Keanna Grelicha, Seif Harrasy, Marina Tovar, Lydia Baccino, Alison Ward, Paige Biebas, Gioia Torchia
Deepankar Patil, Editor; Claudia Santillan-Vazquez, Senior Editor
January 2, 2023
Zero-Day Kill Chain[1]
Geographical Area | Global
Countries/Enterprises Affected | Global
PWN2OWN, Zero Day Initiative’s (ZDI) annual hacking competition, included 26 teams and security researchers that targeted multiple vendors, like Canon, NETGEAR, and Samsung, from December 6 to 9 and exposed 63 zero-day vulnerabilities.[2] The contestants targeted mobile phones, home automation hubs, printers, wireless routers, network-attached storage, and smart speakers, winning $989,750 in prizes.[3] Security researchers exploited vulnerabilities in Samsung’s Galaxy S22 phone for three days of the competition, with the shortest exploit taking 55 seconds.[4] The targeted vendors have 120 days to release patches for these flaws before ZDI publicly releases the vulnerabilities.[5] Malicious hackers will likely target the networks of vendors whose vulnerabilities have been discovered at the hacking competition, and contestants will likely expose vulnerabilities unofficially. The public exposure of these flaws will very likely exacerbate the risk of malicious hackers rewriting code and corrupting data. The access of network data from these vulnerabilities will very likely allow malicious hackers to implement backdoors and further exploit the network by stealing data or holding it for ransom.
Security Risk Level
Areas of High Security Concern: The short timeframe required to execute an improper input validation attack on the Galaxy S22 very likely indicates that personal devices have limited measures to deter malicious input values. Unpatched zero-day exploits of Samsung and other mobile phones will very likely allow hackers to write malicious codes, likely harming users and the company’s reputation. Malicious hackers could very likely replicate the success of exploiting the Galaxy S22 and exploit similar personal devices of Samsung and other targeted companies, like Canon, NETGEAR, and HP. The release of the flaws will very likely allow malicious hackers to implement backdoors to steal data or hold data for ransom. Other companies similar to Samsung, like Apple, could very likely face similar cyberattacks through the input validation method, as malicious hackers will very likely try to replicate the success for data theft and financial gain.
Current Claims: vulnerability initiative, ZDI; photography company, Canon; technology company, HP; computer networking company, NETGEAR; imaging company, Lexmark; software developer, Western Digital; electronics company, Samsung; electronics company, Apple; security researchers; hackers; malicious hackers; banks; government agencies
Current Attack: Hackers participating in the PWN2OWN competition hacked Samsung Galaxy S22.[6] The hackers exploited zero-days found within the device’s software in 55 seconds through an improper input validation[7] attack.[8] The hackers also targeted other electronics and software companies like HP, Lexmark, and Western Digital through similar methods.[9]
Major Capital Industries: mobile telephone; information technology (IT)
Potential Industry Concerns: Mobile phone and IT companies, like Samsung, HP, NETGEAR, Lexmark, and Apple, will likely update their software application and hardware, likely increasing security spending. The ability for malicious hackers to execute input validation attacks will very likely lead the IT industry to develop additional security protocols for companies to include digital security parameters, like regional access limiters or network access controls with virtual private networks. There is a roughly even chance that users will question the effectiveness of companies to prevent and detect attacks, likely causing mistrust amongst the public. Hackers will very likely continue to enhance breaching tactics, likely increasing users' vulnerabilities to attacks, and causing companies to update their security more frequently. Inflation will likely result in companies' reluctance to hire new IT personnel, likely resulting in longer patch times and continued exposure to vulnerabilities. Hackers will likely use zero-day vulnerabilities to gain access to the personal or sensitive information of customers, employees, and technology companies. Customers and employees will very likely experience data theft, likely causing companies to experience revenue loss linked to customer and employee compensation.
