Over the weekend of October 16-17, Chinese hackers embarked on a sort of rampage that saw all but three target products compromised in the Tianfu Cup exploit competition. This annual competition, held in Chengdu, Sichuan Province, has been a must-see for China’s elite hackers since they were banned from participating in similar competitive hacking events outside the country. The biggest and best-known of these, Pwn2Own, is set to take place in Austin, Texas, November 2-5, and I will report back next weekend when the results are known.
In the meantime, what about the massive Tianfu Cup cybersecurity attack? Well, I have already reported how the iPhone 13 Pro, running a fully patched (at the time) version of iOS 15.0.2, was breached not once but twice. The zero-day vulnerabilities, exploited by Kunlun Lab and Team Pangu within seconds on the day, saw a remote code execution attack and the first iOS 15 jailbreak.
In addition to the attacks on Apple iOS and Safari, there have been a host of other casualties. These include Microsoft, which has seen five successful exploits involving the Windows 10 operating system and one impacting Microsoft Exchange, and Google, which has seen Chrome fall twice. But the list is far from over: Adobe PDF, the Asus AX56U router, Docker CE, Parallels VM, QEMU VM, Ubuntu 20, and VMware ESXi and Workstation have also been successfully hacked.
Full details of the vulnerabilities exploited, and the exploits themselves, will be made public in the coming months. Meanwhile, the security vulnerabilities were reportedly disclosed in full to all affected vendors immediately.
The debate over hacking competition in the security industry
“The first thing to note is the division within and outside the group here,” says Sam Curry, security manager at Cybereason. Curry told me that there is a feeling that China has the “critical mass and does not need to collaborate to innovate in hacking” in what he called a sort of us-against-them situation. Curry sees the Tianfu Cup, with the months of preparation leading up to the almost theatrical stage reveal, as a show of strength. “It’s the cyber equivalent of flying planes over Taiwan,” he said, adding that the good thing is that the exploits will be disclosed to the vendors.
There are, of course, a lot of positives about a hacking competition like the Tianfu Cup or Pwn2Own. “Security researchers involved in these programs can be an addition to existing security teams and provide additional eyes to an organization’s products,” said George Papamargaritis, director of managed security services at Obrela Security Industries, “which means that bugs will be discovered and disclosed before cybercriminals have the opportunity to discover them and maliciously exploit them.” Indeed, in terms of event style, according to Kristina Balaam, senior security intelligence engineer at Lookout, there isn’t much of a difference between the two. “Both give hackers relative freedom over the products they attempt to exploit,” Balaam told me, “and the cash prizes can rival some of the more popular professional sporting events.”
But, of course, with any hacking competition that relies on zero-day discovery rather than on an emulated environment like capture-the-flag events, “there is the risk that a participant will sell or exploit the vulnerabilities that it found outside the bounds of competition,” she adds. “… release a fix.” This type of etiquette is known as responsible disclosure, or more recently coordinated disclosure, says Jonathan Knudsen, senior security strategist at Synopsys Software Integrity Group. “When it works, it’s a beautiful dance,” he says.
Dance to a different beat for the disclosure of vulnerabilities?
But what if someone dances to a different beat? After the 2019 Tianfu Cup, Apple wrote on its blog that an attack impacted iOS over a period of a few months. An MIT Technology Review article suggested that this was “the period beginning immediately after the Tianfu Cup event and extending until Apple releases the patch.” This article went on to suggest that “almost overnight Chinese intelligence used it as a weapon against a besieged ethnic minority group.” That raises the question of whether the Tianfu Cup, in particular, can be seen as a net gain or whether, overall, it is a negative thing.
If there are strict guidelines for such events that vulnerabilities should only be disclosed after successful mitigation by the vendor, then they are a good thing, according to Balaam. “This is where the Tianfu Cup is a little more worrying,” she said. “China implemented a law on September 1, 2021 that would require any Chinese citizen to disclose a zero-day vulnerability that they discovered to the government,” Balaam explains, adding that they are also required “not to sell or give details of the vulnerability to any third party.” This, Balaam agrees, is good and would prevent sales to mercenary malware developers if followed.
However, she warns that this also means that “the Chinese government could stockpile a significant number of zero-days against products that are widely used in other regions and have access to the knowledge to exploit those products before they are properly patched.”
Jake Williams, the co-founder of BreachQuest, doesn’t think it’s clear that such events increase the risk that Chinese state threat actors will exploit vulnerabilities before disclosing them. “Researchers often withhold vulnerabilities they have discovered in order to use them in competitions like these,” he says, adding, “but it’s important to consider why they store vulnerabilities for competitions instead of disclosing them immediately to the vendors concerned.” Put simply, competitions pay, while vendors typically don’t, according to Williams. “Even when vendors have bug bounties in place, these typically pay pennies on the dollar against prizes won in competitions,” he says, “though vendors don’t like the vulnerability competition ecosystem, they have the power to disrupt its market economy.”
Williams concludes that “we shouldn’t be concerned about the Tianfu Cup more than any other vulnerability competition,” adding, “we should refocus this concern on the fact that vendor disclosure programs encourage competitions like the Tianfu Cup.”
Which vendors have already released security patches for the Tianfu Cup?
I contacted all vendors whose products failed during the Tianfu Cup weekend, requesting a statement regarding the patch deadlines for the affected vulnerabilities. Unfortunately, if I am being honest, the response has been very disappointing.
A Microsoft spokesperson told me that “All vulnerabilities reported in the competition are disclosed responsibly and confidentially. Solutions to verified security issues that meet our criteria for immediate service are normally released through our monthly Update Tuesday cadence.” So, without confirming it specifically, there is some hope that fixes for the vulnerabilities in Windows 10 and Microsoft Exchange will arrive on Tuesday, November 9.
Google has not provided a statement, but has confirmed on background that it will roll out any necessary fixes once the issues are thoroughly investigated. However, according to Google’s security blog, it appears that the two vulnerabilities exploited during the Tianfu Cup have been fixed in Chrome 95.0.4638.69, the rollout of which began on Thursday, October 28.
They are CVE-2021-38001, a type confusion vulnerability in V8 reported by @s0rrymybad of Kunlun Lab via Tianfu Cup, and CVE-2021-38001, a use-after-free vulnerability in Web Transport reported by @__R0ng of 360 Alpha Lab via Tianfu Cup. These were among the highest earners in the competition, with $150,000 awarded for each.
The only other vendor that responded to my request for more information at the time of publication was Red Hat, regarding a vulnerability in the QEMU virtual machine. Unfortunately, Red Hat security had nothing that could be shared with me.
I will of course update this article if and when I hear something from the remaining vendors, namely Adobe, Apple, Asus, Canonical, Docker, Parallels and VMware. In the meantime, my advice is to keep an eye out for security updates and apply them as soon as possible if you use Adobe PDF, Apple iOS or Safari, an Asus AX56U router, Docker CE, Microsoft Exchange or Windows 10, Parallels VM, QEMU VM, Ubuntu 20, or VMware ESXi or Workstation.