#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Pwn2own | Breaking Cybersecurity News | The Hacker News

Act Now: CISA Flags Active Exploitation of Microsoft SharePoint Vulnerability

Act Now: CISA Flags Active Exploitation of Microsoft SharePoint Vulnerability

Jan 12, 2024 Cyber Attack / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has  added  a critical security vulnerability impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The issue, tracked as  CVE-2023-29357  (CVSS score: 9.8), is a privilege escalation flaw that could be exploited by an attacker to gain administrator privileges. Microsoft  released patches  for the bug as part of its June 2023 Patch Tuesday updates. "An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user," Redmond said. "The attacker needs no privileges nor does the user need to perform any action." Security researcher Nguyễn Tiến Giang (Jang) of StarLabs SG  demonstrated an exploit  for the flaw at the Pwn2Own Vancouver hacking contest last year, earning a $100,000 prize. The  pr
Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers

Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers

May 30, 2023 Zero Day / Vulnerability
Multiple security flaws uncovered in Sonos One wireless speakers could be potentially exploited to achieve information disclosure and remote code execution, the Zero Day Initiative (ZDI)  said  in a report published last week. The vulnerabilities were demonstrated by three different teams from Qrious Secure, STAR Labs, and DEVCORE at the Pwn2Own hacking contest held in Toronto late last year, netting them $105,000 in monetary rewards. The list of four flaws, which impact Sonos One Speaker 70.3-35220, is below - CVE-2023-27352  and  CVE-2023-27355  (CVSS scores: 8.8)  - Unauthenticated flaws that allow network-adjacent attackers to execute arbitrary code on affected installations. CVE-2023-27353  and  CVE-2023-27354  (CVSS score: 6.5)  - Unauthenticated flaws that allow network-adjacent attackers to disclose sensitive information on affected installations. While CVE-2023-27352 stems from when processing SMB directory query commands, CVE-2023-27355 exists within the MPEG-TS pars
How to Achieve the Best Risk-Based Alerting (Bye-Bye SIEM)

How to Achieve the Best Risk-Based Alerting (Bye-Bye SIEM)

Feb 19, 2024Network Detection and Response
Did you know that Network Detection and Response (NDR) has become the most effective technology to detect cyber threats? In contrast to SIEM, NDR offers adaptive cybersecurity with reduced false alerts and efficient threat response. Are you aware of  Network Detection and Response (NDR)  and how it's become the most effective technology to detect cyber threats?  NDR massively upgrades your security through risk-based alerting, prioritizing alerts based on the potential risk to your organization's systems and data. How? Well, NDR's real-time analysis, machine learning, and threat intelligence provide immediate detection, reducing alert fatigue and enabling better decision-making. In contrast to SIEM, NDR offers adaptive cybersecurity with reduced false positives and efficient threat response. Why Use Risk-Based Alerting? Risk-based alerting is an approach where security alerts and responses are prioritized based on the level of risk they pose to an organization's system
Windows, Ubuntu, Zoom, Safari, MS Exchange Hacked at Pwn2Own 2021

Windows, Ubuntu, Zoom, Safari, MS Exchange Hacked at Pwn2Own 2021

Apr 12, 2021
The 2021 spring edition of  Pwn2Own  hacking contest concluded last week on April 8 with a three-way tie between Team Devcore, OV, and Computest researchers Daan Keuper and Thijs Alkemade. A total of $1.2 million was awarded for 16 high-profile exploits over the course of the three-day virtual event organized by the Zero Day Initiative (ZDI). Targets with successful attempts included Zoom, Apple Safari, Microsoft Exchange, Microsoft Teams, Parallels Desktop, Windows 10, and Ubuntu Desktop operating systems. Some of the major highlights are as follows — Using an authentication bypass and a local privilege escalation to completely take over a Microsoft Exchange server, for which the Devcore team netted $200,000 Chaining a pair of bugs to achieve code execution in Microsoft Teams, earning researcher OV $200,000 A zero-click exploit targeting Zoom that employed a three-bug chain to exploit the messenger app and gain code execution on the target system. ($200,000) The exploitation
cyber security

Are You Vulnerable to Third-Party Breaches Through Interconnected SaaS Apps?

