Tianfu Cup Round-Up: Safari, Chrome, D-Link Routers and Office 365 Successfully Hacked

White-hat hackers using never-before-seen zero days against popular applications and devices against competed at two-day gathering in Chengdu.

Hackers over the weekend successfully compromised widely used software and hardware–including browsers Safari and Chrome, D-Link routers and the Office 365 suite–using zero-day vulnerabilities at the annual Tianfu Cup gathering.

The hacking competition, held in Chengdu, China, is very similar to Pwn2Own, the bi-annual international hacking contest. For two days—Nov. 16 and 17–white-hat hackers compete at the Tianfu Cup to test their skills against popular software and hardware.

However, the contest in China is not an international one. It’s focused solely on Chinese security experts, who used to take part—often with great success–in international competitions until they were prohibited in 2018 by the Chinese government from doing so.

The key aim of the Tianfu Cup is for hackers to take over apps or devices using vulnerabilities that haven’t been seen before.

Competitors—who also compete on the speed with which they can take down systems—can win not only cash prizes, but also earn bragging rights that come with being victorious at a well-respected hacking contest.

Some of the world’s top software and devices proved vulnerable to new zero-day exploits at the event, according to the Twitter feed dedicated to the contest as well as published reports.

On day one of the competition, teams of hackers successfully used exploits against a number of popular browsers as well as other applications. Organizers said that hackers achieved the following: three hacks against the older version of Microsoft Edge based on EdgeHTML; two hacks against Google Chrome; one hack against Safari; one hack against Microsoft Office 365; and two hacks against Adobe PDF Reader.

Hackers that day also successfully used three exploits to break into and take control of D-Link’s DIR-878 router, as well as compromised qemu-kvm running on Ubuntu.

On day two, four more hacking teams also demonstrated a successful break-in of the D-Link DIR-878 router, while two more teams came out on top again over Adobe PDF Reader, according to organizers.

The big winner of that day, however, was one of the two successful exploits against VMWare that were achieved. Team 360Vulcan hacker @xiaowei won $200,000—the largest bounty of the event—for his hack, organizers said.

Not all the attempts to exploit new zero-day vulnerabilities were successful, however–particularly on day two, organizers acknowledged. Hackers had to give up on eight of 16 hacking attempts that didn’t go as planned that day.

Team 360Vulcan went on to win the event and take home a total of $382,500 for showing off various successful exploits. The team is comprised of well-known hackers who previously won Pwn2Own and are notorious for their skills and persistent activity, one security researcher Tweeted.

“I’m not at all surprised to see 360Vulcan has an exploit in every category,” Twitter user thaddeus e. grugq commented. “They are a large team with a lot of skilled people. Also, they always dominate by quantity in pwn contests, they go after everything.”

Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand Threatpost webinar, “Trends in Fortune 1000 Breach Exposure” to hear advice from breach expert Chip Witt of SpyCloud. Click here to register.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.