Toronto Pwn2Own contest awards close to $1 million in prizes, and more.
Welcome to Cyber Security Today. It’s Friday, December 9th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
The Toronto edition of the Pwn2Own hacking contest ends today. As of the recording of this podcast on Thursday afternoon, individuals and teams had won almost US$800,000 in cash prizes, with the expectation that more than US$1 million might be awarded by the time the event ends.
UPDATE: The total had risen to US$934,750 by the end of Thursday.
The contest is organized by Trend Micro, and 26 entrants from as far away as South Korea participated. They are trying to show zero-day exploits against home and small office printers, routers and a smartphone. One of the biggest prizes, US$60,000, went to a team that used two bugs against a wireless speaker. Another team earned US$37,500 for using a unique bug to crack a printer connected to a router. Hardware and software manufacturers learn where vulnerabilities are in their products from hacking contests like this. The next Pwn2Own contest will be held in Miami in February.
In October I told you about a cyber attack on a U.S. hospital chain called CommonSpirit. This was a ransomware attack. The company has now said the personal data of over 623,000 persons was copied by the attackers, including names, dates of birth, addresses and phone numbers.
Attention IT administrators: If you haven’t yet moved off Internet Explorer, heed this warning from Google: North Korea-based hackers are still exploiting this browser’s holes. The latest example was a zero-day vulnerability found in the browser and launched against Windows systems by hiding in a Microsoft Office document. It was used to target people in South Korea. The lure was an old tactic, claiming the attached document had news about a local tragedy. The attackers hoped victims would be interested and turn off a document warning.
Microsoft 365 has email security features, but sometimes they can be defeated by cunning attackers. This week researchers at Armorblox outlined an example. The lure was a message with the subject line ‘Please find invoice attached.’ That, of course, would tempt some employees to open the attachment. It had a message that looked like it came from Microsoft saying the user was being taken to their organization’s login page. Behind the scenes, though, malware was being installed on their computer. Employees need to be warned about opening attachments, especially ones that start: ‘Dear Sir or Madam.’
Finally, web application firewalls from five major manufacturers, including Palo Alto Networks, Amazon Web Services, Cloudflare, F5 and Imperva, had a generic vulnerability that could have allowed an attacker to bypass traffic scanning. That’s according to researchers at Claroty, who developed an attack technique against the firewalls’ SQL database. Briefly, while modern SQL databases support the JSON file and data exchange format, the databases in many web application firewalls don’t. So using JSON syntax the older databases can be fooled. While the five manufacturers have plugged this hole, the worry is products from other companies may be at risk. IT administrators and product manufacturers should make sure they’re running modern versions of security tools.
That’s it for now. But later today the Week in Review edition will be available. Guest Terry Cutler of Montreal’s Cyology Labs will join me to discuss the hack at Amnesty International Canada, the ransomware attack on Rackspace and how attackers are trying to compromise multifactor authentication.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.