Vietnamese engineers win $25,000 prize in global cyberattack contest

By Phong Van   February 22, 2023 | 06:00 pm PT
Vietnam's ECQ team exploited two zero-day vulnerabilities in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems to win US$25,000 at the global cyberattack competition Pwn2Own.

In their first entry at Pwn2Own Miami 2023, ECQ's technical team of 12 members scored 25 points to rank second and win $25,000.

The first target, on Feb. 14, was the Softing edgeConnector Siemens application in the OPC UA server category.

ECQ exploited a NULL pointer dereference vulnerability to cause a denial of service (DoS).

DoS vulnerabilities are significant because ICS products prioritize system availability. These attacks exploit a software vulnerability to make the application crash or stall, leaving it unable to process requests.

On Feb. 15 their target was Triangle Microworks SCADA in the Data Gateway category. ECQ combined a chain of three vulnerabilities to complete a remote code execution attack. The team succeeded in executing arbitrary code on the server where the application was installed.

The ECQ engineering group during the online contest. Photo by ECQ

Nguyen Hai Dang, director of ECQ Vietnam, said Pwn2Own is a significant and famous global security contest.

Pwn2Own is a global hacking competition held annually to find previously unknown security vulnerabilities.

Held in Miami this year, it focused on industrial networks in four categories: OPC Unified Architecture (OPC UA) server, OPC UA client, Data Gateway, and Edge system.

Pwn2Own Miami 2023 contest results. Photo by Trend Micro

This is not ECQ's first foray into a security competition in the industrial network field.

In 2019, it and SkillSpar participated in the Cybersecurity Industry Call for Innovation, organized by the Cyber Security Agency of Singapore, and won a prize of up to SGD500,000 with its automated attack simulation and remediation initiative for ICS/SCADA.

ECQ is a cybersecurity company that provides offensive security solutions and services focusing on proactive attack and defense.

It develops premium security consulting services for clients in a number of industries, such as finance, critical infrastructure and services, and for government agencies.

Find more information at the website.
