Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Zero-Day Exploits Earn Hackers Over $500K at Chinese Competition

White hat hackers have earned $545,000 for successfully demonstrating zero-day exploits targeting products from VMware, Microsoft, Google, Apple, D-Link, and Adobe at the 2019 Tianfu Cup hacking competition that took place over the weekend in Chengdu, the capital of China’s Sichuan province.

White hat hackers have earned $545,000 for successfully demonstrating zero-day exploits targeting products from VMware, Microsoft, Google, Apple, D-Link, and Adobe at the 2019 Tianfu Cup hacking competition that took place over the weekend in Chengdu, the capital of China’s Sichuan province.

The highest single reward, $200,000, was received by the team named 360Vulcan for a VMware exploit that allows an attacker to escape from the guest virtual machine to the host.

VMware representatives were present at the event and confirmed that the exploit was successful against its VMware vSphere ESXi product. The company says it’s investigating the security flaws that made the attack possible and is working on addressing them. After last year’s Tianfu Cup, it took VMware only a few days to patch a $100,000-worth vulnerability disclosed at the contest.

The 360Vulcan team also demonstrated attacks against Microsoft Office, Microsoft Edge, Adobe Reader, and qemu-kvm on Ubuntu. The qemu-kvm vulnerabilities earned them $80,000, Edge vulnerabilities earned them $55,000, and for the Office exploit they received $40,000.

The 360Vulcan team was declared the winner of the Tianfu Cup, earning a total of $382,500 for their exploits.

Other participants demonstrated that they can hack Chrome, Safari, D-Link routers, and Adobe Reader.

The second-place team, ddd Team, earned a total of $83,750 for exploits targeting Edge, Chrome, Adobe Reader, and D-Link routers.

TIANFU Cup 2019 results

There were nearly 30 cases where the exploits either failed or participants simply gave up on their attempt. These targeted Edge, Chrome, Safari, Adobe Reader, Oracle VirtualBox, TP-Link and D-Link routers, Windows Server 2019, VMware Workstation, and the iPhone 11 Pro.

Advertisement. Scroll to continue reading.

According to organizers, 11 teams demonstrated 20 successful exploit chains against eight products, which earned them a total of $545,000. It’s worth noting that last year’s event resulted in payouts totaling over $1 million.

Related: VMware Patches Flaws Disclosed at Pwn2Own 2019

Related: Bug Hunters Hack Samsung Galaxy S10, Xiaomi Mi9 at Pwn2Own

Related: Bug Hunters Earn $195,000 for Hacking TVs, Routers, Phones at Pwn2Own

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.