Headline
PHDays 11: towards the Independence Era
Hello everyone! In this episode, I want to talk about the Positive Hack Days 11 conference, which took place on May 18 and 19 in Moscow. As usual, I want to express my personal opinion about this event. Alternative video link (for Russia): https://vk.com/video-149273431_456239091 As I did last year, I want to start talking about this […]
Hello everyone! In this episode, I want to talk about the Positive Hack Days 11 conference, which took place on May 18 and 19 in Moscow. As usual, I want to express my personal opinion about this event.
Alternative video link (for Russia): https://vk.com/video-149273431_456239091
As I did last year, I want to start talking about this conference with a few words about the sanctions. US sanctions against Positive Technologies, the organizers of Positive Hack Days, were introduced a year ago. At that time it seemed very serious and extraordinary. But today, when our country has become the most sanctioned country in the world, those sanctions against Positive Technologies seem very ordinary and unimportant. In fact, it even seems to benefit the company somehow.
Positive Technologies
At the end of last year, Positive Technologies became a public company with a strong focus on the domestic market and the market of friendly countries. The financial results are very impressive. The company’s marketing is better than ever, especially everything related to video production. And, of course, their products are in even greater demand, because Western vendors have left the Russian market.
As for the event, it is still the most important information security conference in Russia. In fact it was the most visited PHDays. 10,000+ guests at the Moscow World Trade Center, 130,000+ viewers of online broadcasts. I was only on the second day, when it was not as crowded as the first day of the conference. The atmosphere at the event was not the same as at a regular conference. It was more like a nightclub. Subdued lights, music, a lot of screens and all sorts of lighting effects. Very unusual.
The Standoff
The main show of the conference is the CTF competition of hackers and blue teams, The Standoff. The toy city, which displays the infrastructure of the virtual state of F, has become really huge. Entire sectors of the economy were represented there: metallurgy, electric power industry, oil industry, transport, banking system, housing management. etc. All this is interconnected. An attack on one object can cause a butterfly effect that affects the entire state. Very impressive!
Talks
The PHDays 11 program included about 100 talks, which were attended by more than 250 speakers. One of them was me. It makes no sense to list all the talks, but logically I would highlight out 3 of them.
- Sergey Golovanov “01111111day“ (rus). He spoke about the attacks on Russian organisations after February 23rd. To summarize all that has been said, the number of attacks has become much greater. The source of the attacks is clear. Most of the attacks were simple and it was hacktivism, but they get more complicated with time. The main attacks are DDoS and penetration into the infrastructure for further data theft and destruction. Phishing is one of the commonly used penetration channels.
- Alexander Goncharov “CVE-2021-40444: why it is important” (rus). Microsoft MSHTML Remote Code Execution Vulnerability. This is not the newest vulnerability, one of many. But in fact, it continues to be actively exploited, and mainly through phishing. Why? Since users are susceptible to phishing, hosts are not updated and hardened (disabling ActiveX, preventing office applications from creating child processes). And all this, of course, needs to be implemented in organizations. But one of the interesting questions is: can we now trust vendor updates that fix vulnerabilities? Alexander replied that we can, because enterprise IT vendors like Microsoft will not disable anything in terms of functionality. Simply because it will be a blow to their reputation.
- And my presentation was just about this topic of trust. “The new reality of information security and vulnerability management” (rus). You can watch the video in my YouTube channel in Russian and with simultaneous translation. Simultaneous translation is difficult to do, especially in the fast track, so I will also make an extended English version of this report for VMconf 22. By the way, you can also submit a video about Vulnerability Management there if you want. So what was my report about. The new reality of information security (TNRoIS) began in February 2022. In this new reality, global vendors and open source software are less trusted than before. What was only recently viewed as a competitive product or service, has become a means of pressure, a Trojan horse, a threat to corporate information security. The new reality sets new requirements for key corporate processes, including the choice of IT products and information security solutions, security analysis, and update management. The forced de-Westernization of the IT infrastructure of Russian companies will not happen overnight. This is a long and difficult process. For example, is it true that by 2025 there will be no Microsoft software in Russian companies and everything will work on Russian Linux distributions? Now it seems too ambitious. Most likely we will see some kind of hybrid mode with a complex process of supporting unstable Western IT solutions and a simplified process for stable, mainly Russian IT solutions. Of course, it will be much more difficult than it was before, but there is a challenge in these difficulties. The problems faced by the Russian organizations in extreme form are relevant to much of the world, which means that certain terminology, approaches, and solutions can be successfully exported.
What could be better on PHDays 11?
Well, there were few speeches about Vulnerability Management. For my taste. There was my presentation, there were a couple of speeches about specific vulnerabilities and rootkits, there was a basic interview about Vulnerability Management (rus) and an interview about MaxPatrol O2 (rus). But it was very fragmented. It seems to me that the main conference of the leading Russian Vulnerability Management vendor should have a session or maybe even a track about Vulnerability Management. At least 2-3 hours. It would be nice to have a program that would resemble Qualys QSC. After all, they talk about VM all day, why is it not possible on PHDays? Ideally, if there would be 80% about interesting practical cases and processes and 20% about how to solve them using Positive Technologies products (as a demonstration). That would be really cool and that would be right.
It may sound silly, but I missed bag chairs and sofas. There were far fewer of them. In past years, I liked to sit on them, relax and talk with colleagues. This time all the conversations were on the feet and it was not very convenient.
It seems like PHDays needs more space. There were practically no seats left in the halls. The fast track where I performed was in a tiny hall, which is not so easy to find. The organizers said that it did not happen on purpose. The schedule was changed at the last moment and the Fast Track had to be moved from a more convenient place. It’s a bit sad, but the fact that full-length reports are a priority is right. And in our post-COVID time, the most important thing is video broadcasting, and it was at a very high level. My presentation went well, the audience was friendly, there were some very interesting questions.
Many thanks to the organizers and participants. Until the next PHDays!
Hi! My name is Alexander and I am an Information Security Automation specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
Related news
An advanced persistent threat (APT) group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida. Cybersecurity firm Trend Micro, which observed the activity in mid-May 2024, the vulnerability – tracked as CVE-2024-38112 – was used as part of a multi-stage attack
Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S. "MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems," Fortinet FortiGuard
Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems. "LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin said. "It primarily targets Windows systems and aims to gather sensitive information from
By Waqas LokiBot, a notorious Trojan active since 2015, specializes in stealing sensitive information from Windows machines, posing a significant threat to user data. This is a post from HackRead.com Read the original post: New Attack Drops LokiBot Malware Via Malicious Macros in Word Docs
The Russian state-sponsored threat actor known as APT28 has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware. The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," cybersecurity firm Cluster25 said in a technical report. "The code execution runs a
A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.
The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.
Though the once-popular browser is officially now history as far as Microsoft support goes, adversaries won't stop attacking it, security experts say.
Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.
Proof of concept for the remote code execution vulnerability in MSDT known as Follina.
Unisphere for PowerMax versions prior to 9.2.2.2 contains a privilege escalation vulnerability. An adjacent malicious user could potentially exploit this vulnerability to escalate their privileges and access functionalities they do not have access to. CVE-2022-31233 addresses the partial fix in CVE-2021-36338.
Microsoft MSHTML Remote Code Execution Vulnerability