Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

$2.5 Million Offered at Upcoming ‘Matrix Cup’ Chinese Hacking Contest 

The Chinese hacking contest Matrix Cup is offering big rewards for exploits targeting OSs, smartphones, enterprise software, browsers, and security products.

Matrix Cup Chinese hacking contest

A prize pool of $2.5 million is being offered at an upcoming Chinese hacking contest for exploits targeting a wide range of technology products, particularly ones made in the West. 

The competition, named Matrix Cup, is being described as “the Eastern hemisphere’s top cybersecurity competition”. Set to take place on June 26-28, Matrix Cup is sponsored by Chinese cybersecurity firm Qihoo 360 and Beijing Huayun’an Information Technology.  

Organizers are offering a total of 20 million yuan ($2.75 million) to participants, including 18 million yuan ($2.5 million) for zero-day exploits. 

The list of targets includes the Windows, Linux and macOS operating systems; Samsung Galaxy, Google Pixel, iPhone and several China-made smartphone brands; enterprise products from Microsoft, Zimbra, F5 and Citrix; networking devices from Cisco, Juniper Networks, Sonicwall and Linksys; NAS devices from WD, Synology and QNAP; and cybersecurity products from Fortinet, Checkpoint, Cisco, Ivanti (Pulse Secure), and Kaspersky.

Targets also include databases such as MariaDB, SQL Server, MySQL, and Oracle Database; enterprise tools such as Adobe Reader, Microsoft Teams, Zoom and Microsoft Office; the Chrome, Firefox, Edge and Safari web browsers; VMware, QEMU, Docker, Microsoft and Oracle virtualization technologies; an HP multi-functional printer; and the Hadoop data storage and processing framework.

Organizers say the goal is to address the cybersecurity challenges posed by new technologies, lower the level of risk, and improve the security of products. No information appears to be provided on the Chinese-language website set up for Matrix Cup on whether the demonstrated vulnerabilities will be reported to the affected vendors. 

Chinese hacking competitions often compare themselves to the North America-based Pwn2Own, which every year pays out significant amounts of money for software, IoT, ICS and automotive exploits. At the latest Pwn2Own, participants earned a total of $1.1 million for their work.

One of the most well known Chinese hacking contests is the Tianfu Cup. At the 2021 event, participants earned a total of $1.9 million for iOS, Chrome, Windows, VMware and other types of exploits. Tianfu Cup took a break in 2022, and the 2023 event shifted focus to domestic products from companies such as Huawei, Xiaomi, Tencent and Qihoo 360. Little information is available on the results of the 2023 event.

Advertisement. Scroll to continue reading.

Unlike in the case of Pwn2Own, which clearly states that findings are immediately reported to impacted vendors, details are murky regarding the disclosure of Tianfu Cup exploits to vendors. Several vulnerabilities presented at Tianfu Cup are known to have been patched by vendors, albeit months after their discovery in some cases. 

Chinese law dictates that zero-day vulnerabilities found by citizens must be promptly disclosed to the government. The details of a security hole cannot be sold or provided to any third-party, apart from the product’s manufacturer. The cybersecurity industry has raised concerns that the law will help the Chinese government stockpile zero-days. 

Indeed, one year after the law came into effect, Microsoft said it had contributed to a zero-day exploit surge. Threat actors believed to be sponsored by the Chinese government regularly leverage zero-day vulnerabilities in their attacks, including against the US government and affiliated entities. 

Related: US-China Competition to Field Military Drone Swarms Could Fuel Global Arms Race

Related: ArcaneDoor Espionage Campaign Targeting Cisco Firewalls Linked to China

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights