Vulnerabilities

$2.5 Million Offered at Upcoming ‘Matrix Cup’ Chinese Hacking Contest 

The Chinese hacking contest Matrix Cup is offering big rewards for exploits targeting OSs, smartphones, enterprise software, browsers, and security products.

Matrix Cup Chinese hacking contest

A prize pool of $2.5 million is being offered at an upcoming Chinese hacking contest for exploits targeting a wide range of technology products, particularly ones made in the West. 

The competition, named Matrix Cup, is being described as “the Eastern hemisphere’s top cybersecurity competition”. Set to take place on June 26-28, Matrix Cup is sponsored by Chinese cybersecurity firm Qihoo 360 and Beijing Huayun’an Information Technology.  

Organizers are offering a total of 20 million yuan ($2.75 million) to participants, including 18 million yuan ($2.5 million) for zero-day exploits. 

The list of targets includes the Windows, Linux and macOS operating systems; Samsung Galaxy, Google Pixel, iPhone and several China-made smartphone brands; enterprise products from Microsoft, Zimbra, F5 and Citrix; networking devices from Cisco, Juniper Networks, Sonicwall and Linksys; NAS devices from WD, Synology and QNAP; and cybersecurity products from Fortinet, Checkpoint, Cisco, Ivanti (Pulse Secure), and Kaspersky.

Targets also include databases such as MariaDB, SQL Server, MySQL, and Oracle Database; enterprise tools such as Adobe Reader, Microsoft Teams, Zoom and Microsoft Office; the Chrome, Firefox, Edge and Safari web browsers; VMware, QEMU, Docker, Microsoft and Oracle virtualization technologies; an HP multi-functional printer; and the Hadoop data storage and processing framework.

Organizers say the goal is to address the cybersecurity challenges posed by new technologies, lower the level of risk, and improve the security of products. No information appears to be provided on the Chinese-language website set up for Matrix Cup on whether the demonstrated vulnerabilities will be reported to the affected vendors. 

Chinese hacking competitions often compare themselves to the North America-based Pwn2Own, which every year pays out significant amounts of money for software, IoT, ICS and automotive exploits. At the latest Pwn2Own, participants earned a total of $1.1 million for their work.

One of the most well known Chinese hacking contests is the Tianfu Cup. At the 2021 event, participants earned a total of $1.9 million for iOS, Chrome, Windows, VMware and other types of exploits. Tianfu Cup took a break in 2022, and the 2023 event shifted focus to domestic products from companies such as Huawei, Xiaomi, Tencent and Qihoo 360. Little information is available on the results of the 2023 event.

Advertisement. Scroll to continue reading.

Unlike in the case of Pwn2Own, which clearly states that findings are immediately reported to impacted vendors, details are murky regarding the disclosure of Tianfu Cup exploits to vendors. Several vulnerabilities presented at Tianfu Cup are known to have been patched by vendors, albeit months after their discovery in some cases. 

Chinese law dictates that zero-day vulnerabilities found by citizens must be promptly disclosed to the government. The details of a security hole cannot be sold or provided to any third-party, apart from the product’s manufacturer. The cybersecurity industry has raised concerns that the law will help the Chinese government stockpile zero-days. 

Indeed, one year after the law came into effect, Microsoft said it had contributed to a zero-day exploit surge. Threat actors believed to be sponsored by the Chinese government regularly leverage zero-day vulnerabilities in their attacks, including against the US government and affiliated entities. 

Related: US-China Competition to Field Military Drone Swarms Could Fuel Global Arms Race

Related: ArcaneDoor Espionage Campaign Targeting Cisco Firewalls Linked to China

Related Content

Cybercrime

A Zambian court has sentenced 22 Chinese nationals to long prison terms for cybercrimes that included internet fraud and online scams targeting Zambians and...

Cybercrime

The US government has announced sanctions against three Chinese nationals accused of creating and operating the 911 S5 proxy botnet.

Nation-State

Unfading Sea Haze has been targeting military and government entities in South China Sea countries since 2018.

Artificial Intelligence

China’s official Xinhua news agency said the two sides would take up issues including the technological risks of AI and global governance.

Data Breaches

The UK Ministry of Defense said a breach at a third-party payroll system exposed as many as 272,000 armed forces personnel and veterans.

ICS/OT

As cyber threats grow more sophisticated, America cannot afford complacency. The time for decisive action and enhanced cyber resilience is now.

Nation-State

MITRE has shared more details on the recent hack, including the new malware involved in the attack and a timeline of the attacker’s activities.

Network Security

While China-linked Muddling Meerkat’s operations look like DNS DDoS attacks, it seems unlikely that denial of service is their goal, at least in the...

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version