

The hijacker received the Syma X8C as a prize.

Since those who wanted to steal our drone were trained people who had HackRF, BladeRF, and other serious tools in their arsenal, we describe two hijack methods: via SDR and nRF24L01+.

PHDays VI: WAF Bypass Contest

The WAF Bypass competition, now an annual event held during Positive Hack Days, an international forum on information security, was organized in May this year as well. The contest’s participants attempted to bypass the security checks of PT Application Firewall that protected vulnerable applications. Positive Technologies specialists had introduced configuration errors that allowed some bypassing of the system.

The goal of each task was to retrieve a flag stored in a database, in the file system, or in cookies given to a special bot. Below are descriptions and solutions of the contest's tasks.

May 5, 2016

“Squoison” Attack: High-severity Vulnerability in Squid Proxy Server Allows Cache Poisoning

Jianjun Chen, a postgraduate student at Tsinghua University, discovered a critical vulnerability in the popular Squid proxy server. He found that the system fails to conform to the RFC 7230 standard and does not parse and process the Host header in HTTP requests properly. This allows attackers to conduct a cache poisoning attack using a specially crafted malicious packet.

March 31, 2016

From Telemetry to Open Source: an Overview of Windows 10 Source Tree

There is a lot of internal information available about Microsoft software, despite the fact that it is closed-source. For example, library functions are exported by name, which reveals some information about the interfaces used. Debugging symbols used for troubleshooting operating system errors are publicly available; however, only compiled binary modules are at hand. In this article, we will try to determine what they looked like prior to compilation using only legal methods.

February 24, 2016

Decipher Updates of a Popular 4G Modem: Dmitry Sklyarov’s Method

What can a reverse engineer do if, when trying to examine device code, he can't find anything except encrypted firmware files? Here is a real story of how to meet the challenge with basic knowledge of computer science and mere logic.

We do not specify the modem vendor or exact names of the files deliberately — this article focuses on the challenge and an interesting approach to the solution. This method is not applicable to the latest models of the modem, but it might work with older ones and other vendors.

February 4, 2016

PayPal Remote Code Execution

In December 2015, I found a critical vulnerability in one of PayPal's business websites. It allowed me to execute arbitrary shell commands on PayPal web servers via unsafe Java object deserialization and to access production databases. I immediately reported this bug to the PayPal security team, and it was fixed promptly.

January 22, 2016

FreeBSD Remote DoS Exploit (Demo) (CVE-2016-1879)

The FreeBSD team has announced that their operating system was found to contain critical vulnerabilities that could be exploited to conduct DoS attacks, escalate user privileges, and disclose important data.