websiteWing SecuritySaaS Security / Risk Management
Protect against cascading risks by identifying and mitigating app2app and third-party SaaS vulnerabilities.
Chrome, Firefox, Safari and IE – All Browsers Hacked at Pwn2Own Competition

Chrome, Firefox, Safari and IE – All Browsers Hacked at Pwn2Own Competition

Mar 22, 2015
The Annual Pwn2Own Hacking Competition  2015 held in Vancouver is over and participants from all over the world nabbed $557,500 in bug bounties for 21 critical bugs in top four web browsers as well as Windows OS, Adobe Reader and Adobe Flash. During the second and final day of this year's hacking contest, the latest version of all the four major browsers including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, were compromised by the two security researchers. Sponsored by HP's Zero Day Initiative program, the Pwn2Own Hacking Competition ran two days at a security conference in Vancouver, Canada. The final highlights for Pwn2Own 2015 are quite impressive: 5 bugs in the Windows operating system 4 bugs in Internet Explorer 11 3 bugs in Mozilla Firefox 3 bugs in Adobe Reader 3 bugs in Adobe Flash 2 bugs in Apple Safari 1 bug in Google Chrome $557,500 USD bounty paid out to researchers The star of the show was South Korean secur
Exploit-Selling Firm Kept Internet Explorer Zero-Day Vulnerability Hidden for 3 Years

Exploit-Selling Firm Kept Internet Explorer Zero-Day Vulnerability Hidden for 3 Years

Jul 24, 2014
A French information security company VUPEN has recently disclosed that it held onto a serious Internet Explorer (IE) vulnerability for at least three years before revealing it at the Pwn2Own hacker competition held in March this year. The critical zero-day vulnerability affected versions 8, 9, 10 and 11 of Internet Explorer browser that allowed attackers to remotely bypass the IE Protected Mode sandbox. An attacker can exploit this issue to gain elevated privileges. VULNERABILITY DISCLOSURE TIMELINE According to a disclosure made by the security company last week, the vulnerability with ID  CVE-2014-2777  was discovered by the company on 12 February 2011, which was  patched by Microsoft  last month. 12 February 2011 - IE Zero-day discovered by Vupen. 13 March 2014 - Vupen reported to Microsoft. 11 June 2014 - Microsoft Released patch and publicly released the advisory . Sandbox is security mechanism used to run an application in a restricted environment. If an attacker is ab
The Keen Team - Chinese Hacker Group Reveals their Identities

The Keen Team - Chinese Hacker Group Reveals their Identities

Apr 17, 2014
The Keen Team – a mysterious group of Chinese hackers who hacked Apple's Safari Mac OS X Mavericks system in just 20 seconds and Windows 8.1. Adobe Flash in only 15 seconds during Pwn2Own Hacking Competition this year, are no more mysterious as the team revealed its members identity. In an interview with a Chinese newspaper on this 13 April, the key member of the Keen team and co-founder as well as chief operating officer of the team's Shanghai-based parent company, Lv Yiping said half of his team members are the top scoring students in the national college entrance examination, half of them are majored in mathematics, and half are from Microsoft. He also added that the team's eight core members are the top hackers in the country. The Kean team is the first Chinese hackers group to have won the prestigious title at the world hacking contest held in Vancouver this year in March. Back in 2013, they also took part in the Mobile Pwn2Own contest held in Tokyo and succe
Update Your Safari Browser to Patch Two Dozen of Critical Vulnerabilities

Update Your Safari Browser to Patch Two Dozen of Critical Vulnerabilities

Apr 03, 2014
So, is your Safari Web Browser Updated?? Make sure you have the latest web browser updated for your Apple Macintosh systems, as Apple released Safari 6.1.3 and Safari 7.0.3 with new security updates. These Security updates addresses multiple vulnerabilities in its Safari web browser, which has always been the standard browser for Mac users. This times not five or ten, in fact about two dozen. Apple issued a security update to patch a total of 27 vulnerabilities in Safari web browser, including the one which was highlighted at Pwn2Own 2014 hacking competition. The available updates replace the browser running OSX 10.7 and 10.8 with the latest versions of browser 6.1.3, and OSX 10.9 with 7.0.3. Among the 27 vulnerabilities, the most remarkable vulnerability addressed in the update is CVE-2014-1303 , a heap-based buffer overflow that can be remotely exploited and could lead to bypass a sandbox protection mechanism via unspecified vector. This vulnerability is
Samsung Galaxy S4 and iPhone 5 zero-day exploits revealed at Pwn2Own 2013 Contest

Samsung Galaxy S4 and iPhone 5 zero-day exploits revealed at Pwn2Own 2013 Contest

Nov 14, 2013
At Information Security Conference PacSec 2013 in Tokyo, Apple's Safari browser for the iPhone 5 and the Samsung Galaxy S4 have been exploited by two teams of Japanese and Chinese white hat hackers. In HP's Pwn2Own 2013 contest , Japanese squad Team MBSD, of Mitsui Bussan Secure Directions won won $40,000 reward for zero day exploit for hacking Samsung Galaxy S4. The vulnerabilities allow the attacker to wholly compromise the device in several ways, such as using a drive-by download to install malware on the phone. In order for the exploit to be successful, the group lured a user to a malicious website, gained system-level privileges and installed applications that allowed the team to gather information, including SMS messages, contacts and browsing history. They  Another Hackers Team from Keen Cloud Tech in China showed how to exploit a vulnerability in iOS version 7.0.3 to steal Facebook login credentials and a photo from a device running iOS 6.1.4. They wo
It's Patch Tuesday, Microsoft rolling out Critical security updates

It's Patch Tuesday, Microsoft rolling out Critical security updates

Mar 11, 2013
It's Microsoft Patch Tuesday, and time of the month in which we gather round, hold hands, and see just how much of Microsoft's software needs patching. Prepare your systems, Microsoft is expected to issue seven bulletins affecting all versions of its Windows operating system (OS), some Office components and also Mac OS X, through Silverlight and Office and 4 out of 7 are critical patches. Critical :  The first bulletin will address a remote code execution vulnerability affecting Windows and Internet Explorer. Critical : The second bulletin addresses a remote code execution vulnerability affecting Microsoft Silverlight. Critical :  The third bulletin addresses a remote code execution vulnerability affecting Office. The fourth security bulletin addresses a critical elevation of privilege vulnerability affecting both the Office and Server suites. Important : The fifth and sixth security bulletins address an information disclosure vulnerability affecting Microsoft Off
Chrome, Firefox, Java, IE10 exploited at Pwn2Own competition

Chrome, Firefox, Java, IE10 exploited at Pwn2Own competition

Mar 07, 2013
During the first day of Pwn2Own competition at the CanSecWest conference in Vancouver , latest versions of all major browsers were exploited by hackers.  Chrome, Firefox and Internet Explorer 10 on Windows 8 were successfully pwned by various competitors, bringing them tens of thousands of dollars in prizes.  French vulnerability research and bug selling firm ' Vupen ' brought down IE10 running on a Windows 8 powered Surface Pro tablet by exploiting a pair of flaws. Researchers Jon Butler and Nils from MWR Labs managed to exploit Google Chrome on Windows 7 and also used a kernel bug to bypass the sandbox. " By visiting a malicious webpage, it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process. We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privi
‘Pinkie Pie’ discovered second Chrome exploit worth $60k at Pwnium 2

'Pinkie Pie' discovered second Chrome exploit worth $60k at Pwnium 2

Oct 10, 2012
Hacker known as " Pinkie Pie " produced the first Chrome vulnerability at the Hack In the Box conference on Wednesday, just ahead of the deadline for the competition this afternoon. The exploit, if later confirmed by Google's US headquarters, will have earned the teenage hacker known as Pinkie Pie the top US$60,000 cash reward. In March, Pinkie Pie and Sergey Glazunov both won $60,000 for their exploits at the first Pwnium competition. Google established the Pwnium competition as an alternative to the Pwn2own contest in order to add the requirement that participants provide details of their exploit. Google will give away up to a total of US$2 million during the event. $60,000 - "Full Chrome exploit": Chrome / Win7 local OS user account persistence using only bugs in Chrome itself. $40,000 - "Partial Chrome exploit": Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows
Cybersecurity Resources