During the weekend of 16-17 October, Chinese hackers went on something of a rampage that saw all but three of the 15 target products breached during the exploit onslaught that was the Tianfu Cup. This annual competition, held in Chengdu, in Sichuan province, has been the go-to for China’s elite hackers since they were banned from participating in similar competitive hacking events outside of the country. The biggest and best known of these, Pwn2Own, is due to take place in Austin, Texas, 2-5 November, and I will be reporting on that next weekend when the results are known.
In the meantime, what of the massive Tianfu Cup cybersecurity onslaught? Well, I’ve already reported how the iPhone 13 Pro, running a fully patched (at the time) version of iOS 15.0.2, was breached not once but twice. The zero-day vulnerabilities, exploited by the Kunlun Lab and Team Pangu in a matter of seconds on the day, saw a remote code execution attack and the first iOS 15 jailbreak.
As well as the attacks on Apple iOS and Safari, there were a whole host of other victims. These included Microsoft, which saw five successful exploits involving the Windows 10 operating system and one impacting Microsoft Exchange, and Google, which saw Chrome succumb twice. But the list is far from over: Adobe PDF, the Asus AX56U router, Docker CE, Parallels VM, QEMU VM, Ubuntu 20, VMware ESXi and Workstation were also successfully hacked.
Full details of the vulnerabilities exploited, and the exploits themselves, will filter into the public domain in the coming months. Meanwhile, full disclosure of the security flaws will already have been made to all the affected vendors.
The security industry hacking competition debate
“The first thing to note is the in-group, out-group divide here,” says Sam Curry, the chief security officer at Cybereason. Curry told me that there’s a sense that China has the “critical mass and doesn’t need to collaborate to innovate in hacking,” in what he called a kind of U.S. versus them situation. Curry sees the Tianfu Cup, with the months of preparation that lead up to the almost theatrical on-stage reveal, as a show of force. “This is the cyber equivalent of flying planes over Taiwan,” he says, adding the positive being that the exploits will be disclosed to the vendors.
There are, of course, lots of positives about a hacking competition, such as the Tianfu Cup or Pwn2Own. “The security researchers involved in these schemes can be an addition to existing security teams and provide additional eyes on an organisation’s products,” George Papamargaritis, the managed security service director at Obrela Security Industries, says, “meaning bugs will be unearthed and disclosed before cybercriminals get a chance to discover them and exploit them maliciously.” Indeed, in terms of event style, Kristina Balaam, a senior security intelligence engineer at Lookout says, there’s not much difference between the two. “Both give hackers relative free rein over the products they’re attempting to exploit,” Balaam told me, “and the cash prizes can rival some of the most popular professional sporting events.”
But, of course, with any hacking competition that relies on discovering zero-days, rather than on an emulated environment like capture-the-flag events, “there’s the risk of a participant either selling or exploiting the vulnerabilities they have found outside the confines of the competition,” she adds. It is assumed to be a given, therefore, that the hackers taking part will not disclose their exploits and the vulnerabilities used until the vendors have had adequate time to issue a fix. “This kind of etiquette is known as responsible disclosure, or more recently coordinated disclosure,” Jonathan Knudsen, a senior security strategist at the Synopsys Software Integrity Group, explains. “When it works, it is a beautiful dance,” he says.
Dancing to a different vulnerability disclosure beat?
But what if someone is dancing to a different beat? Following the 2019 Tianfu Cup, Apple blogged that an attack had impacted iOS over a period of a couple of months. An MIT Technology Review article suggested this was “the period beginning immediately after” the Tianfu Cup event “and stretching until Apple issued the fix.” That article went on to suggest that “virtually overnight, Chinese intelligence used it as a weapon against a besieged minority ethnic group.” This, then, raises the question of whether the Tianfu Cup, in particular, can be seen as a net gain or whether, on balance, it is a negative thing.
Suppose there are strict guidelines for such events that vulnerabilities must not be disclosed until after successful mitigation by the vendor. In that case, they are a good thing, according to Balaam. “That’s where the Tianfu Cup proves a bit more concerning,” she says. “China implemented a law on 1 September 2021 that would require any Chinese citizen to disclose a zero-day vulnerability they have found to the government,” Balaam explains, adding that they are also required “not to sell or give any details about the vulnerability to any third-party actor.” This, Balaam agrees, is good and would prevent sales to mercenary malware developers if followed.
However, she warns that it also means “the Chinese government could stockpile a significant number of zero-days against widely used products in other regions and have access to the knowledge required to exploit these products before they’re successfully patched.”
Jake Williams, the co-founder of BreachQuest, doesn’t think it’s clear that events such as these increase the risk that Chinese state threat actors exploit vulnerabilities before disclosure. “Researchers do often retain vulnerabilities they’ve discovered in order to use them in competitions like these,” he says, adding, “but it’s important to consider the reason they stockpile vulnerabilities for competitions rather than disclosing them immediately to impacted vendors.” Simply put, the competitions pay, while vendors typically do not, according to Williams. “Even when vendors have implemented bug bounties, these usually pay pennies on the dollar compared to prizes won at competitions,” he says, “if vendors dislike the vulnerability competition ecosystem, they have the power to disrupt its market economics.”
Williams concludes that “we shouldn’t be concerned about the Tianfu Cup any more than any other vulnerability competition,” instead, he says, “we should refocus that concern on the fact that vendor disclosure programs encourage competitions like the Tianfu Cup.”
Which vendors have already released Tianfu Cup security fixes?
I reached out to all the vendors whose products fell to exploits during the Tianfu Cup weekend, requesting a statement regarding patching timelines for the vulnerabilities concerned. Unfortunately, the response has, if I’m honest, been very disappointing indeed.
A Microsoft spokesperson told me that “all vulnerabilities reported as part of the contest are disclosed responsibly and confidentially. Solutions to verified security issues that meet our criteria for immediate servicing are normally released via our monthly Update Tuesday cadence.” So, without Microsoft confirming as much specifically, there is some hope that patches for the Windows 10 and Microsoft Exchange vulnerabilities will arrive on Tuesday, 9 November.
Google didn’t provide a statement but did confirm, for background purposes, that it will roll out any patches required once issues are investigated thoroughly. However, according to Google’s security blog, it would appear that the two vulnerabilities exploited during the Tianfu Cup have been fixed in Chrome 95.0.4638.69, which started rolling out on Thursday, 28 October.
Those two are CVE-2021-38001, a type confusion vulnerability in V8 reported by @s0rrymybad of Kunlun Lab via Tianfu Cup, and CVE-2021-38002, a use-after-free vulnerability in WebTransport reported by @__R0ng of 360 Alpha Lab via Tianfu Cup. They were among the biggest money-earners at the competition, with $150,000 being awarded for each.
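Since Chrome 95.0.4638.69 is the only fixed build the article can point to, the practical check is whether a given installed Chrome is at or above that version. The following is an added example, not code from the article or from Google: it compares four-component Chrome version strings numerically (a plain string comparison would rank a trailing ".9" above ".69") and flags hosts in an inventory that still need the update for CVE-2021-38001 and CVE-2021-38002. The hostnames and installed versions in the inventory are constructed for the example.

```python
"""Flag Chrome installs that predate the build which, per Google's security
blog as cited in the article, fixed CVE-2021-38001 and CVE-2021-38002.
Inventory data below is constructed for this example."""
from typing import List, Tuple

# Fixed build named in the article; the CVEs it addresses.
FIXED_CHROME_VERSION = "95.0.4638.69"
FIXED_CVES = ("CVE-2021-38001", "CVE-2021-38002")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '95.0.4638.69' into (95, 0, 4638, 69).

    Rejects anything that is not dot-separated integers, so a malformed
    agent report cannot silently compare as 'patched'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_CHROME_VERSION) -> bool:
    """True when installed >= fixed, compared component by component.

    Shorter version tuples are right-padded with zeros so that '96'
    compares as '96.0.0.0' rather than failing on tuple length."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


# Constructed inventory: (hostname, Chrome version reported by the endpoint).
INVENTORY = [
    ("ws-finance-01", "95.0.4638.69"),   # exactly the fixed build
    ("ws-finance-02", "95.0.4638.54"),   # older 95 build, still exposed
    ("ws-design-07", "96.0.4664.45"),    # newer major, fine
    ("ws-design-09", "94.0.4606.81"),    # older major, still exposed
    ("ws-lab-03", "95.0.4638.9"),        # string compare would get this wrong
]


def hosts_needing_update(inventory=INVENTORY) -> List[str]:
    """Return hostnames whose Chrome is below the fixed build."""
    return [host for host, version in inventory if not is_patched(version)]


if __name__ == "__main__":
    exposed = hosts_needing_update()
    print(f"Hosts still exposed to {', '.join(FIXED_CVES)}:")
    for host in exposed:
        print(f"  {host}")
```

The same comparison works for any vendor that publishes a fixed version number; only `FIXED_CHROME_VERSION` and the CVE labels change. What this check cannot tell you is whether a running Chrome process has actually restarted onto the updated binary, which is a separate item on the rollout list.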
The only other vendor that responded to my request for more information at the time of publication was Red Hat, regarding a vulnerability in the QEMU VM. Unfortunately, the Red Hat security team had nothing that could be shared with me.
I will, of course, update this article if and when I hear anything from the remaining vendors, which are Adobe, Apple, Asus, Canonical, Docker, Parallels and VMware. In the meantime, my advice is to keep an eye out for security updates and apply them as soon as you can if you are a user of Adobe PDF, Apple iOS and Safari, the Asus AX56U router, Docker CE, Microsoft Exchange and Windows 10, Parallels VM, QEMU VM, Ubuntu 20 or VMware ESXi and Workstation.