The XP Cyber Blog

5 days ago2 min read

The NICE Challenge Project is Now XP Cyber!

Updated: 10 hours ago

Why We Rebranded

After a decade as the NICE Challenge Project, we have rebranded to Experience Cyber, or XP Cyber for short. This rebranding is meant to better encompass all the different work we do in the cyber education space and recognize that after ten years, we are not just a "project" anymore. As part of this effort, we have rebranded the NICE Challenge Webportal to the XP Cyber Range and the NICE Challenge Helpdesk to the XP Cyber Support Portal.

What Has Changed

New Logo

A new logo to match our new brand!

New Official Names, URLs, & Email Addresses

NICE Challenge Name, URL, or Email	XP Cyber Name, URL, or Email
NICE Challenge Project	Experience Cyber / XP Cyber
nice-challenge.com	xpcyber.com
NICE Challenge Webportal	XP Cyber Range
portal.nice-challenge.com	range.xpcyber.com
no-reply@nice-challenge.com	no-reply@xpcyber.com
NICE Challenge HelpDesk	XP Cyber Support Portal
nicechallenge.freshdesk.com	xpcyber.freshdesk.com

New Platform (Cyber Range) Email Address

The XP Cyber Range sends emails using a new platform email address: no-reply@xpcyber.com. Curators and players must be able to receive these emails to set up their accounts, reset their passwords, receive assignment and workspace notifications, and receive any other non-support emails.

If your institution requires email addresses to be whitelisted before your Curators or Players can receive emails from them, you will need to have the new platform email address, no-reply@xpcyber.com, whitelisted before you can start using the XP Cyber Range. To ensure users affected by this change can transition smoothly, the NICE Challenge Webportal will continue to operate and use the old platform email address, no-reply@nice-challenge.com, until the Summer of 2025.

What Didn't Change

User Accounts, Passwords, & Account Data

All user accounts (i.e., Players, Curators, and Overseers) from NICE Challenge Webportal can be used to log in to the XP Cyber Range using the same login credentials. Additionally, all NICE Challenge Webportal account data associated with those user accounts (e.g., assignments, submissions, player rosters, player groups, signatures, workspaces, seat credits, etc.) is available on the XP Cyber Range.

All user accounts from the NICE Challenge HelpDesk have transitioned to the XP Cyber Support Portal and can be accessed using the same login credentials. Additionally, all NICE Challenge Helpdesk account data associated with those user accounts (e.g., support tickets) has transitioned to the XP Cyber Support Portal.

The Challenge Catalog

All the challenges (including threat sandboxes) and environments available in the NICE Challenge Webportal at the end of 2024 are available on the XP Cyber Range.

The Team, Mission, & Price

Rest assured, just because we changed our branding does not mean we have changed. We are still the same dedicated leadership, engineering, and support teams at California State University, San Bernardino, committed to delivering students and educators across the United States the cyber workforce experience before the workforce, at scale, year-round, and for free.

Questions?

If you have any questions or concerns about our rebranding, please contact us on the XP Cyber Support Portal.

Dec 25, 20243 min read

Introducing the CISA Threat Sandbox Challenges!

Today, we are thrilled to unveil and introduce our latest set of Challenges, the CISA Threat Sandbox Challenges! Over the past year, we have had the privilege of collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) to develop twelve (12) hands-on purple team (combination of red and blue teams) style cyber challenge exercises.

Each CISA Threat Sandbox Challenge revolves around a Common Vulnerability & Exposure (CVE) that has been included in the CISA Known Exploited Vulnerabilities (KEV) Catalog. Participants are provided with authoritative sources of information related to the chosen CVE and are tasked with using their offensive and defensive cyber skills to accomplish two objectives: one red team (e.g., exploit and exfiltrate, exploit and deploy C2-enabled malware, etc.) and one blue team (e.g., patch vulnerable software, implement mitigations, etc.). The participant will complete these objectives in a virtual environment that includes systems tailored to the needs of the CVE and contextualized as systems being used by organizations and businesses within a critical infrastructure (CI) sector.

Below you can see the virtual environment network map for the CISA Threat Sandbox Challenge: Apache Proxy4All (CVE-2021-40438).

Network Map of the Threat Sandbox Mission Space

CISA Threat Sandbox Challenge Highlights

As mentioned earlier, we are launching twelve (12) CISA Threat Sandbox Challenges. We highly recommend that you explore all of them on the XP Cyber Range (Curator Account Required). Below, we have highlighted two of these challenges to give you a glimpse of what to expect.

