A prize pool of $2.5 million is being offered at an upcoming Chinese hacking contest for exploits targeting a wide range of technology products, particularly ones made in the West.
The competition, named Matrix Cup, is being described as “the Eastern hemisphere’s top cybersecurity competition”. Set to take place on June 26-28, Matrix Cup is sponsored by Chinese cybersecurity firm Qihoo 360 and Beijing Huayun’an Information Technology.
Organizers are offering a total of 20 million yuan ($2.75 million) to participants, including 18 million yuan ($2.5 million) for zero-day exploits.
The list of targets includes the Windows, Linux and macOS operating systems; Samsung Galaxy, Google Pixel, iPhone and several China-made smartphone brands; enterprise products from Microsoft, Zimbra, F5 and Citrix; networking devices from Cisco, Juniper Networks, Sonicwall and Linksys; NAS devices from WD, Synology and QNAP; and cybersecurity products from Fortinet, Checkpoint, Cisco, Ivanti (Pulse Secure), and Kaspersky.
Targets also include databases such as MariaDB, SQL Server, MySQL, and Oracle Database; enterprise tools such as Adobe Reader, Microsoft Teams, Zoom and Microsoft Office; the Chrome, Firefox, Edge and Safari web browsers; VMware, QEMU, Docker, Microsoft and Oracle virtualization technologies; an HP multi-functional printer; and the Hadoop data storage and processing framework.
Organizers say the goal is to address the cybersecurity challenges posed by new technologies, lower the level of risk, and improve the security of products. No information appears to be provided on the Chinese-language website set up for Matrix Cup on whether the demonstrated vulnerabilities will be reported to the affected vendors.
Chinese hacking competitions often compare themselves to the North America-based Pwn2Own, which every year pays out significant amounts of money for software, IoT, ICS and automotive exploits. At the latest Pwn2Own, participants earned a total of $1.1 million for their work.
One of the most well known Chinese hacking contests is the Tianfu Cup. At the 2021 event, participants earned a total of $1.9 million for iOS, Chrome, Windows, VMware and other types of exploits. Tianfu Cup took a break in 2022, and the 2023 event shifted focus to domestic products from companies such as Huawei, Xiaomi, Tencent and Qihoo 360. Little information is available on the results of the 2023 event.
Unlike in the case of Pwn2Own, which clearly states that findings are immediately reported to impacted vendors, details are murky regarding the disclosure of Tianfu Cup exploits to vendors. Several vulnerabilities presented at Tianfu Cup are known to have been patched by vendors, albeit months after their discovery in some cases.
Chinese law dictates that zero-day vulnerabilities found by citizens must be promptly disclosed to the government. The details of a security hole cannot be sold or provided to any third-party, apart from the product’s manufacturer. The cybersecurity industry has raised concerns that the law will help the Chinese government stockpile zero-days.
Indeed, one year after the law came into effect, Microsoft said it had contributed to a zero-day exploit surge. Threat actors believed to be sponsored by the Chinese government regularly leverage zero-day vulnerabilities in their attacks, including against the US government and affiliated entities.
Related: US-China Competition to Field Military Drone Swarms Could Fuel Global Arms Race
Related: ArcaneDoor Espionage Campaign Targeting Cisco Firewalls Linked to China