
Hackers earn $400,000 for zero-day ICS exploits featured at Pwn2Own



Sergio Gatlan


Pwn2Own Miami 2022 ended with competitors winning $400,000 for 26 zero-day exploits (and several bug collisions) targeting ICS and SCADA products demonstrated during the competition, which ran from the 19th to the 21st.




Security researchers targeted multiple product categories: Control Server, OPC Unified Architecture (OPC UA), Data Gateway, and Human Machine Interface (HMI).




Trend Micro's Zero Day Initiative (ZDI) said today, "Thank you once more to all the competitors who participated. We could not run a contest without them."




"Thanks also to the collaborating vendors for their cooperation and for providing fixes for the bugs that were disclosed throughout the competition."




After vulnerabilities are reported at Pwn2Own, vendors are given 120 days to release patches before ZDI publicly discloses them.






The winners were awarded $90,000


The winners of the Pwn2Own Miami 2022 event are Daan Keuper (@daankeuper) and Thijs Alkemade (xnyhps) from Computest Sector 7 (@Sector7_nl).




During the first day, they earned $20,000 after executing code on the Inductive Automation Ignition SCADA control server solution using a missing authentication vulnerability.




On the same day, they used an uncontrolled search path vulnerability to get remote code execution (RCE) in AVEVA Edge HMI/SCADA software and received $20,000 for their efforts.


They also used an infinite loop condition to trigger a DoS state against the Unified Automation C++ Demo Server and earn $5,000.




Last but not least, on the second day of Pwn2Own Miami 2022, the team bypassed the trusted application check of the OPC Foundation OPC UA .NET Standard and added $40,000 to their prize balance.




They won the Master of Pwn title after earning a total of $90,000 throughout the three days of the competition and taking first place on the leaderboard with a total of 90 points.






Pwn2Own Miami 2022 (ZDI) Results


This year's Pwn2Own Miami took place in person at the S4 conference in Miami South Beach and also allowed remote participation.




During the first edition of the ICS-themed Pwn2Own Miami, which was held in January 2020, ZDI awarded $280,000 for 24 unique zero-day vulnerabilities in ICS and SCADA products.




You can see a recording of the Computest Sector 7 team (@Sector7_nl) targeting the OPC Foundation OPC UA .NET Standard below.




ZDI described the exploit used in their attempt as "one of the most exciting bugs we've ever seen in Pwn2Own."