CISA Threat Sandbox Challenge: UnRAR v Zimbra (CVE-2022-30333)

In this CISA Threat Sandbox Challenge the participant will learn about CVE-2022-30333, a seemingly unassuming directory traversal and arbitrary write vulnerability in a simple file extracting application, and then exercise that knowledge along with their offensive and defensive cyber skills. After learning about the CVE, they will be asked to complete two technical objectives, one red team (offensive) and one blue team (defensive), related to the CVE:

Red Team (Offensive) Objective: Utilize CVE-2022-30333 to start a multi-step exploit chain to deploy command and control (C2) enabled malware on a system running a vulnerable UnRAR version as part of a Zimbra Collaboration Suite instance used by an information technology (IT) business (i.e., the red target system).
Blue Team (Defensive) Objective: Patch CVE-2022-30333 to safeguard a system running a Zimbra Collaboration Suite instance used by an information technology (IT) business (i.e., the blue target system).

CISA Threat Sandbox Challenge: Apache Proxy4All (CVE-2021-40438)

In this CISA Threat Sandbox Challenge the participant will learn about CVE-2021-40438, a dangerous server-side request forgery (SSRF) vulnerability, and then exercise that knowledge along with their offensive and defensive cyber skills. After learning about the CVE, they will be asked to complete two technical objectives, one red team (offensive) and one blue team (defensive), related to the CVE:

Red Team (Offensive) Objective: Utilize CVE-2021-40438 to exploit a vulnerable Apache web server-based remote site VPN appliance (i.e., the outer red target system) to perform recon on a typically externally inaccessible ICS/OT system (i.e., the inner red target system), where all of the involved systems are operated by an energy utility company.
Blue Team (Defensive) Objective: Patch CVE-2021-40438 on a vulnerable Apache web server-based remote site VPN appliance (i.e., the blue target system) to safeguard the ICS/OT network the appliance guards access to, where all of the involved systems are operated by an energy utility company.

This environment and challenges were created through a partnership with and funding provided by CISA.

Dec 25, 20242 min read

Introducing the Industrial Control Systems Environment & Challenges!

Welcome to our newest environment, Zapp Public Power. This industrial control system (ICS) themed environment brings to life an electrical substation at a power utility. The challenges within this environment allow players to experience on-demand cybersecurity work roles, performing some of their core tasks within an ICS context.

Creating this environment has taken months of research, designing, planning, and engineering. We collaborated with the Cybersecurity and Infrastructure Security Agency (CISA) and subject matter experts from multiple US national labs in order to craft a virtualized, realistic substation and create cybersecurity challenges based on issues both dire and common to ICS in the real world.

Zapp Public Power Environment

Zapp Public Power is a fictional power utility that operates the power grid for various stakeholders, including residential customers and critical infrastructure (e.g., manufacturing, hospitals, schools, etc.). This environment specifically actualizes one of Zapp Public Power's primary electrical substations. To bring this substation to life, we created a simulation that could emulate the ICS sensors and equipment typically found in a substation, as well as two custom applications that allow one to directly view and alter the state of the ICS sensors and equipment. To further the depth of realism, we designed the ICS sensors and equipment simulation to mimic a programmable logic controller (PLC), enabling the substation to be monitored and interacted with via standard ICS applications (e.g., openHistorian) and protocols (e.g., Modbus).

Players will receive tasks and information from fictional characters representing various roles within the industry, such as electrical engineers, management staff, and cybersecurity professionals, when attempting challenges in this environment.

Zapp Public Power Challenge Highlights

At present, the Zapp Public Power environment offers six different challenges. And while we highly recommend that you check out all six of them on the XP Cyber Range (a Curator account is required), we have highlighted two of the challenges below to give you an idea of what to expect in this new environment.

Challenge: Alarmingly Available ICS: Analysis & Report

An anonymous report, concerning public exposure of a Zapp Power substation's camera feed and controls, has confirmed two Zapp Power electrical engineers' eerie feelings that they were being watched while performing on-site maintenance at Zapp Substation 434. The player is tasked with reviewing and reporting anything, camera included, that is publicly exposed at Zapp Power Substation 434, so the exposures can be corrected by Zapp Power HQ staff.

Challenge: Cyber De-energizer: VPN Credential Stuffing

A recent security breach at a credit union used by many Zapp Power employees has allowed an unknown attacker to perform a successful credential-stuffing attack against Zapp Substation 434's VPN. Once inside, the attacker accessed the substation's Human Machine Interface (HMI) and shut down the outgoing power from the substation, plunging customer neighborhoods into darkness. The player is tasked with discovering the compromised VPN account, updating the compromised password, and bringing the power back online.