Posted on March 23, 2023 at 4:31 PM
Zero-day hackers hack tech giants in a $1 million hacking competition
Tech giants are not immune to hacking attacks that can wreak significant havoc on the users who rely on these companies. Some of the most prominent hackers might target these companies, which usually have a reputation for robust security controls. However, as the Pwn2Own Vancouver 2023 hacking competition shows, these companies are not immune to hacking attacks.
Tech giants are vulnerable to a zero-day exploit
The Pwn2Own hacking competition started yesterday, and some exciting developments are already being reported. On the first day of the competition, tech giants were shown to be vulnerable to elite hackers.
As soon as the competition started, some of the biggest tech companies had already fallen to some of the most sophisticated zero-day security exploits. The tech giants in question include Apple, Ubuntu, Adobe Reader, Microsoft SharePoint, Microsoft Windows 11, Apple macOS, and Oracle VirtualBox.
The Pwn2Own Vancouver 2023 hacking competition will run until March 24. It is set to award the best elite hackers and expose security vulnerabilities that bad threat actors could exploit.
This competition attracts the best hackers worldwide, with the winners walking away with over $1 million. On the first day, $375,000 was awarded to the hackers who participated in the event. The remaining days will see Microsoft Teams and VMware Workstation being tested, and serious security weaknesses could be uncovered.
The Pwn2Own global hacking event is organized by the Trend Micro Zero Day Initiative (ZDI). This event has been ongoing since 2005. The event attracts the participation of some of the best hacking teams globally. The hackers compete against each other and against pre-determined tech targets using zero-day exploits that have not previously been identified.
The hacking competition is intense because it includes a timeframe for a hacker to complete a hacking exploit. The bounty hunting hackers and cybersecurity professionals have a limited time within which they have to gain entry to the target in question by exploiting a zero-day bug.
The success of a hacker in this event is rewarded gradually. The successful hackers are rewarded with points later added to the Masters of Pwn leaderboard. Moreover, the nature of this competition should not be underestimated because it attracts some of the best hackers globally. These hackers receive handsome payments for their participation and successful exploitation.
Given the nature of this competition and the large tech giants that participate in the event, the prize fund surpasses $1 million. This prize fund goes to the hackers who prove their skills superior to those of the other participants.
Hacking competition benefits tech giants
Hacking attacks can usually cause significant harm to individuals and companies. Given the sensitive nature of tech companies, most choose to partake in these competitions to ensure they remain proactive.
Each vulnerability exploited by a zero-day hacker participating in the competition is turned over to the vendor so they can patch the issue. A patch will be issued for the vulnerability before it is disclosed to the public.
The bug will not be disclosed to the public until a patch is released to ensure that bad threat actors do not exploit it. ZDI, the event organizer, does not sell or redistribute any of the zero-day exploits. The nature of this competition shows that besides allowing hackers to prove their skills, it also allows tech companies to patch any significant issues that would otherwise cause them harm.
One of the teams that participated in this competition is known as Synacktiv. These hackers breached the Apple macOS kernel, using an elevation-of-privilege attack, and the Tesla Gateway. The team used a time-of-check-to-time-of-use (TOCTOU) attack to conduct the exploits. These hackers won $140,000 and a Tesla Model 3.
The other team that also conducted a successful exploit was STAR Labs. The team completed a chained exploit against Microsoft SharePoint. They also used a previously known exploit to target the Ubuntu desktop. The team won $115,000.
Adobe Reader was also exploited by AbdulAziz Hariri from Haboob SA. The hacker gained entry to Adobe Reader using a six-vulnerability exploit chain that allowed them to escape the Adobe sandbox. This hacker won $50,000. Bien Pham from Qrious Security also conducted a successful exploit against Oracle VirtualBox and won $40,000. Marcin Wiazowski also executed multiple privilege attacks targeting Windows 11. This exploit earned $30,000.