Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Pwn2Own Miami: Hackers earn $400,000 by cracking ICS platforms

The second edition of Pwn2Own Miami has thrown up dozens of previously undiscovered exploits to industrial control systems, earning security researchers pay-outs of $400,000 in the process.

Pwn2Own Miami followed a similar format to more established hacking contests from Trend Micro’s Zero Day Initiative but with a different focus around industrial control systems (ICS) rather than computers or mobile devices.

At the end of the three-day event, Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps) from team Computest Sector 7 were crowned Master of Pwn with 90 points and $90,000.

Other researchers and bug bounty hunters successfully demonstrated previously unknown zero-day vulnerabilities in industrial control platforms during the event, which organizers hailed as an unqualified success.

Dustin Childs, communications manager for Trend Micro’s ZDI program, told The Daily Swig: “The contest this year was three days of great research put on display. We awarded $400,000 for 26 unique exploits.

“Our inaugural competition awarded $280,000, so it was great to see the contest grow – especially after being delayed due to the pandemic.”

A variety of clever and subtle attacks against industrial control systems were developed for and showcased during the event.

On the web security front, Sam Thomas, director of research at UK security consultancy Pentest, was straight out of the raps on the first day in demonstrating an authentication bypass and a deserialization bug to achieve code execution on the Inductive Automation Ignition SCADA control software platform.

The contest was a worthwhile exercise for participants, according to Thomas.

Thomas told The Daily Swig: “As always [it was] a fun contest with interesting targets. [ I was] lucky to be drawn first, but seems like there weren’t many duplicates on this particular target which is interesting to see, hopefully [I will] scope to find something else for next year.”

Other researchers took a variety of other platforms apart, as detailed in a full run-down of the contest put together by ZDI.

Childs said: “One highlight was the bypass of the trusted application check in the OPC Foundation OPC UA .NET Standard by the Computest team. Not only does the bug have a broad impact, it’s one of the best submissions we’ve ever seen at a Pwn2Own event.”

“Others that stood out were the buffer overrun used by Claroty Research against Kepware KEPServerEx and the double-free bug used by Axel ‘0vercl0k’ Souchet against Iconincs Genesis64,” they added.

Further editions of the ICS-focused edition of the wider Pwn2Own roster are in the works. Trend Micro ZDI told The Daily Swig that it wanted to build momentum behind the event by persuading more industrial control system vendors to become more closely involved.

“We saw some amazing exploits, and I know vendors are already hard at work developing patches for the bugs we disclosed to them,” Childs said.

Advertisement. Scroll to continue reading.

“We are pleased with the growth we saw this year, and we’d love to see that continue. Ideally, we can partner with more vendors within the ICS/SCADA community to ensure we have the right targets and get them the best bugs possible to fix before they are exploited by threat actors.”

Source: https://portswigger.net/daily-swig/pwn2own-miami-hackers-earn-400-000-by-cracking-ics-platforms

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO