Story image

New research finds China tampering with public vulnerability data

12 Mar 2018

New research shows China back-dated and altered public vulnerability data to conceal Ministry of State Security's influence.

In November 2017 Recorded Future conducted a study to compare the publication speeds of the U.S. National Vulnerability Database (NVD) and Chinese National Vulnerability Databases (CNNVD).

NVD was found to trail CNNVD in average time between initial disclosure and database inclusion (33 days versus 13 days). Interestingly, Recorded Future also found that CNNVD is essentially a shell for the Ministry of State Security (MSS).

Just as a recap, the MSS is not just a foreign intelligence service as it also has a large and arguably more important domestic intelligence mandate. Recorded Future says recognising the importance of the domestic mission is key to understanding why MSS would manipulate data that is primarily consumed by Chinese or regional users.

Recorded Future says when they began to analyse the data deeper, anomalies started to appear.

“As we began to re-examine the data on CNNVD, and particularly the “outliers” — CVEs that NVD reported on quickly (six days or less), and that CNNVD took over twice as long as its average delay of 13 days to publish — we noticed that the publication date for the two vulnerabilities we highlighted in November had been altered. Specifically, the initial CNNVD publication dates for the two vulnerabilities had been backdated to match NVD and erase the publication lag,” the report from Recorded Future states.

After Recorded Future re-validated the publication dates for each CVE they identified as a statistical outlier, they discovered that 267 of the 268 CNNVD original publication dates had been altered since November 2017, with an average backdate of 57 days. Each date was changed post-publication to approximate or better than NVD’s publication date.

“Further, the publication dates for many outlier CVEs that were reported outside of our original date range (September 13, 2015 through September 13, 2017) but before our report was published (on November 16, 2017) were also altered in the same manner. We identified 75 new outlier vulnerabilities that were initially published between September 13 and November 16, 2017. Of those 75 CVEs, 72 vulnerabilities were backdated and the publication lags erased,” the report states.

In terms of what this means, Recorded Future believes they have uncovered a formal vulnerability evaluation and obfuscation process at CNNVD in which high-threat CVEs are evaluated for their operational utility by the MSS before publication.

This process involves CNNVD delaying public notification, patching, and remediation guidance so that the MSS could assess whether a vulnerability would be useful in their intelligence operations.

“This systemic retroactive alteration of original publication dates by CNNVD is an attempt to hide the evidence of this process, obfuscate which vulnerabilities the MSS may be utilising, and limit the methods researchers can use to anticipate Chinese APT behavior. There is no other logical explanation as to why only the initial publication dates for outlier CVEs would have been altered,” the report states.

Recorded Future says CNNVD’s manipulation of its vulnerability protection data ultimately reveals more than it conceals, which is mainly a result of the Chinese state’s all-encompassing desire for information control – after all, it has allowed a public service organisation with a transparency mandate to be run by an intelligence service with a secrecy mandate.

Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Myth-busting assumptions about identity governance - SailPoint
The identity governance space has evolved and matured over the past 10 years, changing with the world around it.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
Ensign and IronNet partner to create cyber analytics capabilities
The Singapore-based joint venture will form a Cyber Analytics Center for Excellence focused on securing regional enterprises from sophisticated cyber threats.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.