Search This Blog

Showing posts with label Pwn2Own 2021. Show all posts

Zoom Security Flaw: Now Hackers Can Take Control Of Your PC, Wait For Patch

 


Zoom security issues were lately troubling users worldwide, very often so. The Zoom video conferencing app was not in the limelight before the ongoing pandemic, however, since the inception of Covid-19, a lot has changed along with the ways of living, this was also the time when Zoom App underwent some regulatory security measures, owing to the suddenly enhanced reputation enjoyed by the app, as the work from home was necessitated by the pandemic. 

However, as of now, it is being observed that the security measures that had been taken a year ago are failing to secure users' data from threat actors.

Cybercriminals exploited a vulnerability and undertook a distant code execution (RCE) assault to take management of host PCs. The two Computest cyber safety intelligence observed the vulnerability on the Pwn2Own 2021 competition, organized by the Zero Day Initiative. The two Computest researchers Daan Keuter and Thijs Alkemade were awarded $200,000 for their findings. 

How does This work? 


Foremostly, the hacker has to be a part of the same organizational domain as the host PC’s user has to get permission from the host to join the meeting; When the attackers become part of a meeting, they will be able to execute a chain of three malware that will install an RCE backdoor on the victim’s PC. 

It can also be understood as — the threat actors can get access to your PC, and simultaneously will able to be able to implement remote commands that will then give access to your sensitive data.

Besides, what is even dangerous here is that the hackers can run their operations without the victim being required to do anything, therefore it is very essential to add more layers of security measures that can slow down the future operations of the attackers. 

The aforementioned operation runs on Mac, Windows, but on Zoom’s iOS and Android apps, it has not been checked yet. Notably, the browser version is safe. 

Currently, Zoom is yet to take measures, and the technical details of the attack have not been reported to the public, yet. Reportedly, the patch will arrive on Zoom for Mac and Windows within the next 90 days. 

Pwn2Own 2021 Will Also Cover Zoom, MS Teams Exploits

 

Trend Micro's Zero Day Initiative (ZDI) on Tuesday announced the targets, prizes, and rules for the Pwn2Own Vancouver 2021 hacking competition. Pwn2Own Vancouver ordinarily happens during the CanSecWest conference in Vancouver, Canada, but because of the Covid pandemic, the current year's occasion will be hybrid — members can present their exploits remotely and ZDI staff in Toronto (Canada) and Austin (Texas) will run the exploits. The attempts will be live-streamed on YouTube and Twitch.

The prize pool for Pwn2Own 2021 surpasses $1.5 million in cash and other prizes, including a Tesla Model 3. The vehicle is being offered to individuals who take an interest in the automotive category. In this category, in addition to the vehicle, hackers can procure up to $600,000 for hacking a Tesla. There are three difficulty levels in this category and the Model 3 is being offered in every one of them. 

ZDI has likewise declared another category for the forthcoming occasion. As a feature of the new enterprise communications category, participants can acquire up to $200,000 for demonstrating exploits against Zoom or Microsoft Teams. “As the workforce moves out of the office and goes remote, the tools needed to support that change become greater targets. That’s one reason we added this new category and teamed up with Zoom to have them in the contest. Microsoft Teams will also be a target. A successful demonstration of an exploit in either of these products will earn the contestant $200,000 – quite the payout for a new category,” reads the announcement published by ZDI. “A successful attempt in this category must compromise the target application by communicating with the contestant. Example communication requests could be audio call, video conference, or message,” ZDI said. 

Different categories incorporate virtualization, with a top prize of $250,000 for Microsoft Hyper-V client exploits, an internet browser category, with a top prize of $150,000 for Chrome and Edge exploits, an enterprise application category, with the greatest prize of $100,000 for Microsoft 365 exploits, a server category, with up to $200,000 offered for Microsoft Exchange and Windows RDP exploits, and a local privilege escalation category, with $40,000 being the top prize for Windows 10 exploits.