Microsoft experts say that China is stockpiling vulnerabilities for later use in cyber espionage. China's offensive cyber capabilities have improved thanks to a law that has allowed Beijing to build an arsenal of undisclosed software vulnerabilities, according to a Microsoft report.
Chinese authorities passed a law in 2021 requiring companies to report vulnerabilities to local authorities before disclosing them to any other organization.
The rules allow Beijing to use local research to gather information about vulnerabilities. A year later, researchers at the Atlantic Council found that the number of bug reports coming from China had decreased while the number of anonymous reports had increased.
Microsoft’s 2022 Digital Security Report argues that the law “may allow the Chinese government to weaponize vulnerabilities”.
Microsoft said the increase in the use of zero-day exploits by Chinese entities over the past year likely reflects China's requirement that vulnerabilities be disclosed by the Chinese security community, and marks an important step in treating zero-day exploits as a government priority.
The company described attackers based in and backed by China as "particularly skilled" at discovering and developing zero-day exploits. Microsoft listed several vulnerabilities that were first exploited by Chinese attackers before they were discovered and exploited by other cybercriminals. These include:
- CVE-2021-35211 (SolarWinds Serv-U);
- CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus);
- CVE-2021-44077 (Zoho ManageEngine ServiceDesk Plus);
- CVE-2021-42321 (Microsoft Exchange);
- CVE-2022-26134 (Confluence).
China has ramped up espionage and information-stealing cyberattacks to counter US attempts to increase American influence in Southeast Asia, according to Microsoft. The 114-page report details several of China's major attacks, including propaganda campaigns.