Business cases of the projects we have completed
We were approached by a company that was planning to enter the promising cryptocurrency market. To accomplish this goal, the company had developed a cryptocurrency exchange web application. Before publishing the application on the Internet, the company decided to perform an information security audit, using penetration testing methods according to the OWASP methodology. They requested such a service from us.
The testing was conducted in black-box mode: at the initial stage, the auditors had at their disposal only the URL of the application that was being tested.
In the course of the pentest, we found that attackers were able to do the following:
- Take advantage of the missing input filtering in the ‘meeting room’ functionality and conduct an XSS attack on a user or administrator. This was successfully confirmed when the dialog was opened by a test victim (the user or administrator who received the message). The script functionality could be anything: for example, hidden mining, a fake authentication form, etc., up to complete control over the victim's computer.
- Take advantage of flaws in the file upload functionality of the web application and access the server file system (ability to read, upload, delete files), execute arbitrary commands on the server, execute SQL queries, make connections from the server interface to other systems, i.e. the attacker could gain complete control over the server and the data could be completely compromised.
- After gaining control over the server, take advantage of the deficiencies in cryptographic protection (in particular, no integrity control of transaction data in the application) and make changes to the account balance.
- Bypass the check when sending messages and impersonate another user or administrator, therefore mislead the victim and commit fraudulent actions.
- Identify registered users.
- Attack user passwords.
- Receive unauthorized access to files that other users have downloaded.
The customer received an exhaustive report on vulnerabilities and how to fix them. After the vulnerabilities were eliminated, the auditors checked again that the system was now secure. And only after this was the web application published on the Internet.
Therefore, the audit using penetration testing methods saved the customer from possible reputational and financial losses.
A nationwide pharmacy network ordered an external pentest of their computer network. Black-box mode was chosen.
During the project, it was discovered that all critical IT infrastructure was behind a firewall. It seemed, there were no chances to penetrate. Then we decided to check the points of sales so checked several pharmacies. One of them had a Mikrotik router with a default password. This type of router has a blank default password, so the router was "compromised". It had OpenVPN, locally stored certificates, and allowed sniffing. We intercepted the traffic and found confidential information of the sales and accounting system. Then we extracted certificates from the compromised router, made a fake point of sale, and connected to the VPN server. We impersonated one of the pharmacies in the network. This way we penetrated the customer’s internal IT infrastructure that was protected by the firewall and seemed impenetrable. We explored the Active Directory network, found an SQL server with domain authentication and penetrated it using a password that had been extracted using ‘mimikatz’ utility.
The project was completed with the conclusion that penetration was possible, and the customer's information security level was low. The customer received the risk assessment results, information about the vulnerabilities, and recommendations on how to remediate them and harden the IT infrastructure.
A mid-sized telecommunication company, motivated to comply with external security requirements, requested the implementation of a complex information security system and overall security assessment. The customer chose grey-box and white-box penetration testing modes. The target objects of the pentest were external servers, DMZ, web applications, and internal nodes of the local area network. During the project, the following vulnerabilities and deficiencies were discovered:
- Network configuration errors, lack of segmentation (lack of separate VLAN for management interfaces iLO, IMPI, IP KVM, etc.).
- Weak passwords on the active network devices.
- Hidden resources were accessible (ADMIN$, C$, D$, etc.).
As a result of the vulnerability exploitation, documents containing confidential data were extracted. Therefore, unauthorized access by an intruder was emulated. The customer received a comprehensive report about the vulnerabilities and their remediation methods.
A big industrial plant with about 10,000 employees needed an assessment of IT infrastructure compliance with security requirements. The plant ordered penetration test in a grey-box and white-box modes. Local area network servers were chosen as the pentest target objects. During the project, the following vulnerabilities and weaknesses were found:
- Deficiencies in the event monitoring and security incident response processes (lack of measures to prevent intrusions, and recover from incidents).
- Deficiencies in configuration management (uncontrolled test and guest network hosts in the corporate domain).
- Deficiencies in access and privilege management (open login via ssh for the standard root account; single administrator account for DC, network equipment, and user workstation management).
- Other technical vulnerabilities (proxy auto-detection for software was enabled).
Unauthorized access by insiders was modeled during the project. The customer received a full report on vulnerabilities and how to eliminate them.
A medium-sized retailer implemented internal and external information security requirements. Some of them required a complete analysis of the enterprise's infrastructure, including penetration tests in grey-box and white-box modes. During the pentest, the following vulnerabilities and weaknesses were found:
- Vulnerabilities in the web applications (no validity checks of requests in the applications, data transfer through an unencrypted HTTP channel).
