Out of 500 participants of OpenBonch 2022, only 64 made it to the finals of the competition that took place at the Bonch-Bruevich St. Petersburg State University of Telecommunications on October 5-7. 

ITMO was represented by the team ITMO))), comprised of first- and second-year Master’s students at the Faculty of Secure Information Technologies: Timur Abdullin, Nikita Chelnokov, German Ritter, Dmitry Sibirtsev, and team captain Georgy Gennadiev. This is not their first triumph: in April of this year, they won a competition on information security CyberSPbSUT 2022, and in June they attended the international cyberdrills that took place at St. Petersburg Economic Forum. Under the name FaKappa, the team have also won various CTF competitions.

At OpenBonch 2022, the cybercrimes were simulated using a digital double of an IT company’s infrastructure. Malefactors entered the system and encrypted the information, which was important to the employees. The participants had to track down all the moves of the attackers, get rid of malware, restore damaged data and detect the flag – a random encrypted phrase that was left by the organizers at one of the virtual machines of the digital double.

It took the team three hours to solve all the tasks. To trace the malefactor, the members made use of their experience of playing for the other side and hacking the corporate system as pretend malefactors in other cyberdrills attacking corporate structures, as well as the MaxPatrol SIEM program, which helped build the model of the infrastructure, collect, and analyze data on ongoing changes. To prevent encryption, they used standard Linux and Windows tools.

As a result, the team found out that the attacker entered the corporate website of the company using the Log4shell vulnerability, and then made use of ProxyLogon that helps execute code at Microsoft Exchange servers. That’s how the malefactor received remote access to the mail server. Then they planned to dump the Isass.exe process, create a copy of RAM, and make a new user profile. However, the organizers weren’t able to launch the script. According to the task, the cyberattacker did create the profile and could employ new domain computers. They performed the sAMAccountName Spoofing (noPac) attack, seized access to the domain’s controller, then did the DCSync attack and received all profile data from the domain, exfiltrated all mailboxes using the mail server’s profile, as well as launched the encryptor at the file and corporate website’s servers.

According to ITMO’s team captain Georgy Gennadiev, the fact that the organizers didn’t launch one of the scripts complicated the task because they lacked information to continue the investigation.

Georgy Gennadiev at the award ceremony (CyberSPbSUT 2022). Credit: http://www.sut.ru/

Georgy Gennadiev at the award ceremony (CyberSPbSUT 2022). Credit: http://www.sut.ru/

“The dump of Isass.exe process is a noticeable action because most antimalware and EDR solutions are able to detect it and that would be an easier way to trace the attacker’s moves. Without it, we had to spend more time looking for the ProxyLogon shell to realize that it was indeed the vulnerability the malefactor exploited. It also influenced our next moves – we didn’t know which data was received, so we had to first miss one step and then return to it again,” he says.

The ITMO))) team completed the investigation of the cybercrime despite the dysfunctional script, gained 89 points, and became the winner. In November, the team from ITMO will take part in the selection stage of the CTF Cup Russia.

The second and third places were taken by students of the Northern (Arctic) Federal University named after M.V. Lomonosov and Kazan National Research Technical University named after A. N. Tupolev. All winners received certificates and gifts.

The OpenBonch 2022 competition took place as part of the federal project Information Security of the national program Digital Economy of the Russian Federation with support from the National Cyber Polygon.