Areas of Caution:
Political: The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have increased their focus on combating zero-day attacks after vulnerabilities were exposed.[10] However, these efforts have not prevented cyberattacks on private sector phone and IT companies, many of which have contracts with governments and defense agencies.[11] PWN2OWN hackers exploiting Galaxy S22’s vulnerabilities in 55 seconds indicate the ineffectiveness of companies in executing government policies on zero-day vulnerabilities. Aside from Samsung, Microsoft and Google have also faced zero-day attacks this year that required US agencies to patch their systems to avoid further breaches.[12]
Economic: The threat of zero-day vulnerabilities makes banks and government agencies, like health departments, susceptible to direct cyberattacks. For example, in 2021, non-state hackers conducted a ransomware attack on a financial software service, Accellion file transfer application (FTA), impacting US banks’ data like Morgan Stanley and global financial institutions like the Reserve Bank of New Zealand, impacting customers’ financial accounts.[13] The ransomware attack on the Accellion FTA that allowed for data breaches ties back to an FTA zero-day vulnerability within the software.[14] The success of the ransomware attack demonstrated that zero-day flaws within the targeted systems are exploited to obtain data and network access. The threat of zero-day flaws from the ZDI competition indicates concern for hackers to use other methods of attack to further exploit the networks.
Cybersecurity: Improper input validation indicates that a system has faulty software that does not validate input, like strings, characters, or numbers, correctly to detect malicious embedded code.[15] Faulty software that does not verify data input could allow embedded syntax malware to establish command and control (C2) connections for threat actors to access networks through backdoors.[16] Limited software application security that allows malicious input could lead to injection attacks, where threat actors can enter the networks and access data.[17] 86% of developers do not prioritize application security when writing code to decrease the number of potential flaws like zero-days or improper input validation checks.[18] The concern of limited efforts in application development indicates potential threats to data security as hackers have a greater chance of initial entry to access data to encrypt or steal. The success of improper input validation as the method of attack in the PWN2OWN with these known limited efforts by software developers indicates increasing vulnerabilities for hackers to target when infiltrating networks to gain initial entry.
Predictive Analysis:
Who: Malicious hacking groups viewing the PWN2OWN itinerary and list of targets will very likely begin conducting espionage campaigns to exploit employees and device end-users of the targeted companies. Organizations that use the targeted vendor’s devices will very likely be on high alert, as they will likely have vulnerabilities. Organizations within the IT and mobile phone industries will likely implement security protocols to mitigate system vulnerabilities and remove malware so that their flaws are not exposed, which will likely limit the threat of future espionage campaigns. Samsung, HP, Canon, Lexmark, and Western Digital will very likely begin implementing patches to decrease the threat of malicious attacks, which will likely incentivize other IT companies, like Apple, to update their security as well. The threat of cyberattacks on additional companies, like those that provide resources to public sector entities, including hospitals and schools, will very likely spur political action, like additional CISA policies to prevent the destruction of critical data.
What: The ability to enter networks and hold data for ransom through the zero-days will very likely motivate malicious hacker groups to replicate the exploits with improper input validation tactics to obtain financial gains. The success of the hacking against Samsung will likely motivate malicious hacker groups to exploit other companies in the IT and mobile telephone industries using similar tactics. Access to company networks will very likely lead to data theft or ransom threats.
Why: The sophistication of the 55-second zero-day exploit on Samsung almost certainly presents a security threat for all organizations similar to Samsung, HP, and Western Digital, like Apple. The ability for the PWN2OWN hacker groups to persist for three days on Samsung products will very likely allow other hackers to stealthily access and gather data of these vulnerable IT and mobile phone companies. Any vulnerabilities will very likely lead to hackers targeting other organizations, like Apple, to seek higher profitable returns.
When: The release of unpatched zero-days will very likely present further hacker groups attacks in the following months. Malicious hackers’ ability to target known vendors will likely result in the disclosure of other vulnerabilities before ZDI’s official disclosure of flaws. Malicious hacking groups will very likely use the data to carry out future operations after the 120 days to further their exploits within targeted networks. These further exploits will very likely include data theft and ransoms to obtain financial gains by encrypting the data or selling it to other threat actors once stolen.
