Pull to refresh
Show first

Implementing hypervisor-level behavioral analysis in Linux

Level of difficulty Medium
Reading time 7 min
Views 525

Hey there, Habr! My name is Alexey Kolesnikov. I am a Malware Detection Specialist at the Positive Technologies Expert Security Center (PT ESC). I recently spoke at the AVAR 2023 international conference in Dubai, where I covered new plugins developed by PT ESC for an open-source dynamic malware analysis system named DRAKVUF and demonstrated how they can be used to detect current Linux threats in sandbox for protection against targeted and mass attacks PT Sandbox.

Read on for a brief overview of popular malware monitoring tools for Linux, a description of how our plugins work in DRAKVUF, and a malware analysis that relies on these plugins.

Read more
Total votes 2: ↑1 and ↓1 0
Comments 0

ATM security analysis 3.0: PHDays 12 in review

Reading time 8 min
Views 729

 Python, Java, C++, Delphi, PHP—these programming languages were used create a virtual crypto ATM machine to be tested by the participants of the $NATCH contest at Positive Hack Days 12. The entire code was written by ChatGPT and proved to be exceptionally good. This time, we had reviewed the contest concept and decided to use a report system. In addition to standard tasks (kiosk bypass, privilege escalation, and AppLocker bypass), this year's participants faced new unusual tasks. Read on below to find out which ones.

Read more
Rating 0
Comments 1

Payment Village at PHDays 11: pentesting our online bank

Reading time 13 min
Views 1K

Hello everyone! We've already talked in our blog about how the Positive Hack Days 11 forum had a special Payment Village zone, where anyone could look for vulnerabilities in an online bank, ATMs, and POS terminals. Our competition to find vulnerabilities in an online bank is not new, but in recent years it has been somewhat supplanted by ethical hacking activities for other financial systems. In 2022, we decided to correct this injustice and created a new banking platform, making use of all our years of experience. We asked the participants to find typical banking vulnerabilities and report them to us. In the competition, the participants could play for either the "white hats" (participate in the bug bounty program of an online bank) or for the "black hats" (try to steal as much money from the bank as possible).

Read more
Rating 0
Comments 0

Payment Village at PHDays 11: ATM hacking

Reading time 7 min
Views 1.6K

The Positive Hack Days 11 forum, which took place May 18–19, 2022, was truly epic. The bitterly fought ATM hacking contest featured no fewer than 49 participants. How cool is that? The winner of this year's prize fund of 50,000 rubles, with the handle Igor, was the first to hack the virtual machines. And he wasn't even at the event! :)

Besides Igor, eight other participants picked up prizes this year for their VM-hacking skills. They were: drd0cvientvrazovdurcmzxcvcxzas7asg_krdhundred303, and drink_more_water_dude. A big thank-you to everyone who took part, and for those who weren't at PHDays, here are the links to the virtual machines.

Read more
Total votes 5: ↑3 and ↓2 +1
Comments 1

Top 10 incident response mistakes

Reading time 9 min
Views 1.1K

Imagine someone withdrew money from a company's account at night. The next morning panic breaks out, leading to yet more problems. The IT department can reinstall a compromised system from scratch or restore it from backup. Reinstalling from scratch will wipe out all traces left by the attackers, and external investigators will have to search for clues in other systems. Restoring from backup carries the risk of accidentally reinstating a compromised image. In this paper, we will describe common mistakes that experts make when responding to security incidents.

Read more
Rating 0
Comments 0

IDS Bypass at Positive Hack Days 11: writeup and solutions

Reading time 10 min
Views 1.7K

The IDS Bypass contest was held at the Positive Hack Days conference for the third time (for retrospective, here's . This year we created six game hosts, each with a flag. To get the flag, participants had either to exploit a vulnerability on the server or to fulfill another condition, for example, to enumerate lists of domain users.

The tasks and vulnerabilities themselves were quite straightforward. The difficulty laid in bypassing the IDS: the system inspected network traffic from participants using special rules that look for attacks. If such a rule was triggered, the participant's network request was blocked, and the bot sent them the text of the triggered rule in Telegram.

And yes, this year we tried to move away from the usual CTFd and IDS logs towards a more convenient Telegram bot. All that was needed to take part was to message the bot and pick a username. The bot then sent an OVPN file to connect to the game network, after which all interaction (viewing tasks and the game dashboard, delivering flags) took place solely through the bot. This approach paid off 100%!

Подробнее
Total votes 3: ↑3 and ↓0 +3
Comments 0

PHDays 11: bootkit infection, sanitizers for the Linux kernel, the new face of OSINT, and phishing on official websites

Reading time 3 min
Views 1.5K

Positive Hack Days 11 will begin in a matter of weeks. This international forum on practical security will be held on May 18–19 in Moscow.

As per tradition, PHDays will have three big tracks dedicated to countering attacks (defensive), protection through attack (offensive), and the impact of cybersecurity on business. It is our pleasure to present the first talks.

Read more
Total votes 1: ↑0 and ↓1 -1
Comments 0

On the recent vulnerability in Diebold Nixdorf ATMs

Reading time 8 min
Views 3.9K

Hi there! A while ago, Positive Technologies published the news that ATMs manufactured by Diebold Nixdorf (previously known as Wincor), or more specifically, the RM3 and CMDv5 cash dispensers, contained a vulnerability which allowed attackers to withdraw cash and upload modified (vulnerable) firmware. And since my former colleague Alexei Stennikov and I were directly involved in finding this vulnerability, I would like to share some details.

Read more
Total votes 5: ↑5 and ↓0 +5
Comments 2

How to detect a cyberattack and prevent money theft

Reading time 13 min
Views 1.9K

Money theft is one of the most important risks for any organization, regardless of its scope of activity. According to our data, 42% of cyberattacks on companies are committed to obtain direct financial benefits.  You can detect an attack at various stages—from network penetration to the moment when attackers start withdrawing money.  In this article, we will show how to detect an attack at each of its stages and minimize the risk, as well as analyze two common scenarios of such attacks: money theft manually using remote control programs and using special malware—a banking trojan.

Read more
Rating 0
Comments 0

Positive Technologies Brings ‘Hackable City’ to Life in The Standoff Cyberbattle at HITB+ CyberWeek

Reading time 2 min
Views 1.2K
Attackers and defenders to face off in digital metropolis security challenge featuring real-world critical infrastructure and technologies.



Cybersecurity experts at Positive Technologies and Hack In The Box are inviting red and blue team security specialists to test their skills attacking and defending a full-scale modern city at The Standoff Cyberbattle held during HITB+ CyberWeek. This mock digital metropolis with full IT and OT infrastructure including traffic systems, electrical plants, and transportation networks will feature all the latest technologies used in actual critical infrastructure installations, allowing players to expose security issues and the impact they might have on the real world.
Read more →
Total votes 15: ↑14 and ↓1 +13
Comments 0

Detecting Web Attacks with a Seq2Seq Autoencoder

Reading time 7 min
Views 5.4K
image

Attack detection has been a part of information security for decades. The first known intrusion detection system (IDS) implementations date back to the early 1980s.

Nowadays, an entire attack detection industry exists. There are a number of kinds of products—such as IDS, IPS, WAF, and firewall solutions—most of which offer rule-based attack detection. The idea of using some kind of statistical anomaly detection to identify attacks in production doesn’t seem as realistic as it used to. But is that assumption justified?
Read more →
Total votes 23: ↑22 and ↓1 +21
Comments 0

Information

Website
www.ptsecurity.com
Registered
Founded
2002
Employees
1,001–5,000 employees
Location
Россия