China delayed flaw notification to exploit them: researchers

By on
China delayed flaw notification to exploit them: researchers
CNNVD page with backdated details on a Microsoft Office vulnerability exploited in the wild. Source: Recorded Future.

Flaws backdated in national database.

Security researchers claim China's Ministry of State Security delayed public notification and patch guidance for a number of vulnerabilities so they could be exploited by state hackers.

Researchers at security vendor Recorded Future compared how China's national vulnerability database (CNNVD) published information about IT threats with its United States equivalent.

They found that the Chinese government had altered the original publication dates for at least 267 vulnerabilities to make it appear they had been published earlier than they actually were.

The researchers claim this indicates the government had delayed publication in order to evaluate the flaws for internal use by the Ministry of State Security (MSS), China's foreign and national intelligence service.

Original publication dates were also altered so as to hide which vulnerabilities the MSS might be using at any given time, Recorded Future claims.

There was "no other logical explanation" for the "systemic retroactive alteration of original publication dates", the researchers argued, but did not provide proof for this assertion.

"The selective backdating of vulnerability publication for the outliers is essentially a tacit confirmation from CNNVD of their vulnerability evaluation program and the operational use of some delayed vulnerabilities," they said.

"Changing the dates after publication prevents researchers from conducting bulk historical analysis of CVE publication and from identifying vulnerabilities which the MSS or Chinese intelligence services may be exploiting in operations."

They did however find direct evidence that initial CNNVD publication dates for vulnerabilties were backdated, in one case by 236 days, to match those of the US NVD.

They cited two particular CVEs that had been backdated: the CVE-2017-0199 vulnerability against Microsoft Office and Windows Wordpad, and CVE-2016-10136, which exfiltrates large amounts of data from Android phones sold in China and the United States.

Recorded Future conducted an initial study of CNNVD last November to assess how quickly details of vulnerabilities were published.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
china cve recorded future security
In Partnership With

Most Read Articles

Telstra blocks 2.9m scam calls in one month

Telstra blocks 2.9m scam calls in one month
CBA primes app for $10bn welfare payments clawback

CBA primes app for $10bn welfare payments clawback
Gallery: The epic four-day Antarctic trek to maintain ONE IoT device

Gallery: The epic four-day Antarctic trek to maintain ONE IoT device
ANZ prototypes 21 new apps in three-day open banking sprint

ANZ prototypes 21 new apps in three-day open banking sprint
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Is your AWS framework well-architected?
Is your AWS framework well-architected?
Why you should reassess your cybersecurity posture
Why you should reassess your cybersecurity posture
How will you manage the cloud data deluge?
How will you manage the cloud data deluge?
Follow these steps to prevent targeted attacks
Follow these steps to prevent targeted attacks
Your mobile devices may not be secure – learn how to fix that
Your mobile devices may not be secure – learn how to fix that

Events

Log In

Username / Email:
Password:
  |  Forgot your password?