Security News

A researcher has made public a proof-of-concept exploit for a recently discovered vulnerability affecting Chrome, Edge and other Chromium-based web browsers. On April 7, at the Pwn2Own 2021 hacking competition, Bruno Keith and Niklas Baumstark of Dataflow Security earned $100,000 for a remote code execution exploit that works against web browsers that are based on Google's open source Chromium project.

An Indian security researcher has publicly published a proof-of-concept exploit code for a newly discovered flaw impacting Google Chrome and other Chromium-based browsers like Microsoft Edge, Opera, and Brave. Released by Rajvardhan Agarwal, the working exploit concerns a remote code execution vulnerability in the V8 JavaScript rendering engine that powers the web browsers.

Unpatched Fortinet VPN devices are being targeted in a series of attacks against industrial enterprises in Europe to deploy a new strain of ransomware called "Cring" inside corporate networks. "Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the targeted organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage," said Vyacheslav Kopeytsev, a security researcher at Kaspersky ICS CERT. The disclosure comes days after the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency warned of advanced persistent threat actors actively scanning for Fortinet SSL VPN appliances vulnerable to CVE-2018-13379, among others.

Exploit acquisition company Zerodium announced last week that it's temporarily offering $300,000 for high-impact WordPress exploits. The company typically offers $100,000 for WordPress RCE exploits, the same amount as for Webmin, Plesk, and cPanel/WHM exploits.

Zerodium has announced today an increased interest in exploits for the WordPress content management system that achieve remote code execution. The exploit acquisition platform is now enticing exploit developers and sellers with a $300,000 payout, three times more than the regular price.

Pwn2Own 2021 ended with contestants earning a record $1,210,000 for exploits and exploits chains demoed over the course of three days. The total prize pool for Pwn2Own 2021 was over $1,500,000 in cash and included a Tesla Model 3.

The Pwn2Own 2021 hacking competition has come to an end, with participants earning more than $1.2 million - more than ever paid out at the event - for exploits in the browser, virtualization, server, local privilege escalation, and enterprise communications categories. The highest rewards were paid out to team Devcore for an Exchange server exploit, a researcher named OV for a Microsoft Teams exploit, and Daan Keuper and Thijs Alkemade from Computest for a zero-click Zoom exploit.

"In at least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted," Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report. One of those bugs, is CVE-2018-13379, a path-traversal flaw in Fortinet FortiOS. The vulnerability is tied to system's SSL VPN web portal and allows an unauthenticated attacker to download system files of targeted systems via a specially crafted HTTP resource requests.

Two researchers earned $200,000 on the second day of the Pwn2Own 2021 hacking competition for a Zoom exploit allowing remote code execution without user interaction. Also on the second day of Pwn2Own 2021, Bruno Keith and Niklas Baumstark of Dataflow Security earned $100,000 for an exploit that works both on the Chrome and Microsoft Edge web browsers.

Q4 2020 also brought a 41% increase in encrypted malware detections over the previous quarter and network attacks hit their highest levels since 2018. "The attacks are coming on all fronts, as cybercriminals increasingly leverage fileless malware, cryptominers, encrypted attacks and more, and target users both at remote locations as well as corporate assets behind the traditional network perimeter. Effective security today means prioritising endpoint detection and response, network defences and foundational precautions such as security awareness training and strict patch management."