0day And Hitlist Week 01102024 Work

During Week 01, the Zero Day Initiative (ZDI) and other major research groups finalized their target scopes for the upcoming Pwn2Own Vancouver 2024 contest. These "Hitlists" serve as a forecast for where the most critical 0day vulnerabilities are likely to be discovered or demonstrated in the coming months.

Date: January 10, 2024 (Week 01102024)
Author: Threat Intelligence Desk
Classification: TLP:CLEAR

The ZDI announced the categories and specific targets, effectively creating a "bounty hitlist" for researchers:

  • Enterprise Applications:
  • Web Browsers:
  • Operating Systems:
  • Mobile:

The work done during week 01102024 highlights a maturation of the threat landscape.

    Preparation:

    Response:

    At the start of the week, a Type Confusion in the Turbofan JIT compiler (Issue 41497621) was being actively exploited in the wild. The hitlist for this 0day specifically included financial auditors and crypto wallet users. The exploit bypassed the V8 sandbox by confusing the compiler about a JSTypedArray object’s length. A simple Array.prototype.map call on a malicious website was enough to execute shellcode.

    The "Work" factor: Due to the complexity of crafting a reliable trigger, only APT groups (specifically TA544 and DarkHotel) were seen using this in high-value spear-phishing campaigns.

    The hitlist from 01102024 proved that attackers are moving away from generic ransomware to strategic compromise. The inclusion of Git repos and CRM systems indicates a shift toward "living off the land" for espionage, not just extortion.

    Despite the CLFS 0day affecting modern OS versions, the hitlist prioritized unpatched Server 2012 R2 boxes because they are often forgotten in patch cycles but still hold the KRBTGT hash for Golden Ticket attacks.