Although APT groups use zero-day vulnerabilities as part of their attack kill-chains, in its yearly Digital Defense Report last week, Microsoft said it spotted Chinese threat actors using an increased number of zero-days over the past year.
Microsoft believes this sudden spike in zero-day exploits from Chinese threat actors comes as a direct result of a new law passed by the Chinese government last year.
Passed in July 2021 and entered into effect in September 2021, this new law requires that all Chinese security researchers report new vulnerabilities they find to a state security agency.
Faced with criticism at the time it passed the law, the Chinese government said it only wanted to maintain an accurate index of vulnerabilities and make sure local companies don’t dodge responsibility for failing to patch vulnerabilities in time and leaving Chinese users and government networks exposed to attacks.
But the new law also contains several generically-worded clauses that could be interpreted to suggest that the Chinese government was setting up a secret process through which its offensive cyber units could pilfer and suppress the work of the infosec community for the country’s espionage operations.
While no solid evidence has been found so far to support these theories, Microsoft appears to be sold on this narrative in its latest report.
” This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them. The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority.
The company listed five zero-days in its report as possible examples of abuse: two in Zoho ManageEngine (CVE-2021-40539 and CVE-2021-44077), and one in SolarWinds Serv-U (CVE-2021-35211), Atlassian Confluence (CVE-2022-26134), and Microsoft Exchange (CVE-2021-42321).
Were exploits for these zero-days developed by Chinese APTs after they were reported through China’s in-house vulnerability disclosure rules? Possibly. Maybe. Who knows.
Has the same software been repeatedly plagued by major vulnerabilities and zero-day exploits over the past years? Yes! Oh, God, yes!
Maybe that’s a more accurate assessment. You can’t blame Chinese APTs for looking at what everyone else is looking at. Are they getting a little help from the state’s mandatory disclosure law? We’re not convinced so far. China has a huge cybersecurity scene, so there’s no need to “steal” someone’s bug report when you can just as easily buy it from a private contractor who is also going to keep their mouth shut.
In the meantime, please enjoy Microsoft’s latest APT names chart. You’re gonna need it if you wanna decipher any of the company’s APT reports and attributions.