The Chinese government delays publication of critical vulnerabilities if they are being actively used in attacks by its own state-backed hackers, a new paper from Recorded Future has claimed.
The report compared the treatment of 300 CVEs by the US National Vulnerability Database (NVD) and China’s National Vulnerability Database (CNNVD).
As per the analyst’s recent report, the CNNVD largely beats the NVD to publishing details of vulnerabilities: taking just 13 days from the initial disclosure versus 33 days in the US.
Further, the CNNVD captures 90% of all vulnerabilities within 18 days, while the NVD takes 92 because it relies on voluntary submissions from vendors.
However, in those cases where the CNNVD lags, Recorded Future claimed it is because the government’s Ministry of State Security (MSS) wants to keep them quiet while Chinese APT groups do their work.
The report claimed the CNNVD — which “appears to be separate from the MSS in name only” — was first to publish flaws being actively used by Chinese government hackers in just 3% of the cases studied.
Recorded Future claimed:
“The probability that NVD would beat CNNVD to publication for this proportion of CVEs is incredibly small — less than .00001%. We believe CNNVD publication was likely delayed by the MSS because Chinese APT groups were actively exploiting those vulnerabilities.”
The report details more evidence: CVE-2017-0199 was actively being exploited by a Chinese APT group during a publication lag of 57 days after the NVD let organizations know about the threat.
Further, info on a pre-installed backdoor that sent large amounts of user data to servers in China was held back for an astonishing 236 days.
The report also revealed that in general, high threat bugs were “consistently published” anywhere from 21 to 156 days later than low-threat flaws.
Recorded Future advised firms not to rely on a single source of data for vulnerability reporting, claiming “CNNVD is typically faster to publication than NVD, but NVD usually contains better content, references, and remediation information”.