China Might Be Hoarding and Deploying Undisclosed Vulnerabilities, Microsoft Says

A recent Microsoft report claims that China might have improved its cybersecurity capabilities by keeping quiet after finding vulnerabilities and allowing government entities to weaponize them.

Last year, China adopted a series of laws requiring software and hardware makers and network operators to report any security vulnerability to local authorities before telling anyone else.

“China’s vulnerability reporting regulation went into effect September 2021, marking a first in the world for a government to require the reporting of vulnerabilities into a government authority for review prior to the vulnerability being shared with the product or service owner,” according to Microsoft.

Although the government said the regulations were to enhance cybersecurity defenses, experts believe that gatekeeping undisclosed vulnerabilities could have paved the way for their weaponization by China-based threat actors.

“While we observe many nation state actors developing exploits from unknown vulnerabilities, China-based nation state threat actors are particularly proficient at discovering and developing zero-day exploits,” reads Microsoft’s 2022 Digital Defense Report. “The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority.”

In its detailed report, the company highlighted several vulnerabilities allegedly discovered and exploited by China-based perpetrators before they were disclosed, including:

• CVE-2021-35211 SolarWinds Serv-U
• CVE-2021-40539 Zoho ManageEngine ADSelfService Plus
• CVE-2021-44077 Zoho ManageEngineServiceDesk Plus
• CVE-2021-42321 Microsoft Exchange
• CVE-2022-26134 Confluence

It also described some of the most notorious malicious campaigns linked to China-backed actors, including:

• RADIUM attacks against “an energy company and an energy-associated government agency in Vietnam, and an Indonesian government agency”
• GALLIUM APT group compromising over 100 accounts associated with a Southeast Asian intergovernmental organization (IGO)
• Solomon Islands government systems being infected with GADOLINIUM malware
• RADIUM infecting Papua New Guinea telecommunications company systems with malicious code

Specialized software such as Bitdefender Ultimate Security can protect you against zero-day exploits and other types of cyberthreats with its comprehensive list of features, which includes:

• 24/7 all-around protection against viruses, worms, Trojans, rootkits, ransomware, zero-day exploits, spyware, and other digital threats
• Network threat prevention technology that detects and blocks suspicious network-level activities, including botnet-related URLs, brute force attacks, and state-of-the-art exploits
• Behavioral detection module that thoroughly scans active apps and takes instant action upon detecting suspicious activity
• Vulnerability assessment component that scans your system for potential security hazards and indicates the best way to fix them