Hackers at Pwn2Own earn $400K for zero-day ICS exploits

by | Apr 1, 2022 | News



Pwn2Own Miami 2022 has ended with competitors earning $400,000 for 26 zero-day exploits (and several bug collisions) targeting ICS and SCADA products demoed during the contest between April 19 and April 21.

 

 

Security researchers targeted multiple production categories: Control Server, OPC Unified Architecture (OPC UA) Server, Data Gateway, and Human Machine Interface (HMI).

“Thanks again to all of the competitors who participated. We couldn’t have a contest without them,” Trend Micro’s Zero Day Initiative (ZDI) said today.

“Thanks also to the participating vendors for their cooperation and for providing fixes for the bugs disclosed throughout the contest.”

After the security vulnerabilities exploited during Pwn2Own are reported, vendors have 120 days to release patches before ZDI publicly discloses them.

 

 

 


 

Winners awarded $90,000

 

The winners of the Pwn2Own Miami 2022 event are Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps) from Computest Sector 7 (@sector7_nl).

During day one, they earned $20,000 after executing code on the Inductive Automation Ignition SCADA control server solution by exploiting a missing authentication weakness.

The same day, they used an uncontrolled search path vulnerability to gain remote code execution (RCE) in AVEVA Edge HMI/SCADA software and were awarded $20,000 for their efforts.

On the second day, Computest Sector 7 exploited an infinite loop condition to trigger a DoS state against the Unified Automation C++ Demo Server and earned $5,000.

Last but not least, on day two of Pwn2Own Miami 2022, the team bypassed the trusted application check on the OPC Foundation OPC UA .NET Standard and added $40,000 to their awards stash.

They won the Master of Pwn title after earning a total of $90,000 during the three days of the contest and getting the first spot on the leaderboard with a total of 90 points.

 

Figure: Master of Pwn leaderboard, Pwn2Own Miami 2022 results (ZDI)

 

This year’s Pwn2Own Miami took place in person at the S4 conference in Miami South Beach and also allowed remote participation.

 

 

 
 
 

 

 

During the first edition of the ICS-themed Pwn2Own Miami, held back in January 2020, ZDI awarded $280,000 for 24 unique zero-day vulnerabilities in ICS and SCADA products.

You can watch a recording of the Computest Sector 7 (@sector7_nl) team targeting the OPC Foundation OPC UA .NET Standard below.

ZDI described their attempt as exploiting “one of the more interesting bugs we’ve ever seen at a Pwn2Own.”

 

 

 


 

Source: bleepingcomputer.com
