China delays notification of software holes targeted in state hacks

China is doing a better job finding and disclosing information on software security holes…except when those vulnerabilities are high risk and might be used in targeted attacks. That, according to a report out Thursday by the firm Recorded Future.

Disclosure of vulnerabilities associated with malicious software used by China-affiliated advanced persistent threat (APT) groups was delayed considerably compared to disclosure of the same holes in the U.S. National Vulnerability Database (NVD). However, vulnerabilities that were not used in offensive cyber operations were more likely to be disclosed on China’s national vulnerability database (CNNVD) before or at the same time as disclosure on the US NVD.

China’s government appears to be suppressing information on serious, exploitable security vulnerabilities in software, a study by Recorded Future found.

“High-threat vulnerabilities were consistently published substantially later (anywhere from 21 to 156 days later) than Low-threat vulnerabilities,” Recorded Future found. In fact, NVD beat CNNVD in publishing information on 97 percent of the vulnerabilities commonly exploited by malware linked to Chinese APT groups. Statistically, the probability that NVD would beat CNNVD to publication for that big a share of CVEs is incredibly small — less than .00001 percent, Recorded Future said.

Their conclusion? “We believe CNNVD publication was likely delayed by the (Chinese Ministry of State Security) because Chinese APT groups were actively exploiting those vulnerabilities.”

The report follows research from the same firm in October that found China’s CNNVD was generally disclosing new software holes before its US counterpart. That study found that CNNVD is on average about 3 weeks faster to disclose vulnerabilities compared to the U.S. (13 days vs. 33 days). The reason was that China aggregates vulnerability information from across the web rather than waiting for voluntary submission by vendors, as the US NVD does. Compared with CNNVD, almost 1,800 known CVEs were missing from the U.S. database, Recorded Future found.

Upon deeper examination, however, Recorded Future noted inconsistencies in the overall pattern of China disclosing vulnerabilities first. Namely: for the subset of critical and exploitable security holes, 44 in all, CNNVD lags far behind its western counterparts. “Even though CNNVD beats NVD to publication 43 percent of the time, for vulnerabilities exploited by malware linked to Chinese APT groups, CNNVD was first to publish for only three percent of those,” Recorded Future found. Further: CNNVD takes much longer to publish vulnerabilities with high CVSS scores – a measure of the ease with which they can be exploited – than it does to publish vulnerabilities with low CVSS scores, even though there is no difference in the amount of published context. That suggests that CNNVD might have a different reporting and evaluation process for high-threat vulnerabilities.

Recorded Future focused on vulnerabilities where the pattern of disclosure by NVD and CNNVD diverged. Specifically, out of the 17,940 vulnerabilities Recorded Future studied that were publicly disclosed and then incorporated by both NVD and CNNVD between September 13, 2015 and September 13, 2017, 268 vulnerabilities (or approximately 1.5 percent) took less than six days for NVD to publish and longer than 28 days for CNNVD to publish. Of those, nearly 43 percent had a Common Vulnerability Scoring System (CVSS) severity rating of High, while 45 percent had a Medium CVSS rating, and 12 percent were Low. Most of the delayed vulnerabilities (74 percent) were published by CNNVD 28 to 50 days after the initial disclosure of the bug; however, 11 percent were published in 51 to 91 days, and 15 percent took over 120 days to publish, Recorded Future found.
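As an added illustration (not code from Recorded Future's report or from this article), the following Python reproduces the two calculations the analysis rests on: selecting CVEs whose NVD and CNNVD publication lags diverge under the criteria just described, bucketing the CNNVD delay into the bands the report uses, and the binomial probability of NVD beating CNNVD in nearly all of a set of races given its overall base rate. The CVE ids and dates are constructed, and the 57 percent base rate and the 43-of-44 win count are assumptions derived from the percentages quoted above.

```python
"""Added example: NVD/CNNVD lag filtering and a binomial check on the
"NVD first 97 percent of the time" claim. All records are constructed."""
from datetime import date
from math import comb

# Constructed sample: (cve_id, public disclosure, NVD publish, CNNVD publish, CVSS band)
SAMPLE = [
    ("CVE-0000-0001", date(2016, 3, 1), date(2016, 3, 3), date(2016, 5, 20), "High"),
    ("CVE-0000-0002", date(2016, 3, 1), date(2016, 3, 2), date(2016, 3, 9), "Medium"),
    ("CVE-0000-0003", date(2016, 6, 10), date(2016, 6, 14), date(2016, 7, 15), "High"),
    ("CVE-0000-0004", date(2016, 6, 10), date(2016, 6, 30), date(2016, 8, 1), "Low"),
]


def divergent(records):
    """Keep records NVD published in under six days after disclosure but
    CNNVD took more than 28 days to publish (the report's selection rule).
    Returns (cve_id, cnnvd_lag_days, cvss_band) tuples."""
    out = []
    for cve, disclosed, nvd, cnnvd, band in records:
        nvd_lag = (nvd - disclosed).days
        cnnvd_lag = (cnnvd - disclosed).days
        if nvd_lag < 6 and cnnvd_lag > 28:
            out.append((cve, cnnvd_lag, band))
    return out


def lag_bucket(cnnvd_lag_days):
    """Map a CNNVD delay onto the bands the report summarises; days that fall
    between the reported bands are labelled 'other'."""
    if 28 <= cnnvd_lag_days <= 50:
        return "28-50 days"
    if 51 <= cnnvd_lag_days <= 91:
        return "51-91 days"
    if cnnvd_lag_days > 120:
        return "over 120 days"
    return "other"


def prob_nvd_first_at_least(wins, races, p_nvd_first):
    """Binomial upper tail: probability NVD publishes first in at least
    `wins` of `races` if each race were an independent draw at NVD's base rate.
    Assumption: 1 - 0.43 = 0.57 base rate, and 43 of the 44 exploited CVEs."""
    return sum(comb(races, k) * p_nvd_first ** k * (1 - p_nvd_first) ** (races - k)
               for k in range(wins, races + 1))


if __name__ == "__main__":
    for cve, lag, band in divergent(SAMPLE):
        print(f"{cve}: CNNVD lag {lag} days ({lag_bucket(lag)}), CVSS {band}")
    print(f"P(NVD first in >=43 of 44 | p=0.57) = {prob_nvd_first_at_least(43, 44, 0.57):.2e}")
```

The tail probability comes out around six parts in ten billion, far below the "less than .00001 percent" the article cites, which is the sense in which the observed pattern is unlikely to be chance.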

The pattern around high-risk vulnerabilities with CNNVD is exactly the opposite of the US NVD, where more serious vulnerabilities have a shorter release time. On average, CNNVD takes three days longer to report a vulnerability with a High score than a Low-Medium score, Recorded Future found.

The data suggests that CNNVD, which Recorded Future concludes operates as part of China’s Ministry of State Security, may have been subsumed by that country’s intelligence services and asked to play a role in cyber operations: keeping reports of the most dangerous software holes under wraps while state-sponsored hackers exploit those holes to gain access to sensitive computers and networks. “CNNVD is essentially a shell; it has a website but appears to be separate from CNITSEC and the MSS in name only,” the report reads.

“We discovered…numerous clear examples of unexplainable behavior in vulnerability reporting by CNNVD, and cases where we believe the MSS likely have interfered to delay publication… This data points to a larger conclusion, that China has a vulnerability evaluation process in which High-threat vulnerabilities are likely evaluated for their utility in intelligence operations before publication by CNNVD.”

The report comes as the Trump Administration, on Wednesday, released the latest US government guidelines on the use of so-called “vulnerability equities,” or software holes that might be used in offensive cyber actions. That document sets up a process for reaching decisions about whether to disclose or restrict information about a vulnerability by consulting stakeholder agencies.
The White House said factors such as prevalence, reliance, and severity will be used to determine whether a particular security hole may be publicly disclosed or held back.