Story image

New research finds China tampering with public vulnerability data

12 Mar 2018

New research shows China back-dated and altered public vulnerability data to conceal Ministry of State Security's influence.

In November 2017 Recorded Future conducted a study to compare the publication speeds of the U.S. National Vulnerability Database (NVD) and Chinese National Vulnerability Databases (CNNVD).

NVD was found to trail CNNVD in average time between initial disclosure and database inclusion (33 days versus 13 days). Interestingly, Recorded Future also found that CNNVD is essentially a shell for the Ministry of State Security (MSS).

Just as a recap, the MSS is not just a foreign intelligence service as it also has a large and arguably more important domestic intelligence mandate. Recorded Future says recognising the importance of the domestic mission is key to understanding why MSS would manipulate data that is primarily consumed by Chinese or regional users.

Recorded Future says when they began to analyse the data deeper, anomalies started to appear.

“As we began to re-examine the data on CNNVD, and particularly the “outliers” — CVEs that NVD reported on quickly (six days or less), and that CNNVD took over twice as long as its average delay of 13 days to publish — we noticed that the publication date for the two vulnerabilities we highlighted in November had been altered. Specifically, the initial CNNVD publication dates for the two vulnerabilities had been backdated to match NVD and erase the publication lag,” the report from Recorded Future states.

After Recorded Future re-validated the publication dates for each CVE they identified as a statistical outlier, they discovered that 267 of the 268 CNNVD original publication dates had been altered since November 2017, with an average backdate of 57 days. Each date was changed post-publication to approximate or better than NVD’s publication date.

“Further, the publication dates for many outlier CVEs that were reported outside of our original date range (September 13, 2015 through September 13, 2017) but before our report was published (on November 16, 2017) were also altered in the same manner. We identified 75 new outlier vulnerabilities that were initially published between September 13 and November 16, 2017. Of those 75 CVEs, 72 vulnerabilities were backdated and the publication lags erased,” the report states.

In terms of what this means, Recorded Future believes they have uncovered a formal vulnerability evaluation and obfuscation process at CNNVD in which high-threat CVEs are evaluated for their operational utility by the MSS before publication.

This process involves CNNVD delaying public notification, patching, and remediation guidance so that the MSS could assess whether a vulnerability would be useful in their intelligence operations.

“This systemic retroactive alteration of original publication dates by CNNVD is an attempt to hide the evidence of this process, obfuscate which vulnerabilities the MSS may be utilising, and limit the methods researchers can use to anticipate Chinese APT behavior. There is no other logical explanation as to why only the initial publication dates for outlier CVEs would have been altered,” the report states.

Recorded Future says CNNVD’s manipulation of its vulnerability protection data ultimately reveals more than it conceals, which is mainly a result of the Chinese state’s all-encompassing desire for information control – after all, it has allowed a public service organisation with a transparency mandate to be run by an intelligence service with a secrecy mandate.

Salesforce continues to stumble after critical outage
“To all of our Salesforce customers, please be aware that we are experiencing a major issue with our service and apologise for the impact it is having on you."
D-Link hooks up with Alexa and Assistant with new smart camera
The new camera is designed for outdoor use within a wireless smart home network.
Slack users urged to update to prevent security vulnerability
Businesses that use popular messaging platform Slack are being urged to update their Slack for Windows to version 3.4.0 immediately.
Secureworks Magic Quadrant Leader for Security Services
This is the 11th time Secureworks has been positioned as a Leader in the Gartner Magic Quadrant for Managed Security Services, Worldwide.
Google puts Huawei on the Android naughty list
Google has apparently suspended Huawei’s licence to use the full Android platform, according to media reports.
Using data science to improve threat prevention
With a large amount of good quality data and strong algorithms, companies can develop highly effective protective measures.
General staff don’t get tech jargon - expert says time to ditch it
There's a serious gap between IT pros and general staff, and this expert says it's on the people in IT to bridge it.
ZombieLoad: Another batch of flaws affect Intel chips
“This flaw can be weaponised in highly targeted attacks that would normally require system-wide privileges or a complete subversion of the operating system."