Story image

New research finds China tampering with public vulnerability data

12 Mar 2018

New research shows China back-dated and altered public vulnerability data to conceal Ministry of State Security's influence.

In November 2017 Recorded Future conducted a study to compare the publication speeds of the U.S. National Vulnerability Database (NVD) and Chinese National Vulnerability Databases (CNNVD).

NVD was found to trail CNNVD in average time between initial disclosure and database inclusion (33 days versus 13 days). Interestingly, Recorded Future also found that CNNVD is essentially a shell for the Ministry of State Security (MSS).

Just as a recap, the MSS is not just a foreign intelligence service as it also has a large and arguably more important domestic intelligence mandate. Recorded Future says recognising the importance of the domestic mission is key to understanding why MSS would manipulate data that is primarily consumed by Chinese or regional users.

Recorded Future says when they began to analyse the data deeper, anomalies started to appear.

“As we began to re-examine the data on CNNVD, and particularly the “outliers” — CVEs that NVD reported on quickly (six days or less), and that CNNVD took over twice as long as its average delay of 13 days to publish — we noticed that the publication date for the two vulnerabilities we highlighted in November had been altered. Specifically, the initial CNNVD publication dates for the two vulnerabilities had been backdated to match NVD and erase the publication lag,” the report from Recorded Future states.

After Recorded Future re-validated the publication dates for each CVE they identified as a statistical outlier, they discovered that 267 of the 268 CNNVD original publication dates had been altered since November 2017, with an average backdate of 57 days. Each date was changed post-publication to approximate or better than NVD’s publication date.

“Further, the publication dates for many outlier CVEs that were reported outside of our original date range (September 13, 2015 through September 13, 2017) but before our report was published (on November 16, 2017) were also altered in the same manner. We identified 75 new outlier vulnerabilities that were initially published between September 13 and November 16, 2017. Of those 75 CVEs, 72 vulnerabilities were backdated and the publication lags erased,” the report states.

In terms of what this means, Recorded Future believes they have uncovered a formal vulnerability evaluation and obfuscation process at CNNVD in which high-threat CVEs are evaluated for their operational utility by the MSS before publication.

This process involves CNNVD delaying public notification, patching, and remediation guidance so that the MSS could assess whether a vulnerability would be useful in their intelligence operations.

“This systemic retroactive alteration of original publication dates by CNNVD is an attempt to hide the evidence of this process, obfuscate which vulnerabilities the MSS may be utilising, and limit the methods researchers can use to anticipate Chinese APT behavior. There is no other logical explanation as to why only the initial publication dates for outlier CVEs would have been altered,” the report states.

Recorded Future says CNNVD’s manipulation of its vulnerability protection data ultimately reveals more than it conceals, which is mainly a result of the Chinese state’s all-encompassing desire for information control – after all, it has allowed a public service organisation with a transparency mandate to be run by an intelligence service with a secrecy mandate.

Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.
IBM X-Force Red & Qualys introduce automated patching
IBM X-Force Red and Qualys are declaring a war on unpatched systems, and they believe automation is the answer.
Micro Focus acquires Interset to improve predictive analytics
Interset utilises user and entity behavioural analytics (UEBA) and machine learning to give security professionals what they need to execute threat detection analysis.
Raising the stakes: McAfee’s predictions for cybersecurity
Security teams and solutions will have to contend with synergistic threats, increasingly backed by artificial intelligence to avoid detection.