Microsoft’s 2022 Digital Defense Report, released last Friday, reports some troubling information.
They argue that the connectedness of the modern economy and workforce, as well as the number of diverse threats, necessitates the existence of a comprehensive report that empowers customers to anticipate attacks. Microsoft writes, “That is why we share our unique insights on how the digital threat landscape is evolving and the crucial actions that can be taken now to manage the risks.”
In a brief overview, the report says it was compiled from 43 trillion data signals and draws on the expertise and insight of more than 8,500 security and intelligence experts. It also claims to have contributed to the blocking of 70 billion threats and the removal of 10,000 harmful domains.
Needless to say, this report is authoritative and serious.
It’s worrisome that this report asserts a Chinese law “might” be enabling the Chinese government to weaponize vulnerabilities.
The law to which the report refers is China’s 2021 law requiring organizations to report security vulnerabilities to local authorities before disclosing them to any other entity. The rule essentially means that Beijing can use local research to hoard vulnerability information.
This report follows in-depth research from the Atlantic Council that found there was a decrease in reported vulnerabilities coming from China – and an increase in anonymous reports.
“The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority,” said Microsoft.
The company described China-based and -backed threat actors as “particularly proficient” when it comes to discovering and developing zero-day exploits.
Microsoft listed several vulnerabilities it said were first developed and deployed by Chinese actors before they were discovered and adopted by other attackers. Those vulnerabilities include CVE-2021-35211 (SolarWinds Serv-U), CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus), CVE-2021-44077 (Zoho ManageEngine ServiceDesk Plus), CVE-2021-42321 (Microsoft Exchange), and CVE-2022-26134 (Confluence).
According to Microsoft, China stepped up its espionage and information-stealing cyberattacks in order to counter the USA’s attempts to increase its influence in Southeast Asia.
Microsoft detailed multiple examples of major known campaigns linked to various Chinese state-sponsored threat actors. These include Gallium’s targeting of 100 accounts affiliated with a prominent Southeast Asian intergovernmental organization (just as the organization announced meetings between the US government and regional leaders), and campaigns targeting nations across the global South in line with China’s Belt and Road Initiative.
The 114-page report details other tactics – such as China’s participation in foreign propaganda operations, alongside Russia and Iran.
Also of note, Microsoft credited Russia with driving an increase in the share of nation-state attacks aimed at critical infrastructure, from 20 percent of all nation-state attacks it detected in 2021 to 40 percent in 2022, with most of those attacks stemming from Russia’s relentless targeting of Ukraine.