- Deficiencies in privilege management (domain accounts for various services and applications had too high privileges).
- The possibility of e-mail forgery (no DKIM / DMARC signature systems on mail servers).
- Deficiencies in monitoring processes of security events (no "auditd" customization for events).
- The possibility of an unauthorized device connecting to the network (DHCP snooping, no port security).
During the pentest, as a demonstration of vulnerability, unauthorized access to the network equipment was emulated. The customer received a full report on the vulnerabilities and the recommendations how to eliminate them.
A small financial organization, connected to the international payment systems Visa and Mastercard, faced the need to comply with the requirements of PCI DSS standard. Among them, there is a requirement to perform an external and internal penetration test regularly. During the analysis of the infrastructure scope (cardholder data environment), detailed parameters of the external pentest were agreed. The parameters included grey-box and black-box modes, and the list of target objects, namely, the Internet-facing services and Web applications.
As a result of the pentest, multiple vulnerabilities in the web applications were discovered (PHP injections, cross-site scripting, direct object references, missing software update mechanisms, insecure default Web server configurations, no access control on the functional level, buffer overflows, an error in the web application code).
During the project, no real penetration ways were found, but potential vulnerabilities were present. The customer received a comprehensive report on the vulnerabilities and how to enhance the security of the infrastructure. The report was made in accordance with the requirements of PCI DSS, including a description of the penetration test methodology that was used during the project.
A small software company was required by their customers to be certified according to the ISO 27001 standard. Moreover, the certification body had to hold the highest international accreditation level, which is UKAS.
Previously, the company took only superficial measures and performed only occasional works related to information security, and only in the field of server and workstation protection. We immediately began working on the scope analysis, and outlining the work plan of the initial audit and gap analysis. We performed this work for the client for free. After that, the company saw that we were competent in such challenges, and could build realistic plans. Therefore, they signed a contract with us for an audit, gap analysis, and development of an implementation plan. After 3 weeks, we completed this work. The customer was once again convinced that our experience and speed exceeded their expectations.
After that, the customer signed an agreement with us for the implementation of ISO 27001. Six months later, we developed all the controls required by the standard, described them in 18 policies and procedures, implemented several security management registers, and conducted staff training. We paid particular attention to the secure software development life cycle.
Then the question of choosing an independent auditor arose. We recommended one of the largest German auditing firms to our client. We also contacted this auditor, held a discussion with them and prepared them for the certification of our client in advance. The client and the auditors signed an agreement for audit and certification.
During the audit, we defended our client and the information security management system that we had built. The auditors made minor comments, as they usually do. We took these comments into account, made corrections, and 2 weeks later our client received an official certificate of ISO 27001 compliance.
To support the implemented system and renew the certificate annually, the company subscribed to our ‘Remote Security Manager’ service.
Our client was pleased with our competency in security process management, so they were also interested if we could provide IT security services. The company ordered the following services from us: application security, source code security analysis and penetration testing of their software products.
The company obtained the certificate stating that they were compliant with ISO 27001 and that they had successfully passed the security assessment. They published the certificate on their website and used it in marketing materials. The company advertised its new status and gained significant competitive advantages, which increased the number of orders and sales.
We were contacted by a representative of the German automotive industry. They urgently needed to be certified that they comply with ISO 27001 and the ENX Trusted Information Security Assessment Exchange (ENX TISAX®). High competition in the automotive systems market (security, piloting, navigation, entertainment systems, etc.) forces leading car manufacturers and their contractors (Volkswagen-Audi Group, Porsche, Daimler AG, BMW, Bosch, etc.) to rush the launch of new products to market while maintaining the same high levels of quality, safety and security. This is why our client was highly motivated.
Prior to this, the client had tried to fill out ENX TISAX® compliance forms themselves, but a lack of the necessary competencies did not allow them even to begin the implementation process properly.
ENX TISAX® compliance, although based on ISO 27001, has its specifics. For example, unlike an ISO 27001 audit, which can take several days, a ENX TISAX® auditor spends only one day at the customer's office, but then it takes about 3 months to collect the pieces of evidence for each security process. ENX TISAX® audit reporting process implies a high degree of automation using modern GRC (Governance, Risk management, and Compliance) systems.
During the first 3 months after signing the contract with our client, we thoroughly studied their business processes and developed about 50 documents necessary for compliance with ISO 27001 and ENX TISAX®. During the implementation and audit reporting, we used Redmine and Goriscon systems.
