Story image

New research finds China tampering with public vulnerability data

12 Mar 18

New research shows China back-dated and altered public vulnerability data to conceal Ministry of State Security's influence.

In November 2017 Recorded Future conducted a study to compare the publication speeds of the U.S. National Vulnerability Database (NVD) and Chinese National Vulnerability Databases (CNNVD).

NVD was found to trail CNNVD in average time between initial disclosure and database inclusion (33 days versus 13 days). Interestingly, Recorded Future also found that CNNVD is essentially a shell for the Ministry of State Security (MSS).

Just as a recap, the MSS is not just a foreign intelligence service as it also has a large and arguably more important domestic intelligence mandate. Recorded Future says recognising the importance of the domestic mission is key to understanding why MSS would manipulate data that is primarily consumed by Chinese or regional users.

Recorded Future says when they began to analyse the data deeper, anomalies started to appear.

“As we began to re-examine the data on CNNVD, and particularly the “outliers” — CVEs that NVD reported on quickly (six days or less), and that CNNVD took over twice as long as its average delay of 13 days to publish — we noticed that the publication date for the two vulnerabilities we highlighted in November had been altered. Specifically, the initial CNNVD publication dates for the two vulnerabilities had been backdated to match NVD and erase the publication lag,” the report from Recorded Future states.

After Recorded Future re-validated the publication dates for each CVE they identified as a statistical outlier, they discovered that 267 of the 268 CNNVD original publication dates had been altered since November 2017, with an average backdate of 57 days. Each date was changed post-publication to approximate or better than NVD’s publication date.

“Further, the publication dates for many outlier CVEs that were reported outside of our original date range (September 13, 2015 through September 13, 2017) but before our report was published (on November 16, 2017) were also altered in the same manner. We identified 75 new outlier vulnerabilities that were initially published between September 13 and November 16, 2017. Of those 75 CVEs, 72 vulnerabilities were backdated and the publication lags erased,” the report states.

In terms of what this means, Recorded Future believes they have uncovered a formal vulnerability evaluation and obfuscation process at CNNVD in which high-threat CVEs are evaluated for their operational utility by the MSS before publication.

This process involves CNNVD delaying public notification, patching, and remediation guidance so that the MSS could assess whether a vulnerability would be useful in their intelligence operations.

“This systemic retroactive alteration of original publication dates by CNNVD is an attempt to hide the evidence of this process, obfuscate which vulnerabilities the MSS may be utilising, and limit the methods researchers can use to anticipate Chinese APT behavior. There is no other logical explanation as to why only the initial publication dates for outlier CVEs would have been altered,” the report states.

Recorded Future says CNNVD’s manipulation of its vulnerability protection data ultimately reveals more than it conceals, which is mainly a result of the Chinese state’s all-encompassing desire for information control – after all, it has allowed a public service organisation with a transparency mandate to be run by an intelligence service with a secrecy mandate.

ForeScout acquires OT security company SecurityMatters for US$113mil
Recent cyberattacks, such as WannaCry, NotPetya and Triton, demonstrated how vulnerable OT networks can result in significant business disruption and financial loss.
'DerpTrolling’ faces jail time for Sony DoS attacks
A United States federal court has charged a 23-year-old man for the hacks on Sony Online Entertainment and other major companies back in 2014.
Dropbox strengthens security with raft of new partnerships
Integrations will keep customer content protected and secure with tools for controlling identity access, governing data, and managing devices.
Companies swamped by critical vulnerabilities – Tenable
Research has found enterprises identify 870 unique vulnerabilities on internal systems every day, on average, with over 100 of them being critical.
Exclusive: Okta’s new GM shares its APAC strategy
“We believe that partnering with systems integrators, independent software vendors and consulting companies is a key factor of success for Okta.”
Three access management trends making waves in APAC
Consumer identity proofing, authentication, and authorisation will top the $37 billion value mark by 2023.
Combatting the rise of Cybercrime-as-a-Service
Amateur cybercriminals (or anyone with a grudge), can execute spam attacks, steal people’s identities, and more. 
ThreatQuotient partners with Visa for payments safety
“Cyber criminals are reusing tactics, techniques and procedures, leaving a recognisable trail of breadcrumbs and insights into the very attacks they are launching.”