Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

China Likely Amasses 0-Days Via Vulnerability Disclosure Law

Microsoft Finds Increased Use of Zero-Days by Chinese Hackers Over Past Year
China Likely Amasses 0-Days Via Vulnerability Disclosure Law
Image: Christian Lue/Pixabay

The first year of a Chinese law requiring mandatory disclosure to the government of vulnerability reports correlates to a period of increased zero-day exploitation by Beijing-backed hackers.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

That's the conclusion from computing giant Microsoft, which says the mandatory disclosure regulation "might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them."

The disclosure requirement took effect Sept. 1, 2021, as part of a larger Data Security Law tightening regulations around the processing of Chinese data. Vendors that discover vulnerabilities must report them to authorities within two days for inclusion in China's National Vulnerability Database.

U.S. cybersecurity company Recorded Future published research in 2017 uncovering a formal process led by lead civilian intelligence agency the Ministry of State Security that likely evaluates reports of high threat vulnerability for their operational utility before publication in the CNNVD.

Even before the law went into effect, a Chinese hacking group that Microsoft dubbed Hafnium used four zero-day exploits to hack on-premises versions of Microsoft Exchange Server. A White House official said victims numbered about 140,000; they included infectious disease researchers, law firms, higher education institutions, defense contractors, think tanks and nongovernmental organizations. The United States and allies in July called the attacks part of a pattern of "irresponsible and destabilizing behavior in cyberspace."

Chinese hackers later in 2021 found yet another Exchange zero-day, Microsoft says. CVE-2021-42321 emerged during the Tianfu Cup, an international cybersecurity summit and hacking competition held Oct. 16 and 17, 2021, in Chengdu, China. Less than a week later, someone had already used it in the wild.

The computing giant attributes the development and deployment of four additional zero-days to Chinese state-backed actors, as well, including a SolarWinds flaw, CVE-2021-35211; two flaws in the IT help desk software from Zoho, CVE-2021-40539 and CVE-2021-44077; and a bug in Atlassian's Confluence Server and Data Center, CVE-2022-26134.

On average, it takes 14 days for an exploit to appear in the wild after a vulnerability's public disclosure, Microsoft says. Sixty days later is typically when a proof of concept emerges and by 120 days later, the vulnerability will be included in automated vulnerability and exploitation tools.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.