China Likely Stores and Uses Zero-Day Vulnerabilities: Microsoft Notices Increase in Cyber Attacks as Law Requires Vulnerabilities to be Reported to Beijing


Microsoft has claimed that China’s offensive cyber capabilities have improved, thanks to a law that allowed Beijing to create an arsenal of unreported software vulnerabilities. China’s 2021 law requires organizations to report security flaws to local authorities before disclosing them to any other entity. The rules mean Beijing can draw on domestic security research to gather information about vulnerabilities. A year later, Atlantic Council researchers found a decrease in vulnerabilities reported from China and an increase in anonymous reports.

On February 23, 2022, the world of cyber security entered a new era, the era of hybrid warfare, when Russia launched physical and digital attacks against Ukraine. This year’s Microsoft Digital Defense Report provides new details about these attacks and the rise in cyber aggression from authoritarian leaders around the world.

Over the past year, cyberattacks targeting critical infrastructure rose from 20% of all nation-state attacks detected by Microsoft to 40%. This increase was largely due to Russia’s goal of damaging Ukrainian infrastructure and aggressive espionage targeting Ukraine’s allies, including the United States. Russia has also stepped up its efforts to compromise IT companies in order to disrupt, or obtain intelligence from, the government agencies that are customers of those companies in NATO member states. 90% of the Russian attacks detected by Microsoft over the past year targeted NATO member countries, and 48% of these attacks targeted IT companies based in NATO countries.

Russia was not alone in linking political and physical aggression to cyber attacks. Microsoft noted that:

  • Iranian actors have stepped up their bold attacks following a presidential transition. They have launched destructive attacks targeting Israel, as well as ransomware and hack-and-leak operations beyond regional adversaries to target US and European victims, including US critical infrastructure targets such as port authorities. In at least one case, Microsoft detected an attack disguised as ransomware that was designed to delete Israeli data. In another, an Iranian actor carried out an attack that set off emergency missile sirens in Israel.
  • As North Korea entered its most aggressive period of missile testing in the first half of 2022, one of its actors launched a series of attacks to steal technology from aerospace companies and researchers around the world. Another North Korean actor attempted to gain access to global news media reporting on the country and to Christian groups. A third actor continued its often unsuccessful attempts to break into cryptocurrency companies to steal funds to prop up the country’s struggling economy.
  • China has stepped up its cyber espionage and information theft attacks as it seeks to exert greater regional influence in Southeast Asia and counter growing US interest. In February and March, a Chinese actor targeted 100 accounts associated with a prominent intergovernmental organization in Southeast Asia when the organization announced a meeting between the US government and regional leaders. Just after China and the Solomon Islands signed a military agreement, Microsoft discovered malware from a Chinese actor on Solomon Islands government systems. China has also used its cyber capabilities in campaigns targeting countries in the Global South, including Namibia, Mauritius and Trinidad and Tobago, among others.

Microsoft’s 2022 Digital Defense Report, released last Friday, claims that Chinese law may allow the Chinese government to weaponize vulnerabilities.

The increased use of zero-days over the past year by China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and an important milestone in the use of zero-day exploits as a state priority, Microsoft said.

Quote posted by Microsoft:

Many attacks from China are driven by its ability to find and compile zero-day vulnerabilities — single, unpatched bugs in software previously unknown to the security community. China’s collection of these vulnerabilities appears to have grown in the wake of a new law requiring entities in China to report vulnerabilities they discover to the government before sharing them with others.

While it is tempting to focus on nation-state attacks as the most interesting cyber activity of the past year, it would be a mistake to overlook other threats, especially cybercrime, which affect more users in the digital ecosystem than the activity of nation-states.

The company described China-based and China-supported malware actors as particularly adept at discovering and developing zero-day exploits.

Microsoft has listed several vulnerabilities that it says were first exploited by Chinese actors before being discovered and adopted by other attackers. These vulnerabilities include CVE-2021-35211 (SolarWinds Serv-U), CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus), CVE-2021-44077 (Zoho ManageEngine ServiceDesk Plus), CVE-2021-42321 (Microsoft Exchange), and an Atlassian Confluence vulnerability whose CVE identifier is garbled in the source text.

According to Microsoft, China has stepped up its cyber espionage and information theft attacks to counter US attempts to increase its influence in Southeast Asia.

Microsoft has detailed several examples of known large-scale campaigns linked to various Chinese state-sponsored threat actors:

  • the targeting of 100 accounts associated with a major Southeast Asian intergovernmental organization by Gallium as the organization announced meetings between the US government and regional leaders;
  • Gadolinium malware on Solomon Islands government systems and Radium malicious code in Papua New Guinea’s telecommunications network, both likely for intelligence-gathering purposes as the Solomon Islands and China concluded a military agreement;
  • campaigns targeting countries in the Global South under its Belt and Road Initiative, including Namibia, Mauritius and Trinidad and Tobago, among others, as China sees countries such as Trinidad and Tobago as important partners in the region.

The 114-page report details other tactics, such as China’s participation in foreign propaganda operations alongside Russia and Iran.

Microsoft attributes to Russia the increase in cyber attacks targeting critical infrastructure, from 20% of all nation-state attacks it detected in 2021 to 40% in 2022, with most of these attacks stemming from Russia’s relentless targeting of Ukraine. Iran has also responded to deteriorating geopolitical relations by launching campaigns against US port authorities, in addition to attacks on Israel and the European Union. Meanwhile, North Korea continued to steal cryptocurrency from financial and technology companies while launching attacks on aerospace companies and scientists. The Hermit Kingdom has also attempted to gain access to global news media.

Other report findings

Cybercriminals continue to behave like sophisticated for-profit companies

Cybercrime continues to rise as the industrialization of the cybercrime economy lowers the skill barrier to entry by providing greater access to tools and infrastructure. In the last year alone, the estimated number of password attacks per second increased by 74%. Many of these attacks fueled ransomware attacks, and ransom demands more than doubled as a result. However, these attacks were not distributed equally across all regions. In North America and Europe, Microsoft saw a decrease in the total number of ransomware cases reported to its response teams compared to 2021. At the same time, cases reported in Latin America increased. Microsoft has also seen a steady year-over-year increase in phishing emails. While Covid-19 themes were less prevalent than in 2020, the war in Ukraine became a new phishing lure starting in early March 2022. Microsoft researchers observed a staggering increase in emails impersonating legitimate organizations that solicited cryptocurrency donations in Bitcoin and Ethereum, allegedly to support Ukraine.

Foreign actors use highly effective techniques, which often mirror cyberattacks, to spread propaganda that erodes trust and shapes public opinion, both nationally and internationally.

Influence operations are a new section of Microsoft’s report this year, reflecting its new investments in analytics and data science to combat this threat. Microsoft observed how Russia worked hard to convince its own citizens and the citizens of many other countries that its invasion of Ukraine was justified, while sowing propaganda to discredit Covid-19 vaccines in the West and promoting their effectiveness at home. Microsoft also observed a growing overlap between these operations and cyber attacks.

In particular, influence operations use a well-known three-step approach:

  • Cyber influence operations pre-plant false stories in the public domain, just as attackers pre-plant malware in an organization’s computer network.
  • A coordinated campaign is launched, often at the most advantageous time for the actor’s goals, to spread the stories through state-sponsored and state-influenced media and social networks.
  • Nation-state controlled media and proxies amplify narratives within targeted audiences.

Source: Microsoft report

And you?

How do you read this situation?
Are you surprised to discover that Chinese law can be used to store and use security vulnerabilities for its own purposes?
