Security Affairs
US and allied Governments’ Recommendations: Securing Network Devices Against Russian APT Groups|Chaotic Eclipse Unveils LegacyHive Exploit Affecting Fully Patched Windows Systems|AsyncAPI npm Supply Chain Attack: Malware Injected Into Packages With 2 Million Weekly Downloads|U.S. CISA adds SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities catalog|SonicWall warns of active exploitation of two SMA 1000 zero-days|Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper|Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach|U.S. CISA adds a Cisco IOS flaw to its Known Exploited Vulnerabilities catalog|US and allied Governments’ Recommendations: Securing Network Devices Against Russian APT Groups|Chaotic Eclipse Unveils LegacyHive Exploit Affecting Fully Patched Windows Systems|AsyncAPI npm Supply Chain Attack: Malware Injected Into Packages With 2 Million Weekly Downloads|U.S. CISA adds SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities catalog|SonicWall warns of active exploitation of two SMA 1000 zero-days|Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper|Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach|U.S. CISA adds a Cisco IOS flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Pwn2Own Vancouver 2023 Day 2: Microsoft Teams, Oracle VirtualBox, and Tesla hacked

On the second day of Pwn2Own Vancouver 2023, the organization awarded $475,000 for 10 unique zero-day vulnerabilities. On the second day of Pwn2Own Vancouver 2023, the organization awarded $475,000 for 10 unique zero-day vulnerabilities, bringing the total awarded to $850,000! The bug hunters demonstrated zero-day attacks against the Oracle VirtualBox virtualization platform, Microsoft Teams, Tesla […]

Pwn2Own Vancouver 2023

On the second day of Pwn2Own Vancouver 2023, the organization awarded $475,000 for 10 unique zero-day vulnerabilities.

On the second day of Pwn2Own Vancouver 2023, the organization awarded $475,000 for 10 unique zero-day vulnerabilities, bringing the total awarded to $850,000!

The bug hunters demonstrated zero-day attacks against the Oracle VirtualBox virtualization platform, Microsoft Teams, Tesla Model 3, and the Ubuntu Desktop OS.

The day began with the success/collision achieved by Thomas Imbert (@masthoon) and Thomas Bouzerar (@MajorTomSec) from Synacktiv (@Synacktiv) demonstrating a 3-bug chain against Oracle VirtualBox with a Host EoP. The success was classified as a “collision” because one of the bugs exploited in the attack was previously known. The due earned $80,000 and 8 Master of Pwn points.

The researchers @hoangnx99@rskvp93, and @_q5ca from Team Viettel (@vcslab) chained 2 vulnerabilities to hack Microsoft Teams. They earn $75,000 and 8 Master of Pwn points.

Of course, the most interesting attack was conducted by David Berard (@_p0ly_) and Vincent Dehors (@vdehors) from Synacktiv (@Synacktiv) who exploited a heap overflow and an OOB write to hack Tesla – Infotainment Unconfined Root. They qualify for a Tier 2 award, earning $250,000 and 25 Master of Pwn points. The team also won the Tesla Model 3 they have hacked.

Pwn2Own Vancouver 2023

The researcher dungdm (@_piers2) of Team Viettel (@vcslab) exploited an uninitialized variable and a UAF bug to hack Oracle VirtualBox. He earned $40,000 and 4 Master of Pwn points.

Tanguy Dubroca (@SidewayRE) from Synacktiv was awarded $30,000 for demonstrating the exploitation of an incorrect pointer scaling zero-day leading to privilege escalation on Ubuntu Desktop. They earn $30,000 and 3 Master of Pwn points.

“That wraps up Day 2 of Pwn2Own Vancouver 2023! We awarded $475,000 for 10 unique zero-days during the second day of the contest. We’ll continue posting results and videos to Twitter, YouTube, Mastodon, LinkedIn, and Instagram, so follow us on your favorite flavor of social media for the latest news from the event.” concludes the post published ZDI.

On the first day of Pwn2Own Vancouver 2023, the organization awarded $375,000 (and a Tesla Model 3) for 12 zero-day flaws.

The Pwn2Own Vancouver 2023 continues … stay tuned!

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Pwn2Own Vancouver 2023)