July 5, 2019

IronPython, darkly: how we uncovered an attack on government entities in Europe


Hunting for new and dangerous cyberthreats is the job of the Positive Technologies Expert Security Center (PT ESC). In early April 2019, PT ESC analysts detected a targeted attack on the Croatian government. In this article, we will outline what makes this threat so interesting: delivery chain, indicators of compromise, and use of a new post-exploitation framework that to our knowledge has not previously been used by threat actors.

July 2, 2019

IDS Bypass contest at PHDays: writeup and solutions

Positive Hack Days 2019 included our first-ever IDS Bypass competition. Participants had to study a network segment of five hosts, and then either exploit a service vulnerability or meet a particular criterion (for example, send a certain HTTP response) in order to get a flag. Finding an exploit was easy, but the IDS complicated things as it stood between the participants and the hosts, checking every network packet. When a signature blocked the connection, participants were informed via the dashboard. Here are details on the tasks and the ways to solve them.


June 18, 2019

Four ways to phish: how to avoid falling for scammers' bait


Phishing is one of the main cybersecurity threats targeting Internet users. Today we will describe how these attacks work and how not to become a victim.

May 28, 2019

How analyzing one critical DHCP vulnerability in Windows 10 led to discovery of two more

As described in our earlier article about CVE-2019-0726, sometimes a search for details of a known vulnerability leads to discovery of a new one. Sometimes even more than one.

The article touched upon two functions of the library dhcpcore.dll: UpdateDomainSearchOption, mentioned in passing, and DecodeDomainSearchListData, which is called by the first function and was described in more detail. As always happens when looking for vulnerabilities, even if the important findings boil down to just one or two functions, there's a lot more code to review first. Occasionally you notice small things that are not relevant to the task at hand but may have their own significance or become useful later. Even if you have no time to dwell on them in the moment, your brain still takes note, and they surface again if after a while you get the chance to go back and check your guess.

May 16, 2019

DHCP security in Windows 10: analyzing critical vulnerability CVE-2019-0726

When the January updates for Windows were released, the public was alarmed by news of critical vulnerability CVE-2019-0547 in DHCP clients. The alarm was heightened by a high CVSS score and by the fact that Microsoft did not release an Exploitability Index assessment right away, which made it more difficult for users to decide whether they needed to update their systems immediately. Some publications even speculated that the absence of the Exploitability Index pointed to the appearance of a usable exploit in the near future.

Solutions such as MaxPatrol can identify which computers on a network are vulnerable to certain attacks. Other solutions detect such attacks. For these solutions to work, both the rules for identifying vulnerabilities in products and the rules for detecting attacks on those products need to be described. This, in turn, is possible if, for each vulnerability, we figure out the vector, method, and conditions of exploitation: in other words, all the details and nuances related to exploitation. This requires a much deeper and fuller understanding than can usually be found in descriptions on vendors' sites or in CVE, for example:

The reason for the vulnerability is that the operating system incorrectly handles objects in memory.

So, to update our products with rules for detecting attacks targeting the newly discovered vulnerability in DHCP and rules for identifying affected devices, we needed to dive into all the details. With binary vulnerabilities, one can often get to the faults lying at their root by using patch-diff, which compares and identifies the changes to the binary code of an app, a library, or an operating system's kernel made by a specific patch or update fixing the error. But Step 1 is always reconnaissance.

Note: To go directly to the vulnerability description, without reading the DHCP concepts it's based on, you can skip the first several pages and go straight to the section titled "DecodeDomainSearchListData function".

April 15, 2019

Protecting Money On The Internet. Five Tips To Secure Your Online Transactions

According to Positive Technologies research data, the security of financial applications keeps improving. Banks invest heavily in the security of their products. As a result, hackers find it easier to go after bank clients and people shopping online than to attack the banks themselves.

Here are some useful tips from Positive Technologies experts to help you protect your money online.

March 24, 2019

How Not To Help Hackers: 4 Common Security Mistakes Of Office Workers

Cybercriminals increasingly target office staff, knowing full well that people are the weakest link in corporate protection systems. Today we'll discuss information security mistakes made by office workers, and how to avoid becoming an unwitting accomplice to hackers in compromising company infrastructure.

February 19, 2019

Detecting Web Attacks with a Seq2Seq Autoencoder


Attack detection has been a part of information security for decades. The first known intrusion detection system (IDS) implementations date back to the early 1980s.

Nowadays, an entire attack detection industry exists. There are a number of kinds of products—such as IDS, IPS, WAF, and firewall solutions—most of which offer rule-based attack detection. The idea of using some kind of statistical anomaly detection to identify attacks in production doesn’t seem as realistic as it used to. But is that assumption justified?

January 16, 2019

The Cost Of Security And Privacy For Telcos: How To Do The Math

Join Positive Technologies’ telecoms expert Michael Downs for a thought-provoking webinar on the processes and best practices all operators should be following to ensure their networks are secure. In this informative webinar, participants will get an understanding of:

  • the critical security incidents facing telcos every day globally and how operators can remain vigilant in order to support revenue growth
  • how to get transparent TCO (total cost of ownership) estimates for security and significant return on investment while staying in budget
  • the steps required to guarantee compliance with an ever-growing list of requirements in the mobile sector, including 5G and Internet of Things (IoT)

During the webinar, Michael Downs will explain how telecommunication providers can establish ongoing security and data protection processes, and shift from a check-box approach to proactive protection – an essential step for operators in order to effectively fight modern threats. A GDPR expert will also join the discussion to offer attendees insights into how the legislation impacts the telecoms industry and the compliance issues many are facing. 

This immersive session will also include interactive polls and self-assessment surveys to help participants better understand the challenges their company faces and the ways they can improve their overall security posture.

Register here: Telecom privacy and security: how to do the math

January 15, 2019

Remarkable talks from 35C3

The 35th Chaos Communication Congress was held at the end of December 2018 in Leipzig, Germany. I have attended a lot of interesting lectures. In this article I'll share the list of great technical talks which I liked the most.