Meera R | isfame.in

Uncovering the Fake PMKISAN App – Technical Analysis of a Mobile Threat
https://isfame.in/238355-2/ | Mon, 17 Nov 2025

Overview

Traboda CyberLabs has investigated an Android malware campaign that impersonates the PM-KISAN mobile app. The campaign is distributed via messaging apps and uses a convincing fake “Google Play update” flow to trick victims into enabling sideloading and installing a malicious APK. Rather than exploiting an OS vulnerability, the attackers rely on social engineering to gain installation and permission consent.

The threat uses a two-stage design: a lightweight dropper that obtains installation rights and then silently installs a second-stage payload that conducts persistent data collection and exfiltration.

Infection Chain

  1. Malicious APK delivered via messaging apps – appears as a government/update package.
  2. Fake update UI – prompts the user to allow installation of unknown apps.
  3. Two-stage install – dropper installs a secondary payload that uses the same icon/name to avoid detection.
  4. Permission abuse – the payload requests SMS and phone-state permissions plus background execution privileges.
  5. Data collection & exfiltration – harvested data (SMS, device & SIM metadata) is transmitted to attacker infrastructure through redundant channels.
  6. Persistence – the payload registers for manufacturer-specific auto-start and requests battery-optimization exemptions to remain active after reboots and under idle conditions.

Key Technical Findings

Native String Obfuscation & Runtime Decryption

Sensitive configuration strings (e.g., C2 endpoint URLs) are stored encrypted and only decrypted at runtime using a native library. We reverse-engineered the decryption routine offline to extract the full payload configuration.

Dual Exfiltration Channels

The malware uses multiple exfiltration channels so that blocking one does not prevent data leakage. In our controlled analysis we observed both direct HTTP exfiltration and a third-party messaging API used to relay stolen content.

SMS Interception & Forwarding

A broadcast receiver registered for incoming SMS captures messages as they arrive. Captured messages are included in exfiltration payloads and, depending on remote configuration, forwarded onward to attacker destinations. This capability directly compromises any authentication process that relies on SMS-delivered OTPs. Note that on Android 4.4 and later an app that is not the default SMS client can still read incoming messages through the SMS_RECEIVED broadcast but cannot block their delivery to the messaging app, so the victim may still see the OTP arrive even though it has already been stolen.

Persistence & Evasion Techniques

The payload adapts to device vendor customizations to register auto-start entries and explicitly requests exemptions from battery management, reducing the likelihood of being killed by the OS. These techniques significantly increase the effort required for cleanup and automated detection.
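The indicators described in the findings above (SMS and phone-state permissions, a receiver for incoming SMS, boot-completed and battery-optimization persistence, and install rights for a dropper) can be checked mechanically against a decoded AndroidManifest.xml, for example as an MDM or app-vetting pre-check. The Python below is an added example and not Traboda's tooling or code from the analysed samples; the two manifests it contains are constructed for illustration (the package names are placeholders) and the scoring weights are an assumption.

```python
"""Triage a decoded AndroidManifest.xml for the permission and component
combination seen in SMS-stealing payloads. Added example; the manifests
below are constructed, not taken from any real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Permission groups that matter for an SMS-stealing payload.
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
PHONE_STATE_PERMS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
}
PERSISTENCE_PERMS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "android.permission.FOREGROUND_SERVICE",
}
# A dropper that installs a second APK needs this on Android 8 and later.
INSTALLER_PERMS = {"android.permission.REQUEST_INSTALL_PACKAGES"}


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return matched permissions, SMS receivers, a score and a verdict.
    The weights are an assumption chosen so that SMS access plus any
    persistence or install capability crosses the 'block' threshold."""
    root = ET.fromstring(xml_text)
    requested = {_attr(p, "name") for p in root.iter("uses-permission")}
    hits = {
        "sms": sorted(requested & SMS_PERMS),
        "phone_state": sorted(requested & PHONE_STATE_PERMS),
        "persistence": sorted(requested & PERSISTENCE_PERMS),
        "installer": sorted(requested & INSTALLER_PERMS),
    }
    # Receivers listening for incoming SMS; a high filter priority shows the
    # intent to be handled ahead of other listeners.
    sms_receivers = []
    for recv in root.iter("receiver"):
        for filt in recv.iter("intent-filter"):
            actions = {_attr(a, "name") for a in filt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                priority = int(_attr(filt, "priority") or 0)
                sms_receivers.append((_attr(recv, "name"), priority))
    score = 0
    if hits["sms"]:
        score += 3
    if sms_receivers:
        score += 2
    if hits["phone_state"]:
        score += 1
    if hits["persistence"]:
        score += 2
    if hits["installer"]:
        score += 2
    verdict = "block" if score >= 6 else "review" if score >= 3 else "allow"
    return {"permissions": hits, "sms_receivers": sms_receivers,
            "score": score, "verdict": verdict}


# Constructed manifest shaped like the second-stage payload described above.
PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="PM-KISAN">
    <receiver android:name="com.example.fakeupdate.SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for an ordinary network-only app, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("payload", PAYLOAD_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

Run it against the manifest produced by apktool or a similar decoder; the binary manifest inside an APK has to be decoded to text first. A manifest alone cannot show the native-library string decryption or the exfiltration endpoints, so this is a pre-filter for which samples deserve dynamic analysis, not a replacement for it.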

Risk Assessment

Factor               Rating   Notes
Impact on users      High     Direct financial and identity risk
Campaign resilience  High     Obfuscation and redundant exfiltration channels
Target profile       Broad    Exploits trust in government branding

Recommendations

For Individual Users

  • Never install APKs received via messaging apps. Install apps only from official app stores.
  • Disable the “install unknown apps” setting (or restrict it tightly) and avoid granting it casually.
  • Prefer authenticator apps or hardware tokens over SMS-based OTPs wherever possible.
  • If an app requests SMS or phone-state permissions unexpectedly, do not grant them – uninstall immediately and perform a device scan.

For IT/infosec teams & enterprises

  • Enforce Mobile Device Management (MDM) policies that block or alert on apps that request SMS/phone permissions.
  • Alert on newly installed apps that request background-execution or auto-start privileges, and quarantine the affected devices for inspection.
  • Block or monitor known malicious app distribution channels internally (e.g., attachments or links in messaging apps if policy allows).
  • Educate employees about the risk of sideloading and how to identify fake update prompts.
  • Gradually phase out SMS OTPs for sensitive services and adopt stronger MFA solutions.

Why this Matters

This campaign is a clear example of threat actors weaponizing user trust in official branding. By impersonating a government program and using a familiar update UX, the attackers successfully bypass technical protection barriers through social engineering. The use of native runtime decryption and redundant exfiltration channels shows operational sophistication and intent to maintain long-term access.

Full Technical Report & Disclosure

This public summary intentionally excludes forensic artefacts and IOCs. The full technical report contains comprehensive analysis and indicators intended for security teams, CERTs, and incident responders. Organizations and researchers who need the IOCs and forensic details can contact our team for secure access and coordination.

Health Tech Company’s Cybersecurity Transformation: A Successful Pentesting Engagement
https://isfame.in/health-tech-companys-cybersecurity-transformation-a-successful-pentesting-engagement/ | Wed, 30 Apr 2025

Traboda partnered with a leading health-tech company to secure its digital ecosystem and protect sensitive patient data. The engagement covered penetration testing of four critical web applications, a public-facing Android application, and the cloud infrastructure supporting both. By identifying vulnerabilities and delivering actionable recommendations, Traboda strengthened the security of these assets, helping ensure secure access to sensitive information and compliance with industry standards. This work reinforced the company’s commitment to delivering secure and reliable healthcare technology solutions.

About the client

The company develops cutting-edge health-tech solutions centered on remote health monitoring. Its device and cloud-based systems integrate biosensor technology with mobile applications, enabling real-time health data collection and remote diagnostics. By combining convenience with clinical accuracy, it plays a key role in the digital transformation of healthcare.

Challenges

Complex Ecosystem: The client’s digital ecosystem included multiple interconnected web applications, an Android app, and cloud infrastructure. Each component required both individual and integrated testing to identify vulnerabilities while minimizing disruption to ongoing operations.

Highly Sensitive Data: The applications managed sensitive patient health data, including real-time cardiac monitoring information. This required stringent adherence to ethical testing practices to ensure data privacy and regulatory compliance throughout the engagement.

Time Constraints: The pentesting engagement needed to be completed within a limited timeframe due to the impending deployment of new features in the web and mobile applications. This necessitated prioritizing testing strategies to focus on the highest-risk areas.

Legacy and Modern Components: The system included a mix of modern technologies and legacy components, some of which lacked adequate documentation. Identifying vulnerabilities in those older components required significant manual analysis and reverse engineering.

Unsecured APIs: APIs exposed critical functionality but lacked standardized security practices, such as authentication and authorization. Testing these endpoints without impacting live operations posed additional challenges.
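Missing object-level authorization of the kind described above is found by requesting the same resource as its owner and as an unrelated authenticated user. The Python below is an added example, not the client’s code or Traboda’s tooling: it stands up a constructed in-memory records API with a vulnerable handler and a fixed one, and runs the same check against both. In a live engagement the endpoint callable would wrap an HTTP client carrying each identity’s session token; the identities, record IDs and record contents here are all constructed.

```python
"""Object-level authorization (BOLA/IDOR) check. Added example: the "API" is a
constructed in-memory stand-in for a real backend."""

# Constructed identities: two patients and one clinician.
USERS = {"patient-a": "patient", "patient-b": "patient", "dr-c": "clinician"}

# Constructed records keyed by a guessable identifier, as an IDOR target would be.
RECORDS = {
    "rec-1001": {"owner": "patient-a", "ecg": "normal sinus rhythm"},
    "rec-1002": {"owner": "patient-b", "ecg": "atrial fibrillation"},
}


def get_record_vulnerable(caller, record_id):
    """Authenticates the caller but never checks who owns the record."""
    if caller not in USERS:
        return 401, None
    record = RECORDS.get(record_id)
    return (200, record) if record else (404, None)


def get_record_fixed(caller, record_id):
    """Authenticates, then enforces ownership or a clinician role.
    Unauthorized and missing records both return 404 so the ID space
    cannot be enumerated by status code."""
    if caller not in USERS:
        return 401, None
    record = RECORDS.get(record_id)
    allowed = record is not None and (
        record["owner"] == caller or USERS[caller] == "clinician"
    )
    return (200, record) if allowed else (404, None)


def check_object_authorization(endpoint, cases):
    """For each (owner, other, object_id): the owner must get 200 and the
    unrelated user must not. Returns the list of failing cases; an empty
    list means the endpoint passed."""
    failures = []
    for owner, other, object_id in cases:
        status_owner, _ = endpoint(owner, object_id)
        status_other, _ = endpoint(other, object_id)
        if status_owner != 200:
            failures.append((object_id, f"owner {owner} denied with {status_owner}"))
        if status_other == 200:
            failures.append((object_id, f"{other} read {owner}'s object"))
    return failures


# Each patient's record, requested by the other patient.
CASES = [
    ("patient-a", "patient-b", "rec-1001"),
    ("patient-b", "patient-a", "rec-1002"),
]

if __name__ == "__main__":
    print("vulnerable:", check_object_authorization(get_record_vulnerable, CASES))
    print("fixed:", check_object_authorization(get_record_fixed, CASES))
```

The check is deliberately symmetric (each identity is tried against the other’s object) so that a handler which only protects one direction still fails, and it treats any 200 to the wrong user as a finding regardless of body content, since a redacted-but-successful response still confirms the object exists.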

Compliance Considerations: The client needed to align with healthcare-specific regulations like HIPAA while addressing broader security concerns, such as those outlined in the OWASP Top 10. This required a balance between regulatory and technical security requirements.

Objectives

Identify and Remediate Vulnerabilities: Perform a thorough security assessment of the web applications, Android app, and cloud infrastructure to uncover and prioritize vulnerabilities for remediation.

Ensure Data Privacy and Compliance: Ensure the client’s systems comply with industry standards and regulatory requirements (e.g., HIPAA), protecting sensitive patient data from unauthorized access or misuse.

Strengthen API Security: Evaluate the security of exposed APIs to identify gaps in authentication and authorization mechanisms, ensuring these critical components are resilient to attacks.

Evaluate Component Integrity: Identify outdated or vulnerable components in the technology stack and recommend upgrades to ensure robust application security.

Establish a Secure Foundation: Provide actionable recommendations and a roadmap for long-term security improvements, including secure development practices, regular testing, and automated scanning tools.

Minimize Operational Impact: Perform all testing with minimal disruption to the client’s live services, ensuring uninterrupted availability of critical healthcare applications.

Methodology

Pre-engagement Interactions

Traboda conducted a kick-off meeting with the client to align expectations for the engagement. During the meeting, the agreed-upon scope was reviewed, additional information was gathered, and any IPs or URLs that required whitelisting by the client were identified.

Intelligence Gathering

Intelligence gathering, also known as reconnaissance, is the initial phase and evaluates the current maturity level of the in-scope targets. It provides insight into how to proceed with the engagement based on the targets’ current security posture. Open-source intelligence (OSINT) was used to gather additional information about the targets and to uniquely identify the in-scope assets.

Vulnerability Analysis

In this stage, the goal is to identify flaws and weaknesses in the in-scope targets that a potential attacker could exploit. The phase combined automated tools with manual testing so as to find as many exploitable vulnerabilities as possible rather than only those a scanner reports.

Exploitation

The Exploitation stage goes beyond just identifying vulnerabilities; it focuses on determining whether the discovered vulnerabilities can be exploited and if they can be leveraged to launch an attack on the target. The objective of this stage is to simulate an attack environment that a potential attacker might employ to compromise the target.

Post Exploitation

The inclusion or exclusion of this stage is determined based on the scope agreement established during the pre-engagement interactions. The objective of this stage is to assess the criticality and potential impact of a successful exploitation from an attacker’s perspective.

Summary of Findings

Result and Impact

Critical Vulnerabilities Addressed

  • Identified and mitigated 6 critical vulnerabilities, including default credentials, vulnerable components, and missing API authorization.
  • Prevented potential exploitation scenarios that could have led to unauthorized access, data breaches, and service disruptions.

Risk Reduction

  • Discovered a total of 26 vulnerabilities (6 critical, 12 high, 6 medium, and 2 low).
  • Enabled the company to prioritize fixes, starting with the most critical and high-impact vulnerabilities, ensuring efficient allocation of resources.

Strengthened API Security

Highlighted significant gaps in API authorization mechanisms, ensuring these endpoints were secured to prevent unauthorized access to sensitive data.

Improved Infrastructure Security

Addressed misconfigurations in the cloud environment, reducing exposure to remote exploitation and improving compliance with secure deployment practices.

Enhanced Application Security

Mitigated risks stemming from the use of outdated third-party components, preventing potential exploitation of known vulnerabilities.

The cloud infrastructure and applications were thoroughly tested for security vulnerabilities using custom test cases. The vulnerabilities found were reported and fixed. A subsequent retest confirmed that the vulnerabilities were effectively resolved, significantly strengthening the organization’s application and infrastructure security.

Strengthening Cyber Resilience: Interactive Blue Team Training for a Government Organization
https://isfame.in/strengthening-cyber-resilience-interactive-blue-team-training-for-a-government-organization/ | Wed, 30 Apr 2025

Traboda successfully delivered an intensive, practical cybersecurity training program for a government organization. The training focused on blue teaming techniques and was designed to provide participants with real-world, hands-on experience through guided lab exercises and team-based problem-solving.

Training Format

Duration: The training included one week of online sessions (14 hours) followed by two days of intensive onsite practical sessions (13 hours).

Participation: The workshop was attended by 75 participants with technical expertise ranging from beginner to advanced levels, presenting a challenge in designing content that engaged everyone effectively – a challenge that Traboda promptly addressed.

Format:

    • Online Sessions: Introduced the participants to core concepts in cybersecurity management, system administration, network security, and incident response.
    • Onsite Sessions: Participants were divided into teams and assigned virtual machines (VMs). They worked collaboratively on pre-designed hands-on labs, simulating real-world cybersecurity tasks and scenarios.

Syllabus

Cybersecurity Management

Cybersecurity Policies and Frameworks: Participants explored organizational cybersecurity practices aligned with industry standards such as NIST, ISO/IEC 27001, COBIT, and CIS Controls.

Risk Management and Compliance: The training covered conducting risk assessments, developing mitigation strategies, and maintaining compliance with regulations (GDPR, HIPAA, PCI DSS). Continuous risk monitoring and stakeholder reporting mechanisms were also explored.

Security Audits

Frameworks and Tools: Participants leveraged vulnerability scanning tools, SIEM systems, and open-source software management strategies.

Defensive Tools: Emphasis on the practical use of SIEM tools, intrusion detection/prevention systems, and strategies for managing risks associated with open-source components.

System Administration

OS Hardening: Using scripts to identify and patch vulnerabilities in both Linux and Windows environments.

Backup and Disaster Recovery: Comprehensive insights into implementing backup strategies and disaster recovery plans to mitigate data loss and maintain business continuity.

Network Administration

Secure Server and Device Management: Best practices for updating firmware/software and network traffic analysis using Wireshark. Participants learned to use firewalls and intrusion detection systems to understand how to monitor, analyze, and manage network traffic, identify potential threats, and implement measures to block unauthorized access or malicious activities.

Incident Response and Analysis

Incident Response Planning: Participants gained expertise in incident response, handling procedures, and lifecycle management from detection to post-incident review.

Threat Hunting with SIEM and EDR Solutions: Participants leveraged SIEM and EDR tools to investigate and mitigate threats. The training included recreating attack scenarios inspired by well-known APT groups, enabling participants to practice identifying threats through analysis of Windows logs, firewall logs, filesystem changes, etc. This hands-on approach provided practical experience in leveraging advanced tools for comprehensive threat detection and response.
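One of the hunting patterns such Windows-log exercises typically cover is password spraying: many distinct accounts failing from one source inside a short window, then a success from the same source. The Python below is an added example, not Traboda’s lab material or a query from the SIEM used in the training; the events are constructed and already normalised to the fields a SIEM would expose for Security events 4625 (failed logon) and 4624 (successful logon), and the threshold and window are assumptions to tune per environment.

```python
"""Password-spray detection over normalised Windows Security events.
Added example; all events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events as a SIEM would present them after field extraction.
EVENTS = [
    {"time": "2025-03-01T09:00:00", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.5"},
    {"time": "2025-03-01T09:00:10", "event_id": 4625, "user": "bob", "src_ip": "10.0.0.5"},
    {"time": "2025-03-01T09:00:20", "event_id": 4625, "user": "carol", "src_ip": "10.0.0.5"},
    {"time": "2025-03-01T09:00:30", "event_id": 4625, "user": "dave", "src_ip": "10.0.0.5"},
    {"time": "2025-03-01T09:00:40", "event_id": 4625, "user": "erin", "src_ip": "10.0.0.5"},
    {"time": "2025-03-01T09:00:50", "event_id": 4625, "user": "frank", "src_ip": "10.0.0.5"},
    {"time": "2025-03-01T09:01:10", "event_id": 4624, "user": "frank", "src_ip": "10.0.0.5"},
    # One user mistyping a password twice from their own workstation is not a spray.
    {"time": "2025-03-01T09:02:00", "event_id": 4625, "user": "grace", "src_ip": "10.0.0.9"},
    {"time": "2025-03-01T09:02:05", "event_id": 4625, "user": "grace", "src_ip": "10.0.0.9"},
    {"time": "2025-03-01T09:02:20", "event_id": 4624, "user": "grace", "src_ip": "10.0.0.9"},
]


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=5)):
    """Return one alert per source IP whose 4625 failures cover at least
    `min_accounts` distinct accounts inside `window`, noting the first 4624
    from the same source after that window (a likely compromised account)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(e["time"])
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append((ts, e["user"]))
        elif e["event_id"] == 4624:
            successes[e["src_ip"]].append((ts, e["user"]))

    alerts = []
    for ip, fails in failures.items():
        # Sliding window over this source's failures; keep the window that
        # touches the most distinct accounts.
        best_accounts, window_end, start = set(), None, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {user for _, user in fails[start:end + 1]}
            if len(accounts) > len(best_accounts):
                best_accounts, window_end = accounts, fails[end][0]
        if len(best_accounts) < min_accounts:
            continue
        followed_by = [user for ts, user in successes.get(ip, []) if ts >= window_end]
        alerts.append({
            "src_ip": ip,
            "accounts": sorted(best_accounts),
            "success_after": followed_by[0] if followed_by else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(EVENTS):
        print(alert)
```

Counting distinct accounts per source, rather than total failures, is what separates a spray from a single user’s typos or a brute force against one account; the latter needs its own rule keyed on (account, source). Logon type, workstation name and the 4625 sub-status code would normally be kept as well to suppress service-account noise.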

Hands-On Lab Activities

The hands-on lab exercises included both individual and team-based activities. Each participant or team was assigned a set of VMs to configure and secure based on the provided tasks. The labs covered:

Scenario-Based Exercises

    • Overview of the compliance regimes and frameworks used in industry, with case studies on which of them apply in a given scenario, their use cases, and applications.
    • Participants were given a Security Information and Event Management (SIEM) instance, built on a popular open-source security monitoring tool, to write custom queries and run threat-hunting exercises. They worked through five or more scenarios to identify and fingerprint attacks occurring on the Linux and Windows endpoints where the agents run. They also performed network traffic analysis with Wireshark, with hands-on labs demonstrating attacks on WEP and WPA.
    • Configuring a pfSense firewall and writing Snort rules to protect a web server: teams set up the web server and configured pfSense to create an internal network, then re-configured both pfSense and Snort to stop three or more attack scenarios, safeguarding the web server.
    • Each participant was assigned a vulnerable Linux instance to secure, testing their ability to apply Linux OS hardening techniques, patch vulnerabilities, and implement essential security controls. They then ran a checker script to assess the OS security posture.
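A checker of the kind used to grade the Linux hardening lab can be written as a set of assertions over configuration files. The Python below is an added example, not the checker used in the training: it audits an sshd_config excerpt against a CIS-style baseline (the first occurrence of an option wins, as in sshd, and Match blocks are not evaluated) and flags /etc/shadow entries with empty passwords or MD5-crypt hashes. Both excerpts are constructed, the hashes are placeholders, and the baseline values are an assumption.

```python
"""Offline posture checker for a Linux hardening lab. Added example; inputs
are configuration text, so it runs without root or a target host."""
import re

# CIS-style sshd baseline (assumption): option -> acceptable values.
SSHD_BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": {"1", "2", "3", "4"},
}


def parse_sshd_config(text):
    """Effective global options, lower-cased. sshd keeps the first value it
    sees for an option, so a later duplicate does not override an earlier
    weak setting. Parsing stops at the first Match block."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        options.setdefault(key, value)
    return options


def audit_sshd(text):
    """Compare the effective options against the baseline."""
    findings = []
    options = parse_sshd_config(text)
    for key, allowed in SSHD_BASELINE.items():
        value = options.get(key)
        if value is None:
            findings.append(f"sshd: {key} not set explicitly")
        elif value not in allowed:
            findings.append(f"sshd: {key} is '{value}', expected one of {sorted(allowed)}")
    return findings


def audit_shadow(text):
    """Flag accounts anyone can log into (empty field) or with a legacy
    MD5-crypt hash ($1$). Locked accounts ('!' or '*') are fine."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, secret = fields[0], fields[1]
        if secret == "":
            findings.append(f"shadow: {user} has an empty password")
        elif secret.startswith("$1$"):
            findings.append(f"shadow: {user} uses MD5-crypt")
    return findings


def audit(sshd_text, shadow_text):
    return audit_sshd(sshd_text) + audit_shadow(shadow_text)


# Constructed sshd_config excerpt: the second PermitRootLogin line is the
# kind of "fix" that does nothing, because sshd keeps the first value.
SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no   # ignored by sshd: duplicate option
X11Forwarding no
MaxAuthTries 6
"""

# Constructed /etc/shadow excerpt (hashes are placeholders).
SHADOW = """\
root:$6$salt$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
lab:$1$salt$placeholderhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in audit(SSHD_CONFIG, SHADOW):
        print(finding)
```

On a real host the same functions would be fed the output of `sshd -T` (which prints the effective configuration after Match processing) rather than the raw file, which removes the Match-block limitation noted above.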

Evaluation Process

    • Quizzes: The knowledge gained from the hands-on labs was evaluated, covering topics such as
      • Network analysis techniques.
      • Regulations, compliance, and frameworks.
      • Windows server hardening procedures.
    • Practical Exercises:
      • Participants were assessed on their ability to perform threat hunting using a SIEM instance, demonstrating their understanding of incident response and real-time defense. They were required to write queries that filter for specific events on the endpoints.
      • Participants were required to reconfigure pfSense to mitigate additional attack scenarios, including writing rules on the WAN interface, changing rule order, and writing Snort rules.
      • Participants were graded on their technical proficiency in securing a Linux server by mitigating vulnerabilities and applying security best practices.

Outcome

The hands-on, team-focused training approach by Traboda helped participants gain practical skills and confidence in executing blue team strategies. The combination of theoretical instruction, collaborative lab work, and scenario-based evaluation ensured a well-rounded learning experience.

Knowledge Development

Objective: Enhance understanding of blue teaming principles and compliance standards.

Outcome: Participants grasped defensive cybersecurity strategies (OS hardening, network hardening, incident response strategies) and regulatory frameworks, with quiz results showing an average comprehension rate of 90%.

Practical Skills

Objective: Build hands-on experience in system hardening and vulnerability mitigation.

Outcome: Teams successfully hardened Linux and Windows systems using OS-level scripts and patched over 80% of identified vulnerabilities.

Team Collaboration

Objective: Foster collaboration in real-world threat-hunting exercises.

Outcome: Teams demonstrated effective teamwork, using SIEM and EDR instances to detect and mitigate threats, scoring an average of 80% in scenario-based evaluations.

Individual Proficiency

Objective: Improve individual technical problem-solving abilities.

Outcome: Participants secured vulnerable Linux instances with a 95% success rate, showcasing their ability to apply security best practices independently.

Participants appreciated the hands-on approach and the real-world application of cybersecurity principles. Building on the success of this training, Traboda plans to offer advanced follow-up programs focused on automated threat detection and more complex incident response simulations.

Traboda’s tailored training program effectively strengthened the cybersecurity capabilities of the government organization’s employees. The practical, immersive nature of the training ensured that participants were well-equipped to apply their new skills in real-world cybersecurity operations. The training effectively bridged the gap between theoretical knowledge and practical application, enabling participants to develop and refine their skills in cybersecurity.

Advanced Red Teaming Training and Vulnerability Assessments for a Government Agency
https://isfame.in/advanced-red-teaming-training-and-vulnerability-assessments-for-a-government-agency/ | Mon, 28 Apr 2025

Traboda delivered an extensive 80-hour online cybersecurity training for a government organization, designed to enhance participants’ skills in penetration testing, vulnerability assessment, and threat mitigation. The training was interactive, blending theoretical concepts with hands-on labs, real-world case studies, and exercises focused on modern cyber threats and exploits.

The training was designed to align with the participants’ knowledge and experience levels, with a foundational understanding of the following concepts required as a prerequisite:

  • Computer Networks
  • Web Architecture
  • Python Programming

Training Objectives

The primary goal of the training was to equip participants with the skills to:

  • Identify and exploit vulnerabilities across various systems
  • Understand and apply methods to fix and mitigate vulnerabilities
  • Conduct end-to-end penetration testing and prepare comprehensive reports
  • Gain a deep understanding of exploitation methods and strategies
  • Develop strategies to secure Linux and Windows environments, as well as Active Directory infrastructures

Training Syllabus

  1. Foundational Module
    1. Information Gathering
    2. Network Scanning
    3. Enumeration
  2. Web Vulnerabilities
    1. OWASP Top 10
    2. Common Web Vulnerabilities
  3. System and Exploitation Techniques
    1. Introduction to System Architecture
    2. Linux Buffer Overflows
    3. Windows Buffer Overflows
    4. Locating Public Exploits
    5. Fixing Exploits
  4. Advanced Exploitation Techniques
    1. File Transfer and Reverse Shells
    2. Privilege Escalation
    3. Kernel Exploits
    4. Post-Exploitation
  5. Specialized Topics
    1. Password Attacks
    2. Introduction to Antivirus
    3. Antivirus Evasion
  6. Active Directory
    1. Active Directory Attacks
    2. Active Directory Exploitation
    3. Comprehensive Penetration Testing
    4. Complete Penetration Testing Process
    5. Report Writing

Training Highlights

  • Hands-On Labs with Focus on Exploitation Techniques

    Participants immersed themselves in advanced exploitation scenarios, prioritizing critical areas like privilege escalation, kernel exploits, and antivirus evasion. These labs were structured to simulate real-world challenges, emphasizing the adversarial perspective and equipping participants with actionable skills.
    Key outcomes included:

    • Exploiting system vulnerabilities through reverse shells and privilege escalation techniques.
    • Understanding kernel exploitation, including the identification and execution of advanced kernel-level attacks.
    • Practical exposure to antivirus evasion tactics, enabling participants to bypass common security measures effectively.

Real-World Scenario-Based Exercises

To enhance applicability, the training included exercises modeled after real-world attack scenarios.

The core activities included:

    • Implementing reverse shell techniques to establish footholds in target environments.
    • Privilege escalation on compromised hosts, followed by lateral movement through the target environment.
    • Conducting post-exploitation activities to understand adversary objectives and persistence techniques.

Report Writing
Participants honed their skills in preparing professional penetration testing reports. They learned to structure findings, detail exploitation techniques, and propose robust mitigation strategies tailored to organizational needs. Many noted that this aspect of the training significantly improved their ability to communicate technical findings to non-technical stakeholders, a skill often overlooked in conventional programs.

Understanding and Analyzing CVEs and Exploitation Techniques
A significant portion of the training was dedicated to exploring various Common Vulnerabilities and Exposures (CVEs) and understanding their exploitation techniques. Participants delved into real-world examples of vulnerabilities, examining their root causes and exploitation methods.

Participant Experience

Traboda’s training with its focus on real-world relevance and practical application received high praise. Participants valued:

    • Depth of Content: Comprehensive coverage of advanced exploitation techniques provided insights into offensive strategies and their countermeasures.
    • Practical Simulations: Realistic labs allowed participants to hone their skills in a controlled yet challenging environment.

Impact on Participants

  • Enhanced Practical Skills: Participants gained advanced skills in exploitation, including privilege escalation, kernel exploits, and antivirus evasion, enabling them to address complex security scenarios.
  • Problem-Solving: The ability to tackle complex security challenges using structured and innovative approaches.
  • Improved Communication: Sharpened report-writing skills to bridge the gap between technical teams and management.

Traboda’s training empowered participants with cutting-edge offensive and red teaming techniques and practical experience, bridging knowledge gaps and enhancing their ability to handle real-world cybersecurity challenges. By focusing on advanced exploitation and mitigation, the program significantly contributed to their professional growth and had a positive impact on their organization.

Pentathon 2024: India’s First National-Level Pentesting Challenge
https://isfame.in/pentathon-2024indias-first-national-levelpentesting-challenge/ | Wed, 23 Apr 2025

Pentathon 2024 marked a milestone as India’s first national-level Vulnerability Assessment and Penetration Testing (VAPT) exercise of unprecedented scale. Organized by the National Critical Information Infrastructure Protection Centre (NCIIPC) in collaboration with the All India Council for Technical Education (AICTE), the event had Traboda as its technology partner. It showcased the growing emphasis on cybersecurity talent development in India. With an impressive turnout and participation, Pentathon 2024 set a new standard for cybersecurity challenges, integrating a comprehensive approach through online qualifiers and a high-stakes onsite finale.

Event Format

  • Stage I: Online Qualifier Round – a Jeopardy-style Capture The Flag (CTF) competition
  • Stage II: Onsite Finals
    • Round 1: Jeopardy-style CTF
    • Round 2: Simulated VAPT exercise

Stage 1: Online Qualifier Round

The first stage of Pentathon 2024 was a rigorous online qualifier held in March 2024. This phase engaged participants in a jeopardy-style Capture The Flag (CTF) competition, hosted on Traboda’s CTF platform. Participants tackled 27 unique challenges across various categories, including Web and API, Forensics, Reversing, OT (Operational Technology), Pentesting, Android, Binary Exploitation, and more. Traboda developed these challenges to provide an immersive experience. The event statistics speak volumes about its success:

  • 8,105 participants
  • 472 support tickets
  • 27 challenges
  • 4.58 million requests processed by the server
  • 48-hour CTF
  • 8 TB of data served

Stage II: Onsite Finals at Delhi

Stage II of Pentathon 2024, held in April 2024, offered in-person mentorship and training led by experts from Traboda and NCIIPC. The onsite round was structured in two parts:

Round 1 (Jeopardy-Style CTF):

  • 26 teams
  • 52 individuals
  • 9 unique challenges
  • 48-hour CTF
  • 5,228 points scored by the top team
  • 4,240 points scored by the top individual

Selection Process

Starting at 12:00 PM on the second day, one team and one individual were selected every two hours, culminating in the final selection of 15 teams and 15 individuals. These participants were granted access to the simulated metro system for Round 2. A shared instance of the system was then made available to the remaining teams and participants for Round 2.

Round 2 (Simulated VAPT Exercise)

Objective: Participants engaged in a realistic VAPT scenario hosted on Traboda’s CTF platform, tasked with exploiting vulnerabilities within a simulated metro system. Objectives included gaining Remote Code Execution (RCE) on an IT administrator’s machine, stopping the train, and crashing the train.

Evaluation: Conducted by an expert panel from NCIIPC and Traboda, participants were assessed on their ability to navigate the metro network environment and achieve its milestones.

  • 7 unique objectives
  • 1.5 hours to solve the first objective
  • 14 teams
  • 6 individuals
  • 8 VMs deployed for the railway OT system
  • 300+ cloud-based VMs for Round 2

  • Engagement and Reach: The event’s extensive participation highlighted a strong interest in cybersecurity across India, positioning Pentathon 2024 as a benchmark for future VAPT exercises.
  • Challenge Design: The balanced difficulty ensured engagement from novice to expert participants, fostering learning and competition.
  • Operational Success: The seamless management of high platform traffic and support requests highlighted Traboda’s robust event management capabilities in handling global-level events.

Pentathon 2024 effectively established VAPT as a key competitive activity, contributing to the advancement of India’s cybersecurity ecosystem. With high participation rates, an innovative challenge format, and expert-led evaluations, the event emphasized the importance of skill-building and community engagement in cybersecurity.

Leveraging Capture The Flag Competitions for Effective Cybersecurity Recruitment
https://isfame.in/leveraging-capture-the-flag-ctf-competitions-for-effective-cybersecurity-recruitment/ | Tue, 22 Apr 2025

Recruiting skilled cybersecurity professionals is a complex challenge, requiring organizations to assess candidates beyond resumes and interviews. To streamline this process, our client, a leading global financial services company, utilized Traboda Arena to host a Capture The Flag (CTF) competition for recruitment. This case study highlights how Traboda Arena provided an efficient, hands-on method to identify and select top cybersecurity talent.

Challenges in Traditional Hiring

Traditional hiring methods in cybersecurity often rely on certifications, structured interviews, and theoretical assessments. While these approaches help evaluate a candidate’s knowledge, they lack the ability to measure hands-on problem-solving skills in real-world scenarios. Identifying practical expertise, adaptability, and the ability to handle live security challenges remains a bottleneck in hiring cybersecurity professionals.

The CTF-Based Recruitment Approach

To address these limitations, we designed and executed a CTF competition tailored to assess candidates’ technical skills in a simulated environment. The event was structured in two phases:

  1. Qualifier Round: A multiple-choice questionnaire (MCQ) designed to evaluate foundational cybersecurity knowledge.
  2. Final CTF Round: A hands-on challenge-based competition where participants solved real-world security problems across categories like web security, digital forensics, reverse engineering, mobile security, network security, exploitation, cryptography, and secure coding.

The event attracted over 2,000 participants from across India, filtering down to the most skilled individuals through progressively challenging tasks.

Key Outcomes

  • Skill-Based Selection: The competition allowed the client to directly assess practical expertise, ensuring that shortlisted candidates possessed strong problem-solving and technical capabilities.
  • Efficient Screening: Compared to traditional hiring processes, which can take weeks, the CTF event identified top candidates within days, accelerating the recruitment timeline.
  • Data-Driven Evaluation: Automated scoring, challenge completion rates, and time-to-solve metrics provided objective insights into each participant’s performance.
  • Diversity in Talent Pool: Participants came from diverse educational backgrounds, highlighting the potential to discover untapped cybersecurity talent beyond conventional hiring channels.

Client Feedback

The client found the CTF-based recruitment process to be significantly faster and more effective than traditional hiring methods. The competition provided immediate results, allowing them to identify top talent without lengthy resume screenings and interview rounds. Additionally, the hands-on nature of the challenges ensured that selected candidates demonstrated real-world problem-solving abilities, making them a perfect fit for cybersecurity roles.

Conclusion

Traboda Arena proved to be a powerful tool in revolutionizing cybersecurity hiring by enabling a practical, efficient, and data-driven approach to candidate selection. The CTF-based method not only streamlined the recruitment process but also ensured that candidates possessed real-world problem-solving skills. As cybersecurity challenges grow, leveraging gamified assessments through Traboda Arena will continue to be an innovative strategy for hiring the best talent in the field.

Red Team Assessment: Strengthening Supply Chain Security
https://isfame.in/red-team-assessment-strengthening-supply-chain-security/ (Mon, 21 Apr 2025 12:11:07 +0000)

A leading consumer products company sought to assess the security posture of its supply chain by conducting a supply chain red team assessment. The objective was to evaluate security gaps in a third-party manufacturing site and its connectivity to the company’s internal IT environment. The assessment followed a zero-knowledge approach, simulating real-world attack scenarios to identify potential vulnerabilities and areas for improvement.

Scope and Objectives

The assessment focused on:

  • Identifying potential network paths between the organization’s network and the third-party manufacturing site.
  • Assessing network reachability from the third-party site to the organization’s internal infrastructure.
  • Discovering vulnerabilities in network devices and configurations that could be exploited to gain unauthorized access.

Key Findings

During the engagement, several critical security weaknesses were identified:

1. Unauthorized LAN Access

The team identified that the internal network lacked proper access controls, allowing unauthorized machines to connect to the LAN. By locating an open Ethernet port and requesting a DHCP lease, an attacker could obtain an IP address without authentication. This provided direct access to internal network resources, allowing the attacker to conduct reconnaissance, sniff network traffic, and pivot to other systems.

2. Insecure Wi-Fi Configuration

The enterprise Wi-Fi network was found to be vulnerable to unauthorized access due to weak authentication mechanisms. Using a rogue access point attack, the team was able to capture WPA2 handshakes and crack network credentials. Furthermore, inadequate rogue access point detection left the network exposed to man-in-the-middle (MITM) attacks, allowing attackers to intercept sensitive data.

3. Weak Application Security

Several critical applications, including a Tomcat server, were running with default administrative credentials. This allowed the red team to log in with commonly known default credentials and gain control over the applications. From this foothold, attackers could manipulate configurations, upload malicious payloads, and escalate privileges to access sensitive business data.

4. Exploitable Windows Protocols

The assessment revealed that Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) were enabled on multiple systems, making them susceptible to spoofing attacks. By deploying a Responder tool on the internal network, the team was able to capture NTLMv2 hashes from authentication requests. These hashes could then be cracked using brute-force techniques or relayed to escalate privileges and gain unauthorized access to internal resources.
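The spoofing pattern described in this finding is also visible from the defender's side: a legitimate host answers LLMNR or NBT-NS queries only for its own name, whereas a poisoning tool answers for every name it sees. The following script is an added example, not code from the assessment or from Traboda, that runs that heuristic over constructed name-resolution log lines. The one-line-per-packet log format, the host addresses and the canary hostname (a name the defender queries on purpose; since no such host exists, any answer is a spoofed one) are all assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Hypothetical one-line-per-packet log format (constructed for this example;
# adapt the regex to whatever your sensor actually emits).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>LLMNR|NBT-NS) op=(?P<op>query|response) name=(?P<name>\S+)$"
)

# Constructed sample traffic: 10.0.0.77 answers every name it sees (the pattern
# a poisoning tool produces), while 10.0.0.31 only answers for its own hostname.
SAMPLE_LOG = """\
2025-04-21T10:00:01Z src=10.0.0.5 dst=224.0.0.252 proto=LLMNR op=query name=FILESRV01
2025-04-21T10:00:01Z src=10.0.0.77 dst=10.0.0.5 proto=LLMNR op=response name=FILESRV01
2025-04-21T10:00:04Z src=10.0.0.8 dst=10.0.0.255 proto=NBT-NS op=query name=PRINTER-2
2025-04-21T10:00:04Z src=10.0.0.77 dst=10.0.0.8 proto=NBT-NS op=response name=PRINTER-2
2025-04-21T10:00:09Z src=10.0.0.20 dst=224.0.0.252 proto=LLMNR op=query name=LAPTOP-JD
2025-04-21T10:00:09Z src=10.0.0.31 dst=10.0.0.20 proto=LLMNR op=response name=LAPTOP-JD
2025-04-21T10:00:12Z src=10.0.0.9 dst=224.0.0.252 proto=LLMNR op=query name=WPAD
2025-04-21T10:00:12Z src=10.0.0.77 dst=10.0.0.9 proto=LLMNR op=response name=WPAD
2025-04-21T10:05:00Z src=10.0.0.100 dst=224.0.0.252 proto=LLMNR op=query name=CANARY-NOSUCHHOST
2025-04-21T10:05:00Z src=10.0.0.77 dst=10.0.0.100 proto=LLMNR op=response name=CANARY-NOSUCHHOST
not a log line
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_poisoners(lines: List[str], min_names: int = 3,
                   canary_names: tuple = ()) -> Dict[str, List[str]]:
    """Flag hosts that answer LLMNR/NBT-NS queries in a way legitimate hosts do not.

    A host is reported when it has answered for at least `min_names` distinct
    names, or when it answered for a canary name that the defender queried on
    purpose (no such host exists, so any answer is spoofed).
    """
    answered: Dict[str, set] = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec is None or rec["op"] != "response":
            continue
        answered[rec["src"]].add(rec["name"])

    canaries = {c.upper() for c in canary_names}
    suspects: Dict[str, List[str]] = {}
    for ip, names in answered.items():
        if len(names) >= min_names or (names & canaries):
            suspects[ip] = sorted(names)
    return suspects


def demo() -> Dict[str, List[str]]:
    """Run the heuristic over the constructed sample with the canary enabled."""
    return find_poisoners(SAMPLE_LOG.splitlines(), canary_names=("CANARY-NOSUCHHOST",))


if __name__ == "__main__":
    for ip, names in demo().items():
        print(f"{ip} answered for {len(names)} names: {', '.join(names)}")
```

The threshold and the canary are complementary: the threshold catches a poisoner that has been active for a while, and the canary catches it from the very first spoofed answer, which matters when the remediation (disabling LLMNR and NBT-NS by policy) has not yet reached every host.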

5. Weak Password Policy

Multiple user and administrator passwords were found to be weak and easily guessable, and appeared on commonly known password lists. Our team successfully captured authentication hashes from both Wi-Fi and LAN traffic and cracked them using dictionary attacks. Poor password hygiene, coupled with inadequate enforcement of strong password policies, significantly increased the risk of credential theft and unauthorized access.

6. Insecure Active Directory Management

The organization had an excessive number of domain administrator accounts, some of which had weak or easily guessable passwords. Additionally, several service accounts were found to have privileged access and were being used in multiple locations across the network. This widespread presence of privileged accounts increased the risk of lateral movement and privilege escalation attacks.

7. Lack of Multi-Factor Authentication (MFA)

The team was able to compromise an Office 365 administrator account due to the absence of two-factor authentication (2FA). This provided unauthorized access to emails, confidential files, and administrative tools. Without MFA, attackers could use stolen credentials to maintain persistent access to critical systems without detection.

8. Exposure of Building Management Systems (BMS)

The assessment revealed that the Building Management System (BMS) interface was accessible from the Wi-Fi network without authentication. This meant an attacker with access to the network could manipulate critical infrastructure, such as HVAC, lighting, and security controls, potentially leading to operational disruptions.

9. Surveillance Cameras with Weak Passwords

Multiple surveillance cameras were found to be using default or weak passwords, allowing unauthorized access to live video feeds. By connecting to the Wi-Fi network and identifying the IP addresses of these cameras, the team was able to log in and access real-time footage. This posed a serious security risk, as attackers could monitor employee movements and security procedures, facilitating physical intrusion attempts.

10. Legacy Wi-Fi Devices with Weak Authentication

A legacy Wi-Fi device, which was no longer in use, was still active within the network and had a weak default password. This device provided an unexpected entry point for attackers, enabling them to gain unauthorized access to the corporate network. Once inside, an attacker could launch man-in-the-middle attacks, intercept sensitive communications, or use the network as a pivot point for further exploitation.

Remediation and Impact

Following the assessment, we worked closely with the organization to mitigate the identified vulnerabilities. A structured remediation plan was developed and implemented, addressing each issue systematically:

  • Network security enhancements: Implemented robust network access controls (NAC), disabled insecure Windows protocols, and enforced strong authentication mechanisms for Wi-Fi and LAN access.
  • Application security hardening: Updated configurations to remove default credentials, applied access control policies, and enforced strong password policies across all critical applications.
  • Active Directory security improvements: Reduced the number of privileged accounts, implemented Privileged Identity Management (PIM), and enforced multi-factor authentication (MFA) for administrative users.
  • Infrastructure security upgrades: Restricted access to the Building Management System (BMS), secured surveillance camera configurations, and decommissioned outdated Wi-Fi devices.

By implementing these security measures, the organization significantly improved its security posture, mitigating risks posed by third-party integrations and strengthening its defenses against real-world cyber threats. This engagement highlights the critical importance of proactive security assessments in identifying and remediating vulnerabilities before they can be exploited by malicious actors.

Digital Defenders CTF 2023 – Battling Flag Sharing in CTFs with Traboda Arena
https://isfame.in/digital-defenders-ctf-2023-battling-flag-sharing-in-ctfs-with-traboda-arena/ (Mon, 14 Oct 2024 09:07:19 +0000)

Traboda hosted the 2023 Digital Defenders CTF on its Arena platform. The event was sponsored by Cisco India CSR and conducted by CySecK, the Karnataka TechCenter of Excellence for Cyber Security, along with the Indian Institute of Science’s Centre for Network Intelligence, Bengaluru. Traboda partnered with team bi0s, India’s No. 1 ranked CTF team, to develop the challenges, manage the platform and provide support during the CTF.

The Organizers & the Programme

Established in 2017 by the Government of Karnataka, the Centre of Excellence in Cybersecurity (CySecK) aims to foster a cyber-safe environment, facilitate industry collaboration, address skill gaps, and promote innovation in the rapidly evolving field of cyber-security. Located within the prestigious Indian Institute of Science (IISc) Bangalore, CySecK regularly conducts high-quality training programs in cyber-security.

This year, CySecK partnered with the Centre for Networked Intelligence (CNI) at the Indian Institute of Science, Bengaluru, an initiative sponsored by Cisco Systems India Pvt. Ltd.’s CSR, to organize the Digital Defenders Master Class and Capture the Flag (CTF) programme.

Cisco India, a steadfast supporter of cyber-security initiatives nationwide, has previously sponsored the Amrita InCTF organized by Team bi0s and collaborated with the founders of Traboda to conduct the Attack-Defense CTF at their AJPC SecCon. As a result, Traboda and Team bi0s, with over a decade of experience organizing CTFs, were selected as natural partners for the initiative.

The Digital Defenders Masterclass programme featured webinars across various domains of cybersecurity, including network security, web security, forensics, and cryptography, spread over the month of June, and was delivered by experts from the industry, Cisco India, and the members of team bi0s. To conclude the programme and put the skills learnt during the training to the test, the 76-hour Digital Defenders CTF was conducted from July 6 to 9.

The Digital Defenders CTF

The Digital Defenders CTF, hosted on the Traboda Arena platform by team bi0s, who also prepared a great set of challenges for it, was open to top Indian students who qualified for it through their participation in the webinars conducted earlier.

The virtual CTF event boasted an impressive prize pool of 4 lakhs INR (~ 5,000 USD) and offered internship opportunities with partner organizations such as Cisco. Consequently, concerns arose regarding the potential for participants to engage in cheating by sharing and trading flags with one another. This issue is prevalent and challenging to prevent in CTF events, particularly when they serve as recruitment drives or offer substantial rewards. In such cases, participants’ motives may shift from learning and skill development to solely pursuing prizes and opportunities.

However, our team, consisting of veteran CTF players, had developed the Traboda Arena platform, drawing on over 5 years of experience hosting international and corporate CTFs. Arena was built from the ground up to prevent, detect and report incidents of flag sharing and trading, and was deployed with these advanced anti-cheat mechanisms for the CTF.

Arena detects & prevents flag-sharing & trades

Arena comes out of the box with various mechanisms that help organizers prevent various types of cheating in CTFs. Here are a few ways in which Arena ensures fairness and prevents cheating in the CTFs it hosts:

  • Unique Flag Generation – For challenges that have a deployment (such as web, pwn, etc.), Arena can deploy an on-demand individual instance for every participant, each embedded with its own unique flag. No two instances, and thus no two participants, are given the same flag for a challenge, so copying a flag from another participant is not just futile but also triggers an incident that easily captures both the sharer and the copier.
  • Auto Submitting Challenge – Authors can write their challenge application to perform server-side submission or validation of the solve, triggered from the challenge instance when a certain vulnerability/bug has been successfully found/exploited by the participant. Thus, there is no need for the participant to submit the flag, or in fact to print out the flag at all. In the absence of a flag, there is nothing a participant can share or trade with others.
  • Smart Activity Monitoring – Arena extensively logs all kinds of activity that a participant performs on the platform, such as when a challenge attachment is downloaded, a deployment is opened, etc. This is then processed to detect and report unusual incidents, like a correct flag submission for a challenge whose attachment the participant has not yet downloaded, which could be a result of flag sharing.

With the above features in place and the challenges authored by team bi0s taking full advantage of the platform, we detected around 115 instances of flag sharing. The organizing team could easily find them on the logs page in the admin panel of Arena and take appropriate action.

To maintain fairness among participants, the organizers issued a warning about the ongoing flag sharing and insisted that it must be stopped. Unaware of the automated detection system in place, some participants continued to trade flags, mistakenly believing that we were issuing warnings after catching a few through manual reporting.

As the CTF progressed, organizers received messages from some participants, revealing that a few desperate individuals were asking for flags and attempting to trade with them. This is a common issue, but often organizers can do little more than warn these individuals. However, Adhithya from team bi0s devised an intriguing solution: distributing fake flags, or honeypots, to the reporters and encouraging them to share them with those seeking flags. Here’s how this technique works:

  1. Participant A reports to the admins that B is asking for a flag for challenge X.
  2. An admin generates and sets up a honeypot flag for challenge X, gives it to participant A and asks them to share it with B.
  3. Unaware that it is a honeypot, participant B submits the fake flag and receives points for it.
  4. In the admin panel’s submissions view, the admin can now clearly see participant B’s submission of the fake flag. Since this flag cannot be obtained legitimately by solving the challenge, it is evident that it was shared by participant A with participant B, proving flag sharing.
  5. Armed with this evidence, the admin confronts participant B and bans them for violating the competition rules.
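The per-participant flags and activity monitoring listed above and the honeypot procedure just described rest on one idea: every flag the platform hands out is bound to the participant who received it, so a submission can always be traced back to its origin. The following script is an added example written for this article; it is not Arena's code and makes no claim about how Arena implements these checks. It models a hypothetical flag registry that derives a unique flag per (challenge, participant) with an HMAC, issues honeypot flags tied to the reporter, and then replays a constructed activity log to raise the three kinds of incident: a submission of someone else's flag, a submission of a honeypot, and a correct solve by a participant who never downloaded the attachment. The secret, participant names, challenge id and event timeline are all constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed platform secret for this example; a real platform keeps it out of source.
FLAG_SECRET = b"constructed-demo-secret"


@dataclass
class FlagRecord:
    challenge: str
    issued_to: str   # participant who received the flag (for honeypots: the reporter)
    kind: str        # "unique" (a participant's own flag) or "honeypot"


class FlagRegistry:
    """Issues per-participant and honeypot flags, and maps any flag back to its origin."""

    def __init__(self) -> None:
        self._flags: Dict[str, FlagRecord] = {}

    def _derive(self, label: str) -> str:
        # HMAC keeps flags unguessable and bound to the label (challenge + participant).
        digest = hmac.new(FLAG_SECRET, label.encode(), hashlib.sha256).hexdigest()[:16]
        return f"flag{{{digest}}}"

    def issue_unique(self, challenge: str, participant: str) -> str:
        flag = self._derive(f"unique|{challenge}|{participant}")
        self._flags[flag] = FlagRecord(challenge, participant, "unique")
        return flag

    def issue_honeypot(self, challenge: str, reporter: str) -> str:
        flag = self._derive(f"honeypot|{challenge}|{reporter}")
        self._flags[flag] = FlagRecord(challenge, reporter, "honeypot")
        return flag

    def lookup(self, flag: str) -> Optional[FlagRecord]:
        return self._flags.get(flag)


@dataclass
class Event:
    ts: int
    kind: str          # "download" (attachment fetched) or "submit"
    participant: str
    challenge: str
    flag: str = ""     # only meaningful for "submit"


def detect_incidents(registry: FlagRegistry, events: List[Event]) -> List[dict]:
    """Replay the activity log and return flag-sharing incidents in time order."""
    incidents: List[dict] = []
    downloaded = set()  # (participant, challenge) pairs that fetched the attachment
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "download":
            downloaded.add((ev.participant, ev.challenge))
            continue
        if ev.kind != "submit":
            continue
        rec = registry.lookup(ev.flag)
        if rec is None:
            continue  # simply a wrong flag; not evidence of anything
        base = {"ts": ev.ts, "challenge": rec.challenge, "submitter": ev.participant}
        if rec.kind == "honeypot":
            # A honeypot can never be obtained by solving, so the only route is the reporter.
            incidents.append({**base, "type": "honeypot_submitted", "shared_by": rec.issued_to})
        elif rec.issued_to != ev.participant:
            # A flag issued to someone else: both sharer and copier are identified.
            incidents.append({**base, "type": "foreign_flag", "sharer": rec.issued_to})
        elif rec.challenge == ev.challenge and (ev.participant, ev.challenge) not in downloaded:
            # Correct own flag, but the attachment was never fetched.
            incidents.append({**base, "type": "solve_without_download"})
    return incidents


def demo() -> List[dict]:
    """Constructed scenario that exercises all three detections."""
    reg = FlagRegistry()
    alice_flag = reg.issue_unique("web01", "alice")
    bob_flag = reg.issue_unique("web01", "bob")        # issued to bob, who never uses it
    carol_flag = reg.issue_unique("web01", "carol")
    honeypot = reg.issue_honeypot("web01", "dave")     # dave reported eve; admin gives dave a honeypot
    assert alice_flag != bob_flag != carol_flag
    events = [
        Event(1, "download", "alice", "web01"),
        Event(5, "submit", "alice", "web01", alice_flag),   # legitimate solve
        Event(7, "submit", "bob", "web01", alice_flag),     # bob copied alice's flag
        Event(9, "submit", "carol", "web01", carol_flag),   # correct, but never downloaded
        Event(12, "submit", "eve", "web01", honeypot),      # eve submitted the honeypot
    ]
    return detect_incidents(reg, events)


if __name__ == "__main__":
    for inc in demo():
        print(inc)
```

The foreign-flag case names both parties from a single submission, which is why per-participant flags make copying self-incriminating; the honeypot case works without any instrumentation of the challenge itself, since the platform only needs to remember which reporter it handed the fake flag to.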

By the end of the CTF, with these measures, 20 participants were banned and disqualified from the contest. To make the process transparent, the organizers exported the flag-sharing logs from the platform and shared them in the contest’s Telegram group, so that participants could see the evidence we had.

The CTF went on to become a great success with over 54% of registered participants getting into the scoreboard, and all the challenges getting a good number of solves.

Arena’s Impact

By leveraging the Traboda Arena platform’s advanced anti-cheat mechanisms and the expertise of team bi0s, the Digital Defenders CTF was able to maintain a fair and competitive environment for all participants. This ensured that the focus remained on learning and skill development, rather than simply pursuing prizes and opportunities. The success of the event demonstrates the importance of investing in robust platforms and collaborating with experienced partners to create high-quality cyber-security training experiences.

Events like the Digital Defenders CTF play a crucial role in shaping the future of cyber-security. By training young adults in different types of cyber-security violation scenarios, such events help create a pool of skilled professionals who can tackle the growing threat of cyberattacks.

With the rise of digitization and increasing dependence on technology, cyber-security has become one of the most critical areas for businesses and governments alike. However, there is a significant shortage of skilled professionals in this field. Events like Digital Defenders CTF can help bridge this gap by encouraging young adults to pursue careers in cyber-security.

Moreover, events like these provide an opportunity for participants to learn from industry experts and gain hands-on experience through practical challenges. This exposure to real-world scenarios helps participants develop a deeper understanding of the challenges faced by cyber-security professionals and equips them with skills that are relevant to their future careers.