It took 6 months of intense collaboration between our consultants and our client's employees from the start of the project until the day they received the ENX TISAX® compliance label. We conducted several training sessions, performed a series of server and application security assessments, strengthened the network security, system life cycle security, implemented risk management, security key performance indicators (KPI), change and incident management processes, etc.
Implemented processes, operations, and security systems must be constantly maintained so as not to lose effectiveness. Therefore our client ordered the ‘Remote Information Security Manager’ service from us. We have continued to conduct regular training sessions with our client, monitor information security events, respond to security incidents, perform quarterly vulnerability scans, audit software source code, report to our customer's auditors and clients, etc. That is, to fully perform the functions of an information security manager.
Improved security was not the only thing out customer got as a result of this project. During the asset management and technical vulnerability assessment, we discovered ineffective use of systems, such as redundant access, configuration errors that reduce network performance, etc. As a side effect of the project, the customer optimized some of their IT operations.
Achieving the official compliance status with ISO 27001 and ENX TISAX® allowed our client to get new, long-term contracts from one of the giants of the German automotive industry.
A representative of a major government organization of an East European country asked us for help in responding to and investigating a hacker attack. From 5 AM Saturday, the official website of this organization was unavailable due to the hacker attack Drupalgeddon 2, which was carried out automatically by malicious scripts all over the Internet.
As a result of the analysis, it was revealed that the attack did not impact important data and did no harm, except for the downtime of the website. However, this downtime caused some damage to the organization’s users, operations and reputation.
We quickly cleaned the website of malicious files, restored it, and collected event logs and other evidence to pass on to the police.
We conducted the investigation by analyzing the event log files of various server services. It was established that the last successful request with return code 200 was from a certain IP address, and after that, there were no logged events. Next, the website scripts were analyzed, and we found that a fragment of PHP code was inserted at the beginning of all executable files, which first turned off logging and then, in a surreptitious way, launched a shell that could accept remote commands. Malicious insertions were also found in the database.
After cleaning the website and collecting evidence, the server was hardened (configured for security), the CMS Drupal version was updated, additional controls for preliminary testing and security updates were introduced. Additionally, a web application firewall (WAF) was deployed to protect the website in real-time, and a host-based intrusion detection system (HIDS) was implemented to monitor the integrity of critical files on a daily basis. We also offered the organization our comprehensive Continuous Website Protection services, including, but not limited to, full protection against DDoS attacks. The organization subscribed to this service.
Even though the police did not find the perpetrators, we helped the state organization gain a new level of security for their server, which has allowed them to detect intrusions successfully and withstand both small and large-scale malicious attacks.
A brief description of the system. Our customer's electronic wallets system allows their clients to replenish the balance using bank payment cards, PerfectMoney, WebMoney, LiqPay, SWIFT and other methods. Payment card information is not transmitted or stored. In the same way, money withdrawal is possible. The wallets are multi-currency, and it is possible to exchange one currency to another inside the system at internal rates. The system has an API for integration with merchants. The main target category of users consists of Forex brokers' clients. Additionally, mobile operators and electronic stores selling mobile phones and accessories are connected to the payment system.
Total number of lines of source code: 1.8 million.
Objective. In white-box mode, find the flaws in the architecture, insecure use of code, system vulnerabilities, and penetration methods.
Solution. During the audit, first automated, then manual code analysis was used. We identified a large number of uninitialized variables, obsolete and insecure functions that work with memory, and insufficient input validation. In some places of the code, user input was used in SQL queries without validation. This allowed us to perform SQL injection attacks and compromise the personal data of clients. We revealed an insecure data transfer, through a proxy, between the frontend and backend of some modules. This could have led to a successful implementation of a MitM attack. Weaknesses in the protection of the administrative panel were uncovered. They allowed privilege escalation of the users with Verifier and Financier roles. We identified logical errors, which could lead to bankruptcy if the perpetrator manipulated the internal currency exchange processes. Transaction logging errors were detected. We revealed logical errors in system integrity monitoring, namely, in the control calculations of transaction chains. Detailed reports were compiled for the top management, IT director and technical specialists. The reports contained descriptions of all the problems that were found and recommendations on how to solve them.
Duration of work: 3 months.
Conclusions. We provided indispensable help to the payment gateway by supplying a complete line-by-line analysis of the source code. It took much less time to analyze the code than to develop it.. With our help, the company was able to pass the PCI DSS audit successfully, obtain the official certificate, publish the gateway application and successfully begin their financial activities.