How: The malicious hackers will very likely use improper input validation attack tactics and develop more advanced tools to persist within networks while using backdoors to obtain lateral network access. The threat actors will likely develop tools with remote access trojans (RATs) and C2 operations to surf the exfiltrated networks to obtain server data. The RAT and C2 will very likely allow the hackers to automate their malware injections with improper input validation tactics to limit oversight for each targeted network and expand their range of targets.
The Counterterrorism Group (CTG) recommends enterprises and individuals deploy web application firewalls (WAFs) on the network edge to review incoming traffic and filter out the malicious activity that could target the network’s vulnerabilities. CTG recommends updating the systems and networks to the latest versions and deploying software patches as soon as the zero-day vulnerability is discovered to reduce the risk of a successful attack. CTG recommends organizations update their defense practices and network monitoring policies to detect and timely monitor malicious activity. The CTG works to detect, deter, and defeat terrorism and will continue to monitor the evolution of zero-day vulnerabilities and zero-day initiatives to report incidents in a timely manner. CTG’s Worldwide Analysis of Threats, Crimes, and Hazards (WATCH) Officers will monitor ongoing threats related to known and zero-day vulnerabilities that could likely lead to future incidents.
[1] “Zero Day Kill Chain” by Swissinventor licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
[2] Hackers earn $989,750 for 63 zero-days exploited at Pwn2Own Toronto, Bleeping Computer, December 2022, https://www.bleepingcomputer.com/news/security/hackers-earn-989-750-for-63-zero-days-exploited-at-pwn2own-toronto/
[3] Ibid
[4] Ibid
[5] Ibid
[6] Samsung Galaxy S22 hacked twice on first day of Pwn2Own Toronto, Bleeping Computer, December 2022, https://www.bleepingcomputer.com/news/security/samsung-galaxy-s22-hacked-twice-on-first-day-of-pwn2own-toronto/
[7] “Improper input validation attack targets the system’s software that has limited capabilities to determine malicious embedded code in the input data of a program.” CWE-20: Improper Input Validation, MITRE, 2022, https://cwe.mitre.org/data/definitions/20.html
[8] Samsung Galaxy S22 hacked in 55 seconds on Pwn2Own Day 3, Bleeping Computer, December 2022, https://www.bleepingcomputer.com/news/security/samsung-galaxy-s22-hacked-in-55-seconds-on-pwn2own-day-3/
[9] Hackers earn $989,750 for 63 zero-days exploited at Pwn2Own Toronto, Bleeping Computer, December 2022, https://www.bleepingcomputer.com/news/security/hackers-earn-989-750-for-63-zero-days-exploited-at-pwn2own-toronto
[10] CISA orders agencies to patch new Windows zero-day used in attacks, Bleeping Computer, July 2022, https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-new-windows-zero-day-used-in-attacks/
[11] U.S. govt employees exposed to mobile attacks from outdated Android, iOS, Bleeping Computer, November 2022, https://www.bleepingcomputer.com/news/security/us-govt-employees-exposed-to-mobile-attacks-from-outdated-android-ios/
[12] CISA orders agencies to patch exploited Google Chrome bug by Dec 26th, Bleeping Computer, December 2022, https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-exploited-google-chrome-bug-by-dec-26th/
[13] Timeline of Cyber Incidents Involving Financial Institutions, Bleeping Computer, July 2021, https://www.bleepingcomputer.com/news/security/morgan-stanley-reports-data-breach-after-vendor-accellion-hack/
[14] Morgan Stanley targeted in Accellion hack, Carnegie Endowment for International Peace, 2022, https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline
[15] CWE-20: Improper Input Validation, MITRE, 2022, https://cwe.mitre.org/data/definitions/20.html
[16] Input validation errors: The root of all evil in web application security, Invicti, March 2022, https://www.invicti.com/blog/web-security/input-validation-errors-root-of-all-evil/
[17] Ibid
[18] 86% of developers don’t prioritize application security, Help Net Security, April 2022, https://www.helpnetsecurity.com/2022/04/07/developers-software-security/