The NSA and CIA exploit leaks have thrown the spotlight on US government stockpiles of 0-day exploits — and possibly led to this week’s government declassification of the Vulnerabilities Equities Policy (VEP) process used to decide whether to disclose or retain the exploits it discovers.
There is no doubt that other nations also hold stockpiles of exploits; but there has been little public information on this. While not being a stockpile per se, Recorded Future has today published research suggesting that China delays disclosure of known critical vulnerabilities, sometimes to enable their immediate use by APT groups with probable Chinese government affiliation.
Today’s publication has spun out of earlier research demonstrating that China’s national vulnerability database (CNNVD) — which is run by the Chinese Ministry of State Security (MSS) — is generally faster at publishing vulnerability details than its U.S. equivalent, the NVD. In a few cases, however, it is considerably slower. These ‘outliers’ have now been analyzed by Recorded Future with surprising results.
The research takes a close look at two particular vulnerabilities that were, unusually, published by the U.S. NVD much sooner than by China’s CNNVD. The first is CVE-2017-0199 — the exploit used in the WannaCry and NotPetya outbreaks. Details were published by the NVD on April 12, 2017; but were not published by CNNVD until more than 50 days later (June 7, 2017). The WannaCry outbreak, generally attributed to North Korean hackers, occurred between these two dates.
However, the researchers also point to Proofpoint’s analysis of Chinese threat actors known as TA459 using the same vulnerability in the same timeframe against military and aerospace organizations in Russia and Belarus. “It is likely,” suggests Recorded Future, “that the publication lag for CVE-2017-0199 could have been affected by the MSS which wanted to buy time for the vulnerability to be exploited in its operations or on behalf of another Chinese state-sponsored actor.”
The second ‘outlier’ analyzed by the researchers concerns CVE-2016-10136 and CVE-2016-10138, two vulnerabilities in Android software developed by a company named Shanghai Adups Technology. Kryptowire researchers reported in November 2016 that these vulnerabilities amount to a backdoor in certain Android phones resulting in the transmission of text messages, contact lists, call logs, location information, and other data to a Chinese server.
Details were published by NVD in January 2017, two months after the vulnerability became public knowledge. CNNVD took another eight months before publishing a much less detailed description of the vulnerability. “The systems with these backdoors were overwhelmingly located in China, CNNVD is largely followed and consumed by Chinese businesses and citizens, and the MSS has a mission to collect domestic intelligence. While we cannot determine with certainty that the MSS was exploiting this vulnerability, we believe this is another example of likely MSS interference in the CNNVD publication process.”
In total, the researchers analyzed nearly 300 different CVEs that fell outside of the statistical norm for vulnerability reporting in China. “What we discovered,” they say, “were numerous clear examples of unexplainable behavior in vulnerability reporting by CNNVD, and cases where we believe the MSS likely have interfered to delay publication.”
This is not an example of stockpiling 0-day exploits in the same way as the NSA and the CIA have stockpiled exploits, but are indications that China sometimes delays publication of details either while it is already using the exploits, or to possibly allow for the rapid use of them.
“Our analysis of these critical statistical deviations highlights why an intelligence service should not manage the vulnerability publication process — it is impossible for an intelligence service to equally uphold the mandates for both vulnerability reporting (transparency) and intelligence operations (secrecy). Our analysis of this dataset demonstrates that in China, one mandate is typically sacrificed — that of transparency.”
This is in sharp contrast to the separation of vulnerability reporting away from the intelligence agencies in the U.S.; and the U.S. attempt this week to increase the transparency over its approach towards vulnerabilities.