Short description of the system. A decentralized exchange that allows to users trade cryptocurrencies and tokens based on Ethereum smart contracts.
Technologies: independent frontend and backend, administrator interface in iOS application, DBMS: PostgreSQL, programming languages: Go, Python, JS, Objective-C, Java.
Total number of lines of source code: 960 thousand.
Objective: in white-box mode, find the vulnerabilities in the system and the hacking possibilities.
Solution: Static code analysis at the first stage revealed errors of repeating code usage. They were fraught with serious potential logical problems. Erroneous parameters, errors in variable dependency models, insufficient coverage of implemented test scenarios were also found. Further manual analysis of the source code helped to identify hidden problems with incorrect validation of input data, logical problems with the sources of cryptocurrency quotes and quotes for cryptocurrency pairs, as well as the possibility of injecting incorrect data to be put into a smart contract. Detailed reports for executive management and technical specialists were generated. The reports contained descriptions of all the problems the were found and recommendations for resolving them.
Duration of work: 2 months.
Conclusions. With our help, the cryptocurrency exchange eliminated significant security issues that threatened the success of the organization. We managed to conduct our audit before the official launch of the exchange, therefore it was not exposed to the risks after the web applications were published and real users started coming in.
Short description of the system. Commercial secure VoIP system certified by the Israeli Ministry of Defense.
Technologies: modular architecture, web server, VoIP server, client applications for Windows, iOS, Android; DBMS: Oracle; programming languages: .NET, C / C#, Objective C, Java.
Total number of lines of source code: 1.2 million.
Objective: in white-box mode, conduct an independent security audit of the source code.
Solution. Automated static analysis had been performed by the customer. Therefore, we only used a manual security audit method. In the C code, unsafe memory functions were identified. They allowed buffer overflows and memory leaks. In mobile applications, logical errors were identified. They could allow hackers to intercept encryption keys using a MitM attack. We also identified architectural errors. They could allow hackers to use a DoS attack to block a subscriber. Detailed reports were compiled for executive management and technical specialists. The reports included descriptions of all problems that were found and recommendations for resolving them.
Duration of work: 2 months.
Conclusions. Despite the significant efforts of the customer to find the security problems in their system, using modern licensed security scanners of source code, our independent line-by-line audit of the code identified additional problems not detected by the customer. The elimination of these problems allowed the customer to raise the security of their application to a new level. They avoided compromising the confidential information of customers.
A global manufacturer of household and industrial equipment was going to implement new modules for their ERP, CRM, financial and e-commerce systems.
The modules were written using Java, C++ and SAP UI5.
The customer had scanned the source code with security scanners of source code, performed a pentest, found security issues, fixed them, and asked us to do a manual security review.
The total work scope was about 2 million lines, and about 3 months later, we presented a comprehensive report showing the critical security problems, which were missed even by the security scanners and grey-box penetration test.
For example, we found critical race-condition vulnerabilities, which, although unlikely to occur, could cause huge damage.
Another example was a backdoor in the software code allowing the software developers to have unauthorized access to the production system. The developers explained that they needed this access for legitimate debugging purposes, however, that was a risk, and we insisted on closing this backdoor.
Conclusions. The customer made the right decision in entrusting us to independently verify the results of their security work and received important information on omissions that could cause serious financial damage. Corrections to the systems were made, their security was improved, and the risks of losses were minimized.
The websites of a Ukrainian information technology university suffered from regular attacks. Mainly, it was begrudged students who hacked their alma mater, and these future IT specialists penetrated and defaced the websites just for fun. The university staff were unable to withstand the attacks, and the university management decided to outsource the website security to us.
First, we performed the initial security hardening. In particular, we conducted a security audit of 6 websites and several technological processes. Then we analyzed the assets, defined the security policies and procedures, hardened the web servers using the CIS Controls and CIS Benchmark frameworks and updated several weak components. Additionally, we implemented comprehensive backup procedures, log collection services, strict role-based access, two-factor authentication, and other security controls. Following the university's policies, we employed several open source security solutions, namely, Web Application Firewall (WAF) ModSecurity, Host-based Intrusion Detection System (HIDS) Tripwire and some other products.
