Winning on their first participation

VCS, located in Keangnam building, Pham Hung street, is home to international-level hackers. At Pwn2Own 2021, two experts, Pham Van Khanh (born 1992) and Dao Trong Nghia (born 1998), won the “Local Escalation of Privilege” and “Servers” categories. This is the first time Khanh and Nghia have participated in this contest.

Pham Van Khanh (left) and Dao Trong Nghia in the contest

Khanh graduated from Hanoi University of Science and Technology, majoring in information technology, while Nghia studied at FPT University, specializing in software vulnerabilities. At VCS, they have received the most favorable conditions to explore computer technology and try their hand at world-class playgrounds.

Pwn2Own, one of the world’s largest cyber-attack competitions, has been held annually since 2007 with bonuses of up to millions of USD, attracting the participation of global security experts. This is an occasion for well-known technology firms to bring their products to challenge “legal hackers.” About three months before the competition, the organizing panel announces the rules, equipment, and software that will be the targets for registered contestants.

In 2021, about 23 teams and researchers participated in Pwn2Own to find Microsoft Windows 10 errors in the Web Browsers, Virtualization, Servers, Local Escalation of Privilege, and Enterprise Communications categories.

According to Khanh, an expert in web security for VCS’s System and Application Security Division, the organizing panel announced a target for attack on January 1, 2021. Initially, he chose Microsoft SharePoint software. However, about a month ahead of the competition, Microsoft announced a critical vulnerability called ProxyLogon in Microsoft Exchange. Then, he decided to research this vulnerability.

As a result, Khanh found a similar vulnerability. Combined with some other vulnerabilities and some other techniques, he wrote the complete code for the competition.

Meanwhile, Nghia, a software vulnerability expert in the company’s Malware and Vulnerability Division, said that he himself found new ways to attack vulnerabilities that he had known before.

They completed the Servers category with success. Nevertheless, right after that, the organizing panel said that two-thirds of the team’s vulnerabilities were the same as those of the first team, so they only got a partial win with 7.5 points instead of 20 points. “We felt quite satisfied with the result,” Khanh added.

In the Local Escalation of Privilege category, they performed excellently. In the end, the VCS team won two categories with a total of 11.5 points, ranked fifth overall, and brought home USD 80,000.

Having participated in Pwn2Own twice, VCS experts remarkably won in the categories that they competed in. In 2020, VCS sent Ngo Anh Huy (born 1989) and Do Quang Thanh (born 1996) to Pwn2Own, and they were winners in the SmartTV category.

Further competing in the international arena

VCS is home to excellent experts who make remarkable contributions to ensuring cyber security. Not only excelling in researching and finding vulnerabilities, VCS experts are also invited to attend and share experience at prestigious and world-famous security conferences such as Black Hat USA, Black Hat Europe, and seminars for professionals hosted by Microsoft or Google, among others.

Khanh’s daily work at VCS is researching new cyber-attack techniques and finding security holes. In addition, he also trains students. Meanwhile, Nghia specializes in researching and analyzing published vulnerabilities, finding vulnerabilities, and researching and creating new cyber-attack techniques. He usually spends 30 minutes per day catching up on information security news and cyber-attack methods around the world.

Besides, VCS hackers also participate in international forums to exchange ideas with computer experts.

According to Mr. Nguyen Xuan Nam, VCS’s Strategy Director, although there are many cyber security competitions, they have decided to focus on quality instead of quantity. Quality means the size of the competition and the opportunities for young staff to exchange and learn from each contest.

The achievements of the VCS team at Pwn2Own 2021 once again affirmed the pioneering role of the company in the field of in-depth research on information security in Vietnam while contributing to improving the status of Vietnam in information security as assessed by the International Telecommunication Union.

Together with VCS, other units and enterprises in this field, such as the National Cyber Security Center (NCSC), VNPT, BKAV, VinCSS, VNCS, etc., are striving to realize the target of turning Vietnam into a power in cyber safety and security, as cyber security is becoming a global challenge.

Translated by Minh Anh