Pwn2Own is a competition organized by the Zero Day Initiative, where Pwn2Own participants earn points for each successful hack to compete for prizes and the title of overall winner. On the first day of the competition, the Synacktiv team from France, successfully executed a TOCTOU attack on Tesla Gateway. As a result, they won $100,000, 10 Master of Pwn points and a Tesla Model 3.

On the second day of the competition, the Synacktiv team again breached the Tesla, using heap overflows and OOB writes to exploit the infotainment system on the Tesla. The team won a Tier 2 award, $250,000 and 25 Master of Pwn points.

Tesla’s security response team was on hand to verify the hackers’ findings and expects to fix the vulnerabilities with an OTA update.

Synacktiv not only breached Tesla at the contest, but also Windows 11, for which they received $30,000. In the end, they took half of the total prize money, totaling $530,000 (currently about 3,641,000 RMB).

The post Pwn2Own Hacker Breaks Tesla Twice, Wins $350,000 and a Tesla Model 3 appeared first on TechGoing.

Speculation on Initial Access Methods for Vulnerability Exploits

As Palo Alto Networks mentioned in a featured blog post, system administrators will have to be on their toes as threat actors race to exploit vulnerabilities before they are patched.

To make matters worse, because vulnerability scanning does not require a high level of skill, lower-level attackers can easily sift through vulnerable endpoints on the Internet and sell valuable findings on the dark web market for profit.

"In CVE-2022-1388, for example, Unit 42 notes that this is a remote command execution vulnerability that severely affects F5 BIG-IP products and is unauthenticated.

The vulnerability was disclosed on May 4, 2022, but ten hours after the CVE bulletin was published, they had logged 2552 endpoint scans and exploit attempts."

Second, the report notes that “ProxyShell” was the most touched vulnerability chain in the first half of 2022 (specifically CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), accounting for 55 percent of the total exploit incidents.

Log4Shell followed with 14 percent, various SonicWall CVEs accounted for 7 percent, ProxyLogon for 5 percent, and a remote code execution (RCE) vulnerability in Zoho ManageEngine ADSelfService Plus for 3 percent.

Vulnerability Exploitation Ranking

Statistics show that flaws that are semi-old (as opposed to up-to-date) are most likely to be exploited by attackers. This happens for a number of reasons, including but not limited to the size of the attack surface, the complexity of the exploit, and the practical impact it can have.

With this in mind, Palo Alto Networks recommends that administrators deploy security updates as soon as possible to better prevent systems from becoming victims of vulnerability exploitation in the early stages of zero-day / CVE bulletin releases.

"In addition, Unit 42 reports that the method of exploiting software vulnerabilities for initial cyber disruption accounts for only about 1/3 of cases.

Phishing remains the preferred option for many attackers in 37 percent of cases. In another 15 percent of cases, hackers also use compromised credentials, or brute force cracking to break into networks.

And social engineering tricks against privileged employees, or bribing rogue insiders, also account for about 10% of all breach attack response incidents."

Given the considerable pressure already on systems/network/security management professionals, the report recommends that organizations keep devices as far away from the Internet as possible.

In addition to limiting access to servers through virtual private networks (or other secure gateways) to reduce risk, non-essential public ports and services must be blocked as much as possible.

Finally, it is better to get into the habit of diligently deploying security updates. Although the rapid deployment of critical updates will result in some time of business interruption, it is better than facing a situation that is difficult to remedy after a full-scale cyber attack.

The post Report warns hackers will try to scan and exploit vulnerabilities within 15 minutes of CVE bulletin disclosure appeared first on TechGoing.

The researchers who discovered the vulnerability used relevant equipment to recreate the scenario, and the vehicles alleged to have this security flaw include Honda Civic 2012, Honda X-RV 2018, Honda C-RV 2020, Honda Accord 2020/2021, Honda Odyssey 2020, Honda Insignia 2021, Honda Fit 2022, Honda Civic 2022, Honda VE-1 2022, Honda Haoying 2022.

In response to this matter, the relevant person in charge of Honda China responded, “We have paid attention to the reports and confirmed that the vulnerabilities identified in the reports can indeed be used to gain vehicle access by simulating remote keyless commands using sophisticated tools and technical means.”

“But even if technically feasible, this particular attack requires close proximity to the vehicle and captures the RF signal sent to the car by the wireless key several times in succession, and even if the door can be opened, the smart key cannot drive away the vehicle if it is not in the car.”

The person in charge also said, “When launching new products, Honda is also committed to regularly improving the security of the vehicle to prevent such or similar situations.”

The post Honda responds that some models can be remotely started by hackers: it can be done, but it can’t be driven appeared first on TechGoing.