Exploiting industrial network vulnerabilities, Vietnamese engineers have achieved impressive results at Pwn2Own

Tram Ho

Pwn2Own is a famous cyberattack competition, sponsored by Trend Micro and organized by the Zero Day Initiative. This annual event aims to find unknown security holes for hackers around the world. The competition this time took the theme of industrial networking and was held in Miami, with four categories: OPC Unified Architecture Server (OPC UA server), OPC UA Client, Data Gateway and Edge Systems. Although this is the first time participating in the competition, the ECQ technical team successfully exploited two zero-day vulnerabilities, reaching a total of 25 Master of Pwn and winning a prize of $25,000.

Khai thác lỗ hổng mạng công nghiệp, nhóm kỹ sư Việt đạt thành tích ấn tượng tại Pwn2Own - Ảnh 1.

ECQ successfully conquered two goals. Source: Trend Micro

Specifically, for the first target on February 14th, the Softing edgeConnector Siemens application belongs to the OPC UA server category. ECQ has exploited Null Pointer Dereference vulnerability to attack denial of service (denial-of-service). DOS vulnerabilities are important because ICS products emphasize system availability.

Coming to the second target the next day, the Triangle Microworks SCADA Data Gateway under the Data Gateway category, ECQ combined a chain of three vulnerabilities to complete a Remote Code Execution attack. The team succeeded in executing arbitrary code on the server where the application was installed.

Sharing about this year’s Pwn2Own competition, Mr. Nguyen Hai Dang – Director of ECQ Vietnam said: “Pwn2Own is a large and famous security competition worldwide. With the theme of industrial networking (ICS/SCADA) challenging. With knowledge, ECQ team had the opportunity to practice and gain more practical experience, I am very proud of the achievements you have achieved in the competition and am very honored to work with you. ”

Khai thác lỗ hổng mạng công nghiệp, nhóm kỹ sư Việt đạt thành tích ấn tượng tại Pwn2Own - Ảnh 2.

Final results Pwn2Own Miami 2023. Source: Trend Micro

It is known that this is not the first time ECQ has participated in a security competition in the field of industrial networks. In 2019, ECQ and SkillSpar participated in the “Cybersecurity Industry Call for Innovation” organized by the Cybersecurity Authority of Singapore (CSA) and successfully received a prize of 500,000 VND. SGD for the initiative APT Attack Simulation and Remediation (Automated Attack Simulation and Remediation) for ICS/SCADA.

About E-Cqurity Vietnam Co., Ltd (ECQ)

ECQ is a cybersecurity company that provides offensive security solutions and services with a focus on proactive attack and defense. Since its inception, ECQ has provided premium security consulting services to clients in a variety of industries, including the financial sector, critical infrastructure, service providers.

Website: https://e-cq.net

Share the news now

Source : Genk