Story image

New research finds China tampering with public vulnerability data

12 Mar 18

New research shows China back-dated and altered public vulnerability data to conceal Ministry of State Security's influence.

In November 2017 Recorded Future conducted a study to compare the publication speeds of the U.S. National Vulnerability Database (NVD) and Chinese National Vulnerability Databases (CNNVD).

NVD was found to trail CNNVD in average time between initial disclosure and database inclusion (33 days versus 13 days). Interestingly, Recorded Future also found that CNNVD is essentially a shell for the Ministry of State Security (MSS).

Just as a recap, the MSS is not just a foreign intelligence service as it also has a large and arguably more important domestic intelligence mandate. Recorded Future says recognising the importance of the domestic mission is key to understanding why MSS would manipulate data that is primarily consumed by Chinese or regional users.

Recorded Future says when they began to analyse the data deeper, anomalies started to appear.

“As we began to re-examine the data on CNNVD, and particularly the “outliers” — CVEs that NVD reported on quickly (six days or less), and that CNNVD took over twice as long as its average delay of 13 days to publish — we noticed that the publication date for the two vulnerabilities we highlighted in November had been altered. Specifically, the initial CNNVD publication dates for the two vulnerabilities had been backdated to match NVD and erase the publication lag,” the report from Recorded Future states.

After Recorded Future re-validated the publication dates for each CVE they identified as a statistical outlier, they discovered that 267 of the 268 CNNVD original publication dates had been altered since November 2017, with an average backdate of 57 days. Each date was changed post-publication to approximate or better than NVD’s publication date.

“Further, the publication dates for many outlier CVEs that were reported outside of our original date range (September 13, 2015 through September 13, 2017) but before our report was published (on November 16, 2017) were also altered in the same manner. We identified 75 new outlier vulnerabilities that were initially published between September 13 and November 16, 2017. Of those 75 CVEs, 72 vulnerabilities were backdated and the publication lags erased,” the report states.

In terms of what this means, Recorded Future believes they have uncovered a formal vulnerability evaluation and obfuscation process at CNNVD in which high-threat CVEs are evaluated for their operational utility by the MSS before publication.

This process involves CNNVD delaying public notification, patching, and remediation guidance so that the MSS could assess whether a vulnerability would be useful in their intelligence operations.

“This systemic retroactive alteration of original publication dates by CNNVD is an attempt to hide the evidence of this process, obfuscate which vulnerabilities the MSS may be utilising, and limit the methods researchers can use to anticipate Chinese APT behavior. There is no other logical explanation as to why only the initial publication dates for outlier CVEs would have been altered,” the report states.

Recorded Future says CNNVD’s manipulation of its vulnerability protection data ultimately reveals more than it conceals, which is mainly a result of the Chinese state’s all-encompassing desire for information control – after all, it has allowed a public service organisation with a transparency mandate to be run by an intelligence service with a secrecy mandate.

McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
Forcepoint and Chillisoft - “a powerful combination”
Following Chillisoft’s portfolio expansion by signing on Forcepoint, the companies’ execs explain how this is a match made in cybersecurity heaven.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.
Google Cloud, Palo Alto Networks extend partnership
Google Cloud and Palo Alto Networks have extended their partnership to include more security features and customer support for all major public clouds.
Using blockchain to ensure regulatory compliance
“Data privacy regulations such as the GDPR require you to put better safeguards in place to protect customer data, and to prove you’ve done it."
A10 aims to secure Kubernetes container environments
The solution aims to provide teams deploying microservices applications with an automated way to integrate enterprise-grade security with comprehensive application visibility and analytics.