Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Zero-Day Exploits Earn Hackers Over $500K at Chinese Competition

White hat hackers have earned $545,000 for successfully demonstrating zero-day exploits targeting products from VMware, Microsoft, Google, Apple, D-Link, and Adobe at the 2019 Tianfu Cup hacking competition that took place over the weekend in Chengdu, the capital of China’s Sichuan province.

White hat hackers have earned $545,000 for successfully demonstrating zero-day exploits targeting products from VMware, Microsoft, Google, Apple, D-Link, and Adobe at the 2019 Tianfu Cup hacking competition that took place over the weekend in Chengdu, the capital of China’s Sichuan province.

The highest single reward, $200,000, was received by the team named 360Vulcan for a VMware exploit that allows an attacker to escape from the guest virtual machine to the host.

VMware representatives were present at the event and confirmed that the exploit was successful against its VMware vSphere ESXi product. The company says it’s investigating the security flaws that made the attack possible and is working on addressing them. After last year’s Tianfu Cup, it took VMware only a few days to patch a $100,000-worth vulnerability disclosed at the contest.

The 360Vulcan team also demonstrated attacks against Microsoft Office, Microsoft Edge, Adobe Reader, and qemu-kvm on Ubuntu. The qemu-kvm vulnerabilities earned them $80,000, Edge vulnerabilities earned them $55,000, and for the Office exploit they received $40,000.

The 360Vulcan team was declared the winner of the Tianfu Cup, earning a total of $382,500 for their exploits.

Other participants demonstrated that they can hack Chrome, Safari, D-Link routers, and Adobe Reader.

The second-place team, ddd Team, earned a total of $83,750 for exploits targeting Edge, Chrome, Adobe Reader, and D-Link routers.

TIANFU Cup 2019 results

There were nearly 30 cases where the exploits either failed or participants simply gave up on their attempt. These targeted Edge, Chrome, Safari, Adobe Reader, Oracle VirtualBox, TP-Link and D-Link routers, Windows Server 2019, VMware Workstation, and the iPhone 11 Pro.

According to organizers, 11 teams demonstrated 20 successful exploit chains against eight products, which earned them a total of $545,000. It’s worth noting that last year’s event resulted in payouts totaling over $1 million.

Related: VMware Patches Flaws Disclosed at Pwn2Own 2019

Related: Bug Hunters Hack Samsung Galaxy S10, Xiaomi Mi9 at Pwn2Own

Related: Bug Hunters Earn $195,000 for Hacking TVs, Routers, Phones at Pwn2Own

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.