The 2021 Tianfu Cup, China’s largest hacking competition, was successfully completed last weekend, replicating the success of the Pwn2Own tournament. These tournaments announce targets a few months in advance and award prize dollars for specific hacking successes. A number of commonly used systems such as Windows 10, Ubuntu 20, and iOS 15 were hacked by Chinese security researchers using newly developed zero-day vulnerabilities demonstrated publicly for the first time during the tournament. These included a zero interaction RCE vulnerability in iOS 15 as well as a two-step arbitrary remote code execution in Google Chrome.
Analyst Notes
The proliferation of contests such as Pwn2Own and Tianfu Cup demonstrate that with financial incentive, security researchers will find new, undisclosed, or publicly unknown zero-day vulnerabilities. This means that network perimeter security, while an important component of risk management and mitigation, cannot be the primary means of mitigating risk from advanced threats. Due to the increase in for-sale solutions and affiliate partnerships among the black-hat criminal underground, financially motivated groups have greater access than ever before to advanced techniques or code that fully weaponizes new vulnerabilities. Therefore, a robust and comprehensive program that focuses on post-exploitation detection, including both systematic threat hunting and comprehensive Managed Detection and Response (MDR), is necessary in today’s threat environment for organizations at risk.
https://therecord.media/windows-10-ios-15-ubuntu-chrome-fall-at-chinas-tianfu-hacking-contest/
