China launches its Pwn2Own

Father

China is launching its Pwn2Own called Matrix Cup, modeled after another well-known Chinese hacking contest, the Tianfu Cup.

The new Chinese duel was quickly called "the main cybersecurity competition in the eastern hemisphere."

The prize pool for the first stage will be 20 million yuan ($2.75 million), including 18 million yuan ($2.5 million) for 0-day exploits.

It will be held on June 26-28 in Qingdao, organized by Qihoo 360 and Beijing Huayun'an Information Technology.

The target list includes Chinese and Western products, as well as artificial intelligence algorithms.

Among them: Windows, Linux and macOS operating systems, Samsung Galaxy devices, Google Pixel, iPhone and other Chinese brands, corporate products from Microsoft, Zimbra, F5 and Citrix, network devices from Cisco, Juniper Networks, Sonicwall and Linksys, NAS devices from WD, Synology and QNAP, as well as security solutions from Fortinet, Checkpoint, Cisco, Ivanti, and Kaspersky.

In addition, MariaDB, SQL Server, MySQL, and Oracle Database products, Adobe Reader, Microsoft Teams, Zoom, and Microsoft Office tools, Chrome, Firefox, Edge, and Safari browsers, VMware, QEMU, Docker, Microsoft, and Oracle virtualization technologies, HP printers, and the Hadoop platform are announced.

The truth about how suppliers will be informed is not mentioned on the official website, unlike the same Pwn2Own from Trend Micro.

We can only state that according to Chinese law, in any case, the Government of the People's Republic of China will be informed first of all about all 0-days.

However, in the West, the Chinese equivalent of Pwn2Own is actively criticized, accusing it of using exploits that appeared on Tianfu Cup in APT operations.

On the other hand, Western opponents have repeatedly come across the fact that the same 0-day was implemented at the development stage, and then fixed retroactively in their ballots. Microsoft won't let you lie.
 
Chinese competition promises millions of dollars for best vulnerabilities

In May 2024, the new Matrix Cup hacking competition was opened in Qingdao, Shandong Province. This large-scale event, organized by 360 Digital Security Group and Beijing Huayunan Information Technology Co. (also known as VUL.AI), became the largest cybersecurity competition in the Eastern Hemisphere.

Competition structure and objectives

The Matrix Cup includes five different challenges covering all major areas of hacking competitions: three tracks on finding vulnerabilities, one Capture-the-Flag (CTF) challenge, and one artificial intelligence (AI) challenge. The total prize pool of the contest was 18 million yuan (about 2.48 million US dollars), with additional rewards for AI and CTF challenges.

Competitive tracks

• General Products Contest: probably includes Western operating systems, browsers, network devices, and mobile devices.

• Domestic Software and Hardware Products Contest: includes Chinese operating systems, routers, and VPNs.

• The Original Vulnerability Discovery Contest is aimed at students and focuses on Chinese-made products.

Special attention is paid to developing and supporting cybersecurity talent, which is in line with China's policy of reducing dependence on foreign suppliers and increasing self-sufficiency in high-tech.

Contest results

According to the results of the competition, about 100 vulnerabilities were identified in well-known software and hardware products, including several medium- and high-risk vulnerabilities. In the general product competition, Tsinghua University's TZL team won the Best Vulnerability award for discovering a vulnerability in the virtualization management platform with the largest market share. The AAA team from Zhejiang University hacked the system core of major mobile operating systems.

Implications for China's strategy

The Matrix Cup has become an important element in China's strategy to develop offensive and defensive cyber capabilities. The competition is aimed at identifying, training and attracting the best specialists in the field of cybersecurity. The participation and success of university teams highlight the importance of the young generation of specialists for the future of the country's cybersecurity.

Conclusion

The Matrix Cup complements the growing ecosystem of hacking contests in China by providing opportunities for local security researchers. In the short term, this increases the volume of available vulnerabilities for government agencies, and in the long term, it contributes to the development of China's national cyber capabilities.

• Source: https://www.securitylab.ru/news/550529.php
 
An inside look at the ecosystem of hacking contests in China.

The Chinese Capture the Flag (CTF) competition ecosystem is considered one of the most developed in the world, uniting hundreds of teams annually. On the basis of such a system, national and industry competitions are held, which attract the attention of both students and professionals in the field of cybersecurity. Government support actively stimulates the development of such activities, which turns China into a leader in the training of cybersecurity specialists.

From 45 to 56 such competitions are held annually in the country, and 129 unique events have been identified for the entire time, 54 of which are repeated every year. Hundreds and even tens of thousands of people participate in the competition, as was the case with the Wangding Cup organized by the Ministry of Public Security, where the number of participants exceeded 35,000 people.

Competitions cover both national and industry levels, from medical and industrial competitions to competitions held by the armed forces. Government departments such as the Ministry of Education, the Cyberspace Administration of China and the Academy of Sciences play a key role in the development of competitions. Each of them supports one or more significant events at the national level, which contributes not only to the identification of talents, but also to the development of advanced technologies.

The Wangding Cup program demonstrates how competitions can become a tool for selecting specialists for government needs. The winners of such events are included in national cyber talent databases, which makes it easier to attract them to public and private structures. In addition to recruiting, the competition also serves as a platform to share knowledge and test new approaches in an environment that simulates real-world threats.

In addition to state events, private initiatives are actively developing in the country. An important element of the ecosystem is the XCTF League, Asia's largest hacker league, which annually brings together teams from all over the world, bringing together both domestic and international competitions.

Some competitions, such as RealWorldCTF, not only attract foreign participants to China, but also serve as a platform for establishing international contacts, including through private events such as GeekCon, which are held outside of China. This emphasizes the country's desire to develop international cooperation and attract foreign specialists.

Some events, such as the Zhujian Cup, are held in strict secrecy. Participants in such competitions, as a rule, are prohibited from disclosing the details of the competition, and are also obliged to remove all traces of their activities after completion. Such measures underscore the importance of competitions for national security and their possible use for intelligence purposes.

State support for such competitions is explained by China's desire to become a cyber power. The policy aimed at strengthening the talent pool and creating innovative solutions has been reflected in legislative initiatives in recent years. In particular, since 2018, a policy has been in place that regulates participation in international esports competitions and stimulates events within the country. This policy also requires participants to report vulnerabilities to government agencies, which strengthens control over information security.

China can become a benchmark for other countries. While a direct copy of the Chinese model is unlikely to be effective for a particular country, developed countries should consider the importance of such activities for training specialists and promoting innovation in the field of cybersecurity.
