
Microsoft says Chinese APTs used the most zero-days last year

Although all APT groups use zero-day vulnerabilities as part of their attack kill chains, Microsoft said in its yearly Digital Defense Report last week that it spotted Chinese threat actors using an increased number of zero-days over the past year.

Microsoft believes this sudden spike in zero-day exploits from Chinese threat actors comes as a direct result of a new law passed by the Chinese government last year.

Passed in July 2021 and in effect since September 2021, this new law requires all Chinese security researchers to report new vulnerabilities they find to a state security agency.

Faced with criticism at the time it passed the law, the Chinese government said it only wanted to maintain an accurate index of vulnerabilities and make sure local companies don’t dodge responsibility for failing to patch vulnerabilities in time and leaving Chinese users and government networks exposed to attacks.

But the new law also contains several generically worded clauses that could be interpreted to suggest that the Chinese government was setting up a secret process through which its offensive cyber units could pilfer and suppress the work of the infosec community for the country’s espionage operations.

While no solid evidence has been found so far to support these theories, Microsoft appears to be sold on this narrative in its latest report.

“This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them. The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority.”

The company listed five zero-days in its report as possible examples of abuse: two in Zoho ManageEngine (CVE-2021-40539 and CVE-2021-44077), and one each in SolarWinds Serv-U (CVE-2021-35211), Atlassian Confluence (CVE-2022-26134), and Microsoft Exchange (CVE-2021-42321).

Were exploits for these zero-days developed by Chinese APTs after they were reported through China’s in-house vulnerability disclosure rules? Possibly. Maybe. Who knows.

Has the same software been repeatedly plagued by major vulnerabilities and zero-day exploits over the past years? Yes! Oh, God, yes!

Maybe that’s a more accurate assessment. You can’t blame Chinese APTs for looking at what everyone else is looking at. Are they getting a little help from the state’s mandatory disclosure law? We’re not convinced so far. China has a huge cybersecurity scene, so there’s no need to “steal” someone’s bug report when you can just as easily buy it from a private contractor who is also going to keep their mouth shut.

In the meantime, please enjoy Microsoft’s latest APT names chart. You’re gonna need it if you wanna decipher any of the company’s APT reports and attributions.

[Chart: Sample of nation state actors and their activities]

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children.
