Highlights of the 2022 Pwnie Awards
Since 2007, the Pwnies have celebrated the good, the bad, and the wacky in cybersecurity. Enjoy some of the best moments of this year's ceremony.
September 16, 2022
![Sophia d'Antoine, a woman in a green dress, and Ian Roos, a man in a yellow bucket hat, at a Black Hat USA 2022 podium Sophia d'Antoine, a woman in a green dress, and Ian Roos, a man in a yellow bucket hat, at a Black Hat USA 2022 podium](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blta5d6f559329ddc7f/64f15fdb40b8ac6a1582d7a7/pwnies-sophia-ian-Karen_Spiegelman.jpg?width=700&auto=webp&quality=80&disable=upscale)
Sophia d'Antoine and Ian Roos. Source: Karen Spiegelman via Dark Reading
It's been a month since the 2022 Pwnie Awards brought a serving of zazz to Black Hat USA. Now in its 15th year, the Pwnie Awards definitely acts its age. Like many a teenager, the show was antic, careening between silly bits, snarky jokes, and devastating critiques.
The main hosts for the evening were Sophia d'Antoine and Ian Roos, respectively founder and researcher at Margin Research. D'Antoine played it straight in a classic green dress and long white graphic jacket, dropping acid comments and bons mots. Roos was the Costello to her Abbott, decked out in the sartorial equivalent of the impulse-buy rack at a corner liquor store and occasionally drinking beer from a can.
Red Balloon Security founder and CEO Ang Cui, who crafted the statuettes, split the difference in a tuxedo with a reversible sassy-to-classy jacket. The trio was joined by other hosts including Supriya Mazumdar, who shared a series of jokes relating to the Tesla RCE bug, such as saying that executing the exploit was like "shooting fish in Elon Musk's barrel chest."
Here is a roundup of the greatest highs, lowest lows, and most interesting twists and sparks in the world of cybersecurity.
"Awarded to the researchers who exploited the most sophisticated and interesting Mobile hack of the year! What do we mean by mobile? Does it fit in your pocket? Can I fit it in my pocket? Can I run away with it? Did I steal your phone?" (@PwnieAwards)
The "winner" was the NSO Group, maker of the software Pegasus, which the company considers an intelligence tool but which others call spyware. Researchers at Canada's The Citizen Lab found an iMessage exploit on a Saudi activist's phone and looked further.
"The exploit, which we call FORCEDENTRY, targets Apple's image rendering library, and was effective against Apple iOS, MacOS and WatchOS devices. We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware," they wrote in a blog post.
Apple patched the exploit, labeled CVE-2021-30860, in September 2021.
The other pair of finalists presented their discoveries at the conference. Alon Shakevsky, Eyal Ronen, and Avishai Wool of Tel Aviv University dug into IV reuse, downgrade, and working key extraction attacks on Samsung devices, and Damiano Melotti and Maxime Rossi from Quarkslab discussed how they used a black-box fuzzer and emulation techniques to find and demonstrate a vulnerability on Google's Pixel 3 phone.
"Awarded each year to the researchers who discovered or exploited the most technically sophisticated and interesting desktop exploit." (@PwnieAwards)
A team of researchers from Italy, Austria, and Germany — Pietro Borrello, Andreas Kogler, Martin Schwarzl, Moritz Lipp, Daniel Gruss, and Michael Schwarz — took home the Pwnie for their work on CPU vulnerabilities they uncovered in Sunny Cove-based Intel chips.
"We discover ÆPIC Leak, the first architectural CPU bug that leaks stale data from the microarchitecture without using a side channel," the team wrote for their paper "ÆPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture," which they presented at the 31st USENIX Security Symposium in Boston. They were so excited about being nominated that not only did they tweet out the complete list of Pwnie nominees back in July, but they actually showed up to collect the award in person.
The two runners-up were a pair of pseudonymous programmers (pspaul and swapgs) who worked out a way to attack developer tools using Git integrations and a team from Qualys that found a vulnerability in the Linux snap-confine function, which they named Oh Snap! More Lemmings.
"Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting RCE Bug." (@PwnieAwards)
It seemed as if everyone was rooting for the Tesla RCE, which the Synacktiv group presented at this year's PWN2OWN conference. David Berard and Vincent Dehors exploited two zero-day vulnerabilities and a sandbox escape to take over the infotainment system of a Tesla Model 3.
Instead, the winner was Kunlun Labs for exploiting the Windows RPC Runtime RCE (CVE-2022-26809).
"The vulnerability could allow a remote attacker to execute code at high privileges on an affected system," the Zero Day Initiative wrote about it back in April. "Since no user interaction is required, these factors combine to make this wormable, at least between machines where RPC can be reached."
The other finalist was a Microsoft RCE flaw discovered by researchers Yuhao Weng, Zhiniang Peng, and Feng Dong.
"The Exchange Server flaw results from improper validation of cmdlet — a command that is often used in PowerShell environments," Dark Reading reported in November 2021.
"Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability." (PwnieNoms.live)
The winner was Mystique in the House, aka CVE-2021-0691. A vulnerability in the Android Application Sandbox allows an attacker to manipulate apps from userspace in Android 11. Dawn Security Lab presented a paper at CanSecWest 2022. The name "Mystique" is a nod to the shape-shifting antagonist in Marvel's X-Men because the malicious app can also take on other forms.
The uniqueness of Mystique probably gave it the edge over SpoolFool, which provided a clever way to build up privileges from creating a printer to gaining an admin role. The only issue is that the Windows Print Spooler it's based on is notoriously vulnerable to exploits, so it doesn't have the same air of mystery.
"What kind of awards ceremony does not have an award for best song? What can we say, security researchers, engineers, and the entire community can be considered a 'multi-talented' group of people." (PwnieNoms.live)
The winner, Project Mammoth, included a .ctf file along with the winning song, an industrial bash called "Dialed Up." The file contained puzzles for listeners to solve.
One finalist was "Side Channels Are Everywhere," a song that teaches listeners about side channel exploits by A Few Mistakes Ago, a project out of Graz University of Technology. The bouncy, poppy theme song was for a Web sitcom about a group of roommates who want to "become famous by finding new side channels."
The other finalist was "Fare" by Utku Şen, a Berlin-based security engineer and musician. Şen's video for the ambient trance instrumental piece highlighted the risks of QR codes.
"A Pwnie Cryptography Award should represent a meaningful break in a system actually deployed. The attack can require a math Ph.D to understand its workings, but not to understand its impact, and it can't require a data center in Utah to exploit." (PwnieNoms.live)
The winner was Hertzbleed, a notorious side-channel attack that reads variations in CPU power use to infer sensitive information. Like the winners of Best Desktop Bug, this research team — Yingchen Wang and Hovav Shacham of University of Texas at Austin; Riccardo Paccagnella, Elizabeth Tang He, and Christopher Fletcher of University of Illinois Urbana-Champaign; and David Kohlbrenner of University of Washington — also presented their findings at the USENIX conference in Boston.
Guest presenter Hammond Pearce, an assistant professor at New York University's Tandon School of Engineering, made what could be a very dry category into maybe the best segment of the show with a series of cryptography jokes. Example: "Two cryptographers walk into a bar, and that's the end of the joke because nobody can understand what they're saying."
"Awarded to the researcher or team who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post." (PwnieNoms.live)
The enthusiastic winners of the Best Desktop Bug Pwnie, Pietro Borrello and his colleague Martin Schwarzl, won in this category with their work looking inside the microarchitecture of proprietary Intel chips.
"We develop a Ghidra decompiler for Atom Microcode and reverse-engineer how the CPU internally uses its control register bus to manage its resources," the pair promised in their Black Hat abstract.
Two of the finalists relate to fuzzing, an automated software testing technique that injects random or unexpected data to see how a system handles it. FirmWire — from researchers from the University of Florida, Vrije Universiteit Amsterdam, TU Berlin, and Ruhr-Universität Bochum — analyzes firmware for Samsung and MediaTek devices. And the V-Shuttle framework, from a group from Zhejiang University and Ant Group, applies fuzzing to hypervisors, a challenging prospect because of their nested data structures.
"Awarded to the vendor who mis-handled a security vulnerability most spectacularly." (PwnieNoms.live)
The first nominee was HCL Technologies for the pace of its response to a vulnerability report. Shubham Shah, co-founder and CTO of Assetnote, discovered a server-side request forgery (SSRF) vuln in HCL Digital Experience, formerly IBM WebSphere Portal. He contacted HCL Technologies on Sept. 5, 2021, to let the company know, but HCL ran out the clock on the 90-day disclosure policy by Dec. 5. After another three weeks, Shah published his advisory on what became CVE-2021-27748.
That foot-dragging wasn't great, but HCL seemed a little more responsive than Heroku was in the wake of a GitHub hack. The "Heroku silence," as the Pwnie Awards dubbed it, came after an attacker stole a bunch of Heroku customers' OAuth tokens for GitHub accounts. When GitHub alerted the Salesforce subsidiary on April 13, Heroku severed its GitHub integration, to the bafflement of many developers. It took over a month to re-enable the integration.
The fallout from this incident and the slow and tight-lipped response seems to linger, as Heroku announced an end to free accounts.
But the "winner" was the Google Threat Analysis Group. TAG is tasked with counteracting government-backed attacks, an important mission the group does constantly with distinction. However, one "watering hole" attack it discovered and stopped back in October 2020 turned out to be a Western government conducting an anti-terrorism campaign.
Ethical arguments can be made on both sides of that decision, but it's clear which side the Pwnie voters favored: "Charging face first into the world of 'Different Ethical Questions' $Goog stumbled across 11 zero days targeting terrorists and nuked them from orbit! The 0days that is; sure would suck if that IED phone stopped working."
"This award will honor a person or corporate entity's spectacularly epic fail — the kind of fail that lets the entire infosec industry down in its wake. It can be a singular incident, marketing piece, or investment — or a smoldering trail of whale-scale fail." (PwnieNoms.live)
Microsoft is always a fat target, and one arrow that found its mark this year was Follina, a zero-day remote code execution flaw in Microsoft Support Diagnostic Tool (MSDT) affecting essentially all Windows versions.
What made CVE-2022-30190 stand out, however, was the company's lackluster initial response. Shadow Chaser Group researcher "crazyman" reported the bug to Microsoft in April, but the software giant didn't label it a zero-day threat until May 30, after another researcher reported seeing a Word document running the exploit in the wild. Microsoft issued a patch on June 14, but bad actors are still using Follina to wedge into systems, including a Russia-based group that broke into Ukrainian computers.
The HiKam fail was a spectacular example of cybersecurity shortcomings in the Internet of Things universe, including the ability to take over the camera via the Web interface and device spoofing.
But the winner was HackerOne, which d'Antoine described as "profiteering middlemen" even before considering the crooked employee who was caught siphoning vulnerability reports and submitting them for the bug bounties.
"Like good magicians our industry will put a lot of razzle dazzle on the problems we can sell a solution for. But what about the things that are DONTFIX, can't be scanned for, but are still amazingly cool and high impact?" (PwnieNoms.live)
The winner was a nifty paper in which Yannay Livneh explained how to use certain Internet-connected machines to send packets with a spoofed source identity using IP-in-IP encapsulation, an old IP technique.
"It's dead simple, just encapsulate another IP in an IP packet and send it," Livneh wrote in the February 2022 issue of the International Journal of Proof-of-Concept or GTFO.
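As an added example that is not part of the original article or Livneh's paper: a small inspector for the IP-in-IP encapsulation he describes (IP protocol number 4). It parses the outer and inner IPv4 headers of a raw packet and flags when the inner source address differs from the outer one, which is the indicator a network defender would log or alert on when looking for this kind of spoofing. The sample packet and its addresses are constructed inline.

```python
import struct
import ipaddress

IPPROTO_IPIP = 4  # IP-in-IP encapsulation (RFC 2003)

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when already valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4_header(pkt: bytes) -> dict:
    """Extract the fixed IPv4 header fields needed for inspection."""
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ihl": (vihl & 0x0F) * 4, "total_len": total_len, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst))}

def inspect_ipip(pkt: bytes) -> dict:
    """For an IP-in-IP packet, return outer/inner addresses and whether the inner
    source differs from the outer source (a spoofing indicator). Packets that are
    not encapsulated return {'encapsulated': False}."""
    outer = parse_ipv4_header(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        return {"encapsulated": False}
    inner = parse_ipv4_header(pkt[outer["ihl"]:])  # inner header follows outer
    return {
        "encapsulated": True,
        "outer_src": outer["src"], "outer_dst": outer["dst"],
        "inner_src": inner["src"], "inner_dst": inner["dst"],
        "inner_proto": inner["proto"],
        "source_mismatch": inner["src"] != outer["src"],
    }

# Constructed sample (documentation addresses): an outer packet from 198.51.100.7
# to a decapsulating host, carrying an inner packet that claims to come from 192.0.2.10.
INNER = build_ipv4_header("192.0.2.10", "203.0.113.5", 17, 0)  # inner claims UDP
SAMPLE = build_ipv4_header("198.51.100.7", "203.0.113.1", IPPROTO_IPIP, len(INNER)) + INNER

if __name__ == "__main__":
    print(inspect_ipip(SAMPLE))
```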
One of the finalists was a vulnerability discovered in Intel BIOS by Alexander Tereshkin, Alexander Matrosov, and Adam "pi3" Zabrocki of Nvidia's Product Security Team. Officially called INTEL-SA-00525 or CVE-2021-0144, the flaw involves an insecure default variable initialization for the Intel BIOS Shared SW Architecture (BSSA) Design for Test (DFT) feature that can allow a privileged user to escalate privilege via local access. Essentially, Intel implemented a dummy function for testing purposes that always returns "true" when it should always return "false" instead.
The other finalist was a pair of years-old vulnerabilities in the PHP Extension and Application Repository (PEAR). The researchers said the developers are likely to run the tool with the vulnerabilities "on their computers before deploying it on production servers, creating an opportunity for attackers to pivot into companies' internal networks."
"Awarded to the researchers, attackers, defenders, executives, journalists, nobodies, randos, or trolls for pulling off something so truly epic that we couldn't possibly have predicted it by creating an award category that did it justice." (PwnieNoms.live)
The winner was Yuki Chen, a perennially productive bug bounty hunter, "for his bottomless pit of 50+ Windows Server-Side RCE Bugs this year alone." The Pwnie Award wasn't his only recognition in 2022 — he topped the Windows leaderboard at the Microsoft Security Response Center for the third time.
"Epic" doesn't always have a positive connotation, as shown by the fact that the Russian Federation was nominated. On the eve of the invasion of Ukraine, someone "flashed firmware on Viasat modems to brick them," as the Pwnie Twitter account put it. The symbiosis of traditional warfare and cyber warfare really peaked in this conflict.
On a less physically dangerous level, Qualys earned a nomination for discovering a 9-year-old local privilege escalation (CVE-2021-4034) in polkit's pkexec, which the IT security and compliance company notes is a default component of every major Linux distribution.
"This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration," the company wrote.