Big brands targeted Pwn2own | cyberattack on Indian Space Agency ISRO
cyberattack on Indian Space Agency ISRO
cyberattack on Indian Space Agency ISRO

While Amazon, Xiaomi, Samsung, Sony and TP-Link were attacked for money by white hat hackers in an exciting Pwn2own contest, North Korean black hat hackers are suspected to have attacked Indian Space Research Organisation (ISRO) and affected India’s Chandrayaan-2 mission.

Let’s talk about ISRO first.

Why North Korea is after India

Recently North Korean Lazarus group had targeted India’s largest nuclear power plant with a critical malware and now in less than four weeks, it is being said that North Korean hackers had also launched a cyber attack on India’s space agency which could have led to the failed Chandrayaan-2 moon landing.

The news is that users at ISRO were targeted via phishing emails that dropped malware on their systems while the space agency has commented that none of their systems were affected. It is highly possible that that the same Lazarus group is behind this attack with one of the aims of gaining intelligence regarding Thorium based nuclear power for North Korea.

Who got hacked at Pwn2Own Tokyo 2019

Coming to the other news.
Pwn2own is a bi-annual hacking contest organised on an international scale that invites white hat hackers from all over the world to try their hands on certain devices in exchange for lucrative prizes. The competition is the best hacking event in the world and is supported by many technology giants as their devices get tested by some of the best hackers in the world.

Hackers pick their targets from a prepared list, that they think they can take down, and if successful, earn reward money and points. This year Facebook Portal, Google Home, Google Nest Hub, Apple watch and iPhone, among a few others were able to save themselves from being targeted.

Televisions and smart home devices exploited

  • Samsung Q60 was hacked to obtain a reverse shell using an integer overflow in Javascript.
  • Sony X800G’s web browser was hacked to obtain a bind shell using a Javascript bug.
  • Amazon Echo was attacked using an integer overflow vulnerability in Javascript and hackers were able to exercise complete control of the smart home device.

Routers exploited

  • NETGEAR Nighthawk Smart WiFi Router R6700 was found vulnerable to authentication bypass and buffer overflow attack. Hackers were able to modify its permanent software and obtain a shell. What’s more? The payload they dropped on the router did not vanish even after factor resetting the device!

 

  • TP-Link AC1750 Smart WiFi Router was successfully attacked taking advantage of bugs that allowed for command injection and enabled remote code execution.
    Another team hacked the same router to get remote code execution using a stack overflow and a logic bug.
    Uh…uh..it isn’t over. Yet another team was able to exploit the command injection vulnerability and get remote code execution through the WAN interface card that the router uses to transmit data.

Mobile Phones exploited

  • Xiaomi Mi9 was also successfully targeted by contestants using an attack called Cross Site Scripting (XSS). Apparently, an attacker could simply touch the NFC tag to exfiltrate data from the phone. Recently NFC feature was found to possess a fatal flaw that could pave a way for malware to enter the device.
    Not only that, a second team was also able to exfiltrate an image from the phone model using a Javascript vulnerability.
  • Samsung Galaxy S10 was found to be susceptible to attacks in Short Distance as well as Baseband category. Teams were able to perform a stack overflow and integer overflow attack with a Use-After-Free vulnerability. Hackers could even exploit a JavaScript bug to obtain data through NFC (Near Field Communication) feature.

Two-time reigning champions Richard Zhu and Amat Cama from Team Fluoroacetate bagged their title once again this year with 18.5 points and $195,000.

champions Richard Zhu and Amat Cama
Master of Pwn winners Richard Zhu and Amat Cama of Team Fluoroacetate

Overall, over $315,000 was distributed as prize money to various teams who successfully addressed bugs in devices. The bug reports were send to companies who will be working on fixes to strengthen the security of their machines.

We suggest that if you own any of these devices, you should keep an eye out for security updates and install them as soon as they are rolled out. Comment your thoughts and views below and share this mysterious dual hacking news with your circle.

Stay tuned, stay safe.

0 Comments

Leave a reply

Your email address will not be published. Required fields are marked *

*

©2020 Tech Brewery. All Rights Reserved. Website By Amagraphs.

Log in with your credentials

or    

Forgot your details?

Create Account