China's Ministry of State Security

China caught pushing Vulnerability Reporting Delays down the Memory Hole

China is attempting to cover up inexplicable delays in public reporting of high-risk software security holes by changing the dates of vulnerability-publication to its national vulnerability database so they match those in the U.S. database, according to new research by Recorded Future.

In November, a previous report from the firm discovered that China is finding and disclosing information on software security holes faster than the United States–except when those vulnerabilities are high risk and might be used in targeted attacks.

Now Recorded Future has discovered that China National Vulnerability Database (CNNVD) altered the original publication dates for at least 267 vulnerabilities in its research published in November 2017. The firm said it expects the changes were made to conceal evidence it revealed in its previous report.

The finding is just the latest red flag Recorded Future has raised in connection with CNNVD, which is managed by China’s Ministry of State Security (MSS).

“CNNVD takes longer to publish high threat vulnerabilities than low threat vulnerabilities,” Priscilla Moriuchi, the director of strategic threat development at Recorded Future told Security Ledger. “That’s the opposite of (US based) NVD. CNNVD is also slower to publish vulnerabilities with known exploits. NVD is generally fast in that category as well. These all were adding up for us and making the case that (The Ministry of State Security) was interfering in this process.”

China's Ministry of State Security
China’s Ministry of State Security is in charge of the country’s national vulnerability database, CNNVD -an arrangement that is producing problems with accuracy and transparency.

China’s National Vulnerability Database has a website but appears to be separate from the MSS in name only, the firm said in previous research. MSS is akin to the US Central Intelligence Agency. Unlike the CIA, however, MSS is not just a foreign intelligence service, but it also has a large, and arguably more important domestic intelligence mandate.

“Recognizing the importance of the domestic mission is key to understanding why the MSS would manipulate data that is primarily consumed by Chinese or regional users,” according to Recorded Future.

In other words, China is in no hurry to publish information about serious vulnerabilities because it wants to give MSS time to evaluate how the government might use them in offensive cyber operations. “CNNVD’s outright manipulation of these dates implicitly confirmed this assessment,” the firm said.

Covering its tracks

Now it seems China also is trying to cover its tracks and hide its intent. The dates changed in the CNNVD were for vulnerabilities Recorded Future identified in its November research as “statistical outliers”–critical vulnerabilities that the U.S. NVD had reported on quickly (in six days or less) and the CNNVD took more than twice as long as its average of 13 days to report.

Recorded Future analysts first noticed the discrepancies between publication dates in two Microsoft Office security holes identified as outliers in its November report.

“Specifically, the initial CNNVD publication dates for the two vulnerabilities had been backdated to match NVD and erase the publication lag,” the firm said in its report. Screenshots of the vulnerabilities records from November and February, respectively, are provided in the report, highlighting the date alteration.

“Both sets of screenshots show that the original publication date for each CVE (Common Vulnerability and Exposure) was altered sometime between October 24, 2017, and February 13, 2018 to reflect a date closer to NVD’s publication date,” according to Recorded Future.

The firm dug deeper and re-validated publication dates for each CVE identified in the November report as one that was reported later than average in the CNNVD. It found that 267 of the 268 CNNVD original publication dates had been altered since November 17. Moreover, each date was changed post-publication to approximate or beat publication date in the U.S. vulnerability database, the firm said.

Recorded Future published a complete list of the altered CVEs online.

“What we found was that CNNVD had changed the publication date to hide the publication lag,” Moriuchi said.”This would hide the evidence of (Ministry of State Security) influence and any other processes that would create the publication lag in the first place and it would limit the methods we were using and any other organizations would use to anticipate Chinese APT behavior.”

China didn’t just change dates for CVEs examined in Recorded Future’s November report. The firm identified 74 new outlier vulnerabilities, published between September 13 and November 16, 71 of which “were backdated and the publication lags erased,” researchers said.

“Essentially they manipulated their own data to get rid of the data leakage that was giving people information – possibly- about their operations,” Moriuchi said.

Liability, compliance ramifications

In addition to the worrisome potential for exploitation of vulnerabilities by China, there are other reasons the results of the most recent report are troubling.

From a public service and transparency perspective, there could be larger liability issues for companies and institutions that rely solely on CNNVD data, researchers said.

“If a company is victimized by an exploit for a vulnerability during the altered period of time, unless they kept a historical record of all CNNVD initial report dates, they could face questions about why they did not remediate a vulnerability for which they did not know about,” according to the Recorded Future report.

Additionally, China recently instituted a Cybersecurity Law (CSL) mandating that companies operating in China adopt a “tiered system of network security protections,” researchers said. The law allows the state to hold companies both legally and financially responsible for what officials deem a “network security incident.”

In light of the activity uncovered by Recorded Future, for a  foreign multinational company to comply with all the provisions of the CSL could mean that it may at the same time violate Western laws or regulations against cooperating with Chinese security and intelligence services.

Moriuchi said that the US National Vulnerability Database can help combat the data cleansing operation by keeping track of the date of publication on CNNVD and not allowing it to change even as CNNVD scrubs its data. However, CNNVD could counter by posting back-dated alerts, which could be harder to track without a concentrated effort to capture particular instances of the CNNVD data at certain points of time.

Moriuchi said that the more worrying issue is China’s willingness to cloud or distort information to serve its ends. After all, vulnerabilities published on the US NVD or China’s CNNVD have already been publicly disclosed. That means they are unlike so-called vulnerability “equities”:  undisclosed software vulnerabilities that state intelligence agencies discover (or purchase) and may keep secret for use in offensive cyber operations.

“Why would China want to manipulate this information that is already in the public domain?” Moriuchi asks. “That gets to the mission of the MSS. It’s rough equivalent is the CIA, but foreign intelligence is only half the mission. The other half is the domestic control and monitoring mandate. And this fits right in within that half of their mandate. which is controlling the information environment in China and tracking its citizens. To us, this is more of an example of how they’re trying to leverage their own information to control the information environment in China rather than to control foreigners of the international community.”

Paul Roberts contributed to this story.