Microsoft accuses China of abusing vulnerability disclosure requirements
- Monday, 7th November, 2022
- 10:35am
Microsoft on Friday accused state-backed hackers in China of abusing the country’s vulnerability disclosure requirements in an effort to discover and develop zero-day exploits.
In July 2021, the Cyberspace Administration of China (CAC) issued stricter rules around disclosing vulnerabilities for companies operating within its borders.
Concerns that the Chinese military would exploit vulnerabilities before reporting them more broadly were an integral part of the investigation into the handling of the widespread Log4j vulnerability. Reports emerged earlier this year that the Chinese government had sanctioned Alibaba for reporting the vulnerability to Apache first, rather than to the government.
The Homeland Security Department’s Cyber Safety Review Board spoke with the Chinese government and “did not find evidence” that China used its advanced knowledge of the weakness to exploit networks.
But in a 114-page security report released on Friday, Microsoft openly accused the Chinese government of abusing the new rules and outlined how state-aligned groups have increasingly exploited vulnerabilities globally since the rules were implemented.
“The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority,” Microsoft said.
“While we observe many nation state actors developing exploits from unknown vulnerabilities, China-based nation state threat actors are particularly proficient at discovering and developing zero-day exploits.”
Microsoft said the rules went into effect in September 2021 and marked “a first in the world for a government to require the reporting of vulnerabilities into a government authority for review prior to the vulnerability being shared with the product or service owner.”
The tech giant added that the regulation “might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them.”
https://therecord.media/microsoft-accuses-china-of-abusing-vulnerability-disclosure-requirements/