CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

$2.5 Million Offered at Upcoming ‘Matrix Cup’ Chinese Hacking Contest 

The Chinese hacking contest Matrix Cup is offering big rewards for exploits targeting OSs, smartphones, enterprise software, browsers, and security products.

Matrix Cup Chinese hacking contest

A prize pool of $2.5 million is being offered at an upcoming Chinese hacking contest for exploits targeting a wide range of technology products, particularly ones made in the West. 

The competition, named Matrix Cup, is being described as “the Eastern hemisphere’s top cybersecurity competition”. Set to take place on June 26-28, Matrix Cup is sponsored by Chinese cybersecurity firm Qihoo 360 and Beijing Huayun’an Information Technology.  

Organizers are offering a total of 20 million yuan ($2.75 million) to participants, including 18 million yuan ($2.5 million) for zero-day exploits. 

The list of targets includes the Windows, Linux and macOS operating systems; Samsung Galaxy, Google Pixel, iPhone and several China-made smartphone brands; enterprise products from Microsoft, Zimbra, F5 and Citrix; networking devices from Cisco, Juniper Networks, Sonicwall and Linksys; NAS devices from WD, Synology and QNAP; and cybersecurity products from Fortinet, Checkpoint, Cisco, Ivanti (Pulse Secure), and Kaspersky.

Targets also include databases such as MariaDB, SQL Server, MySQL, and Oracle Database; enterprise tools such as Adobe Reader, Microsoft Teams, Zoom and Microsoft Office; the Chrome, Firefox, Edge and Safari web browsers; VMware, QEMU, Docker, Microsoft and Oracle virtualization technologies; an HP multi-functional printer; and the Hadoop data storage and processing framework.

Organizers say the goal is to address the cybersecurity challenges posed by new technologies, lower the level of risk, and improve the security of products. No information appears to be provided on the Chinese-language website set up for Matrix Cup on whether the demonstrated vulnerabilities will be reported to the affected vendors. 

Chinese hacking competitions often compare themselves to the North America-based Pwn2Own, which every year pays out significant amounts of money for software, IoT, ICS and automotive exploits. At the latest Pwn2Own, participants earned a total of $1.1 million for their work.

One of the most well known Chinese hacking contests is the Tianfu Cup. At the 2021 event, participants earned a total of $1.9 million for iOS, Chrome, Windows, VMware and other types of exploits. Tianfu Cup took a break in 2022, and the 2023 event shifted focus to domestic products from companies such as Huawei, Xiaomi, Tencent and Qihoo 360. Little information is available on the results of the 2023 event.

Advertisement. Scroll to continue reading.

Unlike in the case of Pwn2Own, which clearly states that findings are immediately reported to impacted vendors, details are murky regarding the disclosure of Tianfu Cup exploits to vendors. Several vulnerabilities presented at Tianfu Cup are known to have been patched by vendors, albeit months after their discovery in some cases. 

Chinese law dictates that zero-day vulnerabilities found by citizens must be promptly disclosed to the government. The details of a security hole cannot be sold or provided to any third-party, apart from the product’s manufacturer. The cybersecurity industry has raised concerns that the law will help the Chinese government stockpile zero-days. 

Indeed, one year after the law came into effect, Microsoft said it had contributed to a zero-day exploit surge. Threat actors believed to be sponsored by the Chinese government regularly leverage zero-day vulnerabilities in their attacks, including against the US government and affiliated entities. 

Related: US-China Competition to Field Military Drone Swarms Could Fuel Global Arms Race

Related: ArcaneDoor Espionage Campaign Targeting Cisco Firewalls Linked to China

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.