The first year of a Chinese law requiring mandatory disclosure to the government of vulnerability reports correlates to a period of increased zero-day exploitation by Beijing-backed hackers.
That’s the conclusion from computing giant Microsoft, which says the mandatory disclosure regulation “might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them.”
The disclosure requirement took effect Sept. 1, 2021, as part of a larger Data Security Law tightening regulations around the processing of Chinese data. Vendors that discover vulnerabilities must report them to authorities within two days for inclusion in China’s National Vulnerability Database (CNNVD).
U.S. cybersecurity company Recorded Future published research in 2017 uncovering a formal process, led by the Ministry of State Security (China’s lead civilian intelligence agency), that likely evaluates reports of high-threat vulnerabilities for their operational utility before they are published in the CNNVD.
Even before the law went into effect, a Chinese hacking group that Microsoft dubbed Hafnium used four zero-day exploits to hack on-premises versions of Microsoft Exchange Server. A White House official said victims numbered about 140,000; they included infectious disease researchers, law firms, higher education institutions, defense contractors, think tanks and nongovernmental organizations. The United States and allies in July called the attacks part of a pattern of “irresponsible and destabilizing behavior in cyberspace.”
Chinese hackers later in 2021 found yet another Exchange zero-day, Microsoft says. CVE-2021-42321 emerged during the Tianfu Cup, an international cybersecurity summit and hacking competition held Oct. 16 and 17, 2021, in Chengdu, China. Less than a week later, someone had already used it in the wild.
The computing giant attributes the development and deployment of four additional zero-days to Chinese state-backed actors, as well, including a SolarWinds flaw, CVE-2021-35211; two flaws in the IT help desk software from Zoho, CVE-2021-40539 and CVE-2021-44077; and a bug in Atlassian’s Confluence Server and Data Center, CVE-2022-26134.
On average, it takes 14 days for an exploit to appear in the wild after a vulnerability’s public disclosure, Microsoft says. A proof of concept typically emerges 60 days later, and by 120 days later the vulnerability will be included in automated vulnerability scanning and exploitation tools.