Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/16/2018
05:36 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Russian National Vulnerability Database Operation Raises Suspicions

Recorded Future says Russia's Federal Service for Technical and Export Control has ability to find, weaponize vulnerabilities under cover of doing technology inspections.

The official mission of the organization in charge of maintaining Russia's national vulnerability database gives it legitimate cover for inspecting foreign technologies and products for security vulnerabilities that can later be weaponized.

That's according to Recorded Future, which Monday released a report summarizing its analysis of the vulnerability disclosure practices and mission of the Federal Service for Technical and Export Control of Russia (FSTEC), the military organization responsible for BDU, the nation's official vulnerability database.

The analysis revealed that the FSTEC's extensive list of responsibilities includes the authority to test and inspect proprietary products and services for issues that could pose a risk to state and critical infrastructure security. That mission is troubling, says Priscilla Moriuchi, director of strategic threat development at Recorded Future.

"The primary threat to Western companies is from the technology licensing process," Moriuchi says. "During these inspections the Russian military could discover and operationalize vulnerabilities in proprietary products or services," she says.

The threat from having to work with the FSTEC — and by extension the Russian military — is not to the companies directly or to their intellectual property. Rather, what is concerning is the derivative risk for computer users around the world.

"Russia has demonstrated during at least two incidents in the past year a willingness to exploit western technologies, companies, and accesses in an attempt to obtain the information or communications of their customers," Moriuchi says.

The two incidents are the April targeting of network devices and the more recent attacks involving VPNFilter. "The [national vulnerability] database provides a legitimate cover under which the Russian government can demand reviews of foreign technologies and products," she notes.

Recorded Future performed a similar analysis of China's vulnerability disclosure practices last November. The report concluded that China's Ministry of State Security likely influences security vulnerability disclosures in the country especially in the case of high-value security flaws that could be used for surveillance and other offensive purposes.

Russia's FSTEC publishes only about 10% of the vulnerabilities it knows about and that too about 50 days after the data has been published in the U.S. and 83 days after it appears in China's NVD, according to Recorded Future.

A majority of the vulnerabilities in BDU are those that primarily present a threat to Russian state-owned information systems and automated systems for managing technical processes and production and critical infrastructure facilities. The data is publicly accessible and is designed for use by a wide range of people including security professionals, operators of critical infrastructure, and developers.

Unlike China's Ministry of State Security, which has a penchant for delaying or hiding data on vulnerabilities that the state can exploit for surveillance and other offensive purposes, Russia's FSTC over-reports on vulnerabilities that have been exploited by Russian state-sponsored threat groups. "Our analysis reveals that the BDU actually publishes 61% of vulnerabilities utilized by Russian military intelligence groups and does not seek to hide these vulnerabilities."

The number is noteworthy because it is significantly larger than the 10% of other vulnerabilities that the FSTC normally discloses. One reason could be to ensure that owners and operators of government and critical infrastructure systems are properly informed of the threats so they can protect against them.

The FSTEC started publishing vulnerability data only in 2014, about 15 years after the US started the practice. Somewhat unsurprisingly, the BDU contains data on just about 11,000 vulnerabilities compared to the 107,901 in the U.S. NVD — though that could also be the result of the FSTEC's habit of occasionally lumping multiple vulnerabilities under a single identifier. Among the vulnerabilities the organization published fastest were those related to browsers and industrial control systems.

Recorded Future's analysis showed that the FSTEC reports on vulnerabilities in some technologies relatively extensively while it under-reports flaws in the case of some other technologies. For instance, the FSTEC discloses a substantially greater proportion of flaws in Adobe, Linux, Microsoft, and Apple than it does with flaws in content management systems and technologies from IBM and Huawei.

What is unclear, however, is why FSTEC is even publishing the data considering just how delayed, state-focused and sparse the data is, Recorded Future noted in its report. In fact, the vulnerability data in the BDU reveals more about Russia's state information systems and the FSTEC's mission itself than anything else, the vendor said.

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Could you pass the hash, I really have to use the bathroom!
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9892
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbit...
CVE-2019-10066
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment i...
CVE-2019-10067
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context...
CVE-2019-6513
PUBLISHED: 2019-05-21
An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type of file by changing the extension to an allowed one.
CVE-2019-12270
PUBLISHED: 2019-05-21
OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 configure excessive permissions by default on Windows. During installation, a displaylistcache file share is created on the Windows server with full read and write permissions for the Everyone group at both the NTFS and Share levels. The ...