
Hacking Contest: How QNAP Overcame Critical Zero-Day Flaws


One recent event that highlights the relentless pace of the digital arms race is QNAP's swift patching of a second zero-day vulnerability, which security researchers exploited during the recent Pwn2Own hacking contest.

The critical SQL injection (SQLi) flaw, identified as CVE-2024-50387, was discovered in QNAP's SMB Service. It has now been patched in versions 4.15.002 and later and h4.15.002 and later. The fix was released a week after researcher YingMuo, participating through the DEVCORE Internship Program, successfully exploited the flaw to gain root access to a QNAP TS-464 NAS device at Pwn2Own Ireland 2024.

The Pwn2Own Competition

The Pwn2Own competitions are legendary in cybersecurity circles. These events invite the brightest ethical hackers from around the globe to demonstrate their skills by identifying and exploiting vulnerabilities in widely used software and hardware. The stakes are high, with significant monetary rewards and prestige on the line. The ultimate goal, however, is to strengthen the security of the products we rely on daily by exposing and rectifying their weaknesses.

At the 2024 Pwn2Own Ireland event, a critical vulnerability was uncovered in QNAP's HBS 3 Hybrid Backup Sync software, an essential tool for users seeking to secure their data through backup solutions. This vulnerability, identified as CVE-2024-50388, was an OS command injection flaw that allowed attackers to execute arbitrary commands on the host system. In simpler terms, this flaw could enable unauthorized individuals to gain root access to QNAP NAS devices—a severe security breach.

QNAP's Response

Upon learning of the exploit, QNAP's response was both prompt and thorough. The company's immediate actions underscore the importance of rapid response in cybersecurity. They quickly released a security patch to address the vulnerability, mitigating the risk to their users. This quick turnaround is crucial because the longer a vulnerability remains unaddressed, the greater the potential for malicious exploitation.

The patch not only protects users from potential attacks but also reinforces trust in QNAP's commitment to security. For any company in the tech space, maintaining user confidence is paramount, and QNAP's decisive action in patching the vulnerability goes a long way in assuring their user base.

Vigilance Is a Must

This incident with QNAP's HBS 3 software underscores the importance of regular software updates and patches. Users must diligently apply updates to protect their systems against known vulnerabilities. Companies must maintain robust monitoring and response mechanisms to swiftly address any emerging threats.

Events like Pwn2Own stress the value of collaboration between tech companies and the ethical hacking community. By working together, they can identify and fix vulnerabilities before they can be exploited by malicious actors. This proactive approach to cybersecurity is essential in a world where the threat landscape is continually evolving.

An Award-Winning iPhone Hack Used by China to Spy on Uyghur Muslims

 

According to a recent article, the Chinese government used an award-winning iPhone hack first uncovered three years ago at a Beijing hacking competition to spy on the phones of Uyghur Muslims. The government was able to successfully tap into the phones of Uyghur Muslims in 2018 using a sophisticated tool, according to a study published Thursday by MIT Technology Review. 

For years, the US government and other major technology firms have recognized that China has been waging a violent campaign against ethnic minorities using social media, phones, and other technologies. The campaign also attacked journalists and imitated Uyghur news organizations.

According to the MIT Technology Review report, the hacking vulnerability was discovered during the Beijing competition. The Tianfu Cup hacking competition began in November 2018 in China as a way for Chinese hackers to discover vulnerabilities in popular tech software. According to the report, the competition was modeled after an international event called Pwn2Own, which attracts hackers from all over the world to demonstrate technical bugs so that vendors can discover and patch defects in their products.

However, China's Tianfu Cup was designed to let Chinese hackers demonstrate those vulnerabilities without exposing them to the rest of the world. According to the report, this would enable the Chinese government to use the hacking methods found at the event for its own purposes.

The very first event took place in November 2018. Qixun Zhao, a researcher at Qihoo 360, won the top prize of $200,000 for demonstrating a remarkable chain of exploits that allowed him to easily and reliably take control of even the newest and most up-to-date iPhones. The chain began inside the Safari web browser and used a flaw in the kernel of the iPhone's operating system.

What's the end result? Any iPhone that accessed a web page containing Qixun's malicious code could be taken over by a remote intruder. It's the type of hack that could be traded on the black market for millions of dollars, allowing hackers or governments to spy on huge groups of people. Qixun named it "Chaos".

Apple patched it two months later, but an analysis revealed that it had been used by the Chinese government to hack Uyghur Muslims' iPhones in the interim. After US surveillance found it and confirmed it to Apple, the company released a low-key press release acknowledging it, but the full scale of it wasn't understood until now.

Hackers Won a Tesla Model 3 After Hacking Into Its Infotainment System



A group of hackers won $35,000 and a Tesla Model 3 car after they managed to break into its security systems at a hacking event held last week.

During the hacking competition Pwn2Own 2019, organized by Trend Micro's "Zero Day Initiative (ZDI)", two hackers, Amat Cama and Richard Zhu of team Fluoroacetate, exposed a vulnerability in the Tesla Model 3.

According to a report by Electrek on Saturday, the hackers attacked the infotainment system of the Tesla Model 3 and exploited a "JIT bug in the renderer" to take control of the system.

"Since launching our bug bounty programme in 2014, we have continuously increased our investments into partnerships with security researchers to ensure that all Tesla owners constantly benefit from the brightest minds in the community," said David Lau, who is vice-president of vehicle software at Tesla.

Tesla has organized many bounty programs over the last four years to expose vulnerabilities in its cars and has paid thousands of dollars to hackers who successfully found flaws in the system.

David Lau further added: “We develop our cars with the highest standards of safety in every respect, and our work with the security research community is invaluable to us. Since launching our bug bounty program in 2014 – the first to include a connected consumer vehicle – we have continuously increased our investments into partnerships with security researchers to ensure that all Tesla owners constantly benefit from the brightest minds in the community. We look forward to learning about, and rewarding, great work in Pwn2Own so that we can continue to improve our products and our approach to designing inherently secure systems.”