Then we implemented continuous protection for the websites. We employed Cloudflare services in order to thoroughly protect against DDoS attacks. Website availability checks were executed every minute. We enabled transaction checks – user browser emulation to test the important functions of the websites, for example, login/registration, etc. Also, we have deployed the Real-User Monitoring (RUM) checks to test the download time of the websites from the real user's perspective. We connected the university's systems to our SIEM security monitoring system, which also had some positive side effects. That also introduced some positive side effects and enhancements like static content optimization using global CDN, optimization and acceleration of traffic for mobile devices.
After that, we delegated security responsibilities among the university's security staff and our personnel. Our dedicated specialists started to monitor the website security round-the-clock. Then, we performed several training sessions for the university's engineers covering security vulnerabilities, security testing, security event monitoring, and incident response.
Finally, we even advised the university to announce a bug bounty program encouraging the students to report vulnerabilities and try to hack the websites as part of their practice. Therefore, we turned our adversaries into our allies with no additional cost and, at the same time, discouraged anyone who did not want to collaborate.
As a result of the implementation of continuous website protection, website incidents decreased to a negligible level. Penetrations and defacements stopped completely. The IT university's reputation as a secure organization was saved and considerably improved.
A mid-size bank contacted us intending to introduce a Security Incident and Event Management (SIEM) system in their data center. This bank had some elements of a Security Operations Center (SOC) and asked us to improve it, bring it up to modern standards and take over the support of SOC.
From the several available SOC/SIEM models (on-premise SOC, cloud implementation, full outsourcing, etc.), the client selected a combined model, which required our staff to work with monitoring systems physically located in the bank.
First, we carried out an inventory of the client’s information assets, identified the sources of events from more than 5000 hosts located in 12 offices and data centers of the bank, including more than 50 database servers. Next, we identified incident profiles, response and support procedures, and estimated the incident flow capacity, which was about 1500 EPS.
Based on the IBM QRadar high-availability cluster, we implemented the following functions and components in the bank's data center: log management, security event management, threat intelligence, risk and vulnerability management, user and entity behavior analysis, machine learning, orchestration and response, honeypots/honeynets, threat hunting, and digital forensics.
Our experts developed the necessary rules and procedures, wrote the missing custom parsers and quickly connected event sources from Microsoft Server Family, Microsoft System Center, RedHat Enterprise Linux, Hitachi, IBM AIX, IBM Storage Manager, Cisco IOS / NX-OS, Check Point NGX, SAP, Citrix XenServer, XenDesktop, XenApp, Microsoft SQL, Oracle, Microsoft Exchange, SharePoint, UAG and many other types of systems.
We protected the system components with firewalls, and the data streams with Site-to-Site VPN. Then we determined the role-based access matrices for the system, set up continuous updates, fine-tuned the rules and tested the detection of anomalies and threats.
Right before the production launch, we delegated the security roles and responsibilities between our personnel and the customer’s staff, conducted their training and put the system into commercial operation.
The implementation of the system took us 8 months.
Conclusions. As a result of the implementation, the bank received a modern Security Operations Center based on a real-time monitoring system for event logging and responding to security threats. Among other outcomes, we optimized some of the customer’s technological processes, discovered obsolete assets, improved server access control, set up the collection and storage of security event protocols in accordance with PCI DSS requirements and national requirements for the collection of forensic evidence acceptable in court. The bank successfully passed several external independent audits and became compliant with norms and standards. The total annual damage from security incidents has decreased manifold.
(Company and organization names are under Non-disclosure Agreements)
Our happy customers
Our clients are product and outsourcing IT companies, as well as construction, automotive, e-commerce, industrial, medical, pharmaceutical, telecommunication, retail, insurance companies, as well as banks, governmental organizations, etc. Some of our happy customers are:
Testimonials on Clutch
"We are very pleased that we have had the opportunity to work with such a team of professionals as H-X Technologies. We have only positive impressions. Working with the H-X team was pleasant and interesting. Everything was done according to the conditions specified in the statement of works and was done exactly on schedule. Both the security assessment process itself and the provided reporting showed a high level of professionalism. We don't regret deciding to cooperate with H-X Technologies. We look forward to further cooperation."
"The H-X team has conducted a detailed project planning to assess the security of our infrastructure. They have shown a creative approach, and have properly implemented the security assessment plan. The security assessment has provided valuable information on the priorities to enhance our company's security, including strategic objectives and tactical activities."
"We were facing serious challenges related to our customers' requirements for formal compliance with international and industry information security standards. The H-X team very quickly helped us to evaluate and fill the current organizational and technical gaps, and they continue to help."
"The H-X team has completed a technical security assessment of one of our products, and we've been surprised by the high quality results. They've helped us to improve the quality of our development and testing processes."