Recorded Future says move designed to hide fact that CNNVD routinely delays publication of high-risk flaws so government can assess them for offensive use.
The operators of China's National Vulnerability Database (CNNVD) appear to be systematically delaying publishing information on certain high-threat vulnerabilities so the country's Ministry of State (MSS) can assess them for use in intelligence operations.
That's the assessment of threat-intelligence vendor Recorded Future based on its analysis of some recent changes to the CNNVD.
According to Recorded Future, CNNVD has altered the original publication dates for as many 267 vulnerabilities in the database to make it appear like the information was published weeks before it actually was.
Recorded Future
published research last November saying the CNNVD had a policy of delaying publication of certain high value vulnerabilities while the MSS evaluated them for their potential operational utility. The vulnerability publication date changes seem to have been made after this first research was published.
As one example, Recorded Future pointed to a Microsoft Office bug (CVE-2017-0199) that CNNVD did not publish until 57 days after the US National Vulnerability Database (NVD) had published it. During the publication lag, a Chinese APT group actively exploited the vulnerability, Recorded Future said. In another instance, CNNVD took 236 to publish details on a vulnerability that was used to send what Recorded Future described as vast amounts of user data to servers in China in a likely government surveillance operation.
....